OpenSSL to Keytool Conversion tips

Every so often I hear of someone who needs to convert their openssl-generated certificate and key into a JSSE keystore. This process is complicated, but it can be done. Here are a couple of links that may help.
PKCS12Import (Jetty HTTP Server API)
OpenSSL-generated certs and keys are encoded in PEM format. They need to be converted into PKCS12 in order to be converted (by the Jetty tool) into a JKS (JSSE native format) keystore. Note that I had to run it a little differently from what is presented in the example...
java org.mortbay.util.PKCS12Import keystore.pkcs12 keystore.jks
Then import the ca.crt as well
keytool -import -keystore keystore.jks -trustcacerts -file ca.crt
keytool -list -v -keystore keystore.jks
It works! Two entries, one chained.
The Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO
See the section "Preparing the Keystore", which describes the openssl command to run to convert a key+cert+cacert into a PKCS12 keystore. The resulting keystore will (AFAIK) be read-only by the JSSE; trying to write to it with keytool fails with:
keytool error: java.io.IOException: PKCS 12 storing not implemented
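The two routes described above (openssl pkcs12 -export to build the PKCS12 bundle, then a tool that turns it into JKS and a separate keytool -import of the CA cert) as one script. This is an added example, not code from the page or from Mark Foster: it uses keytool -importkeystore, which has been available since Java 6, in place of the Jetty PKCS12Import class; on an older JVM run the page's "java org.mortbay.util.PKCS12Import" command at that step instead. The file names, the alias "tomcat", the password and the throwaway demo CA are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the page's own commands: bundle an OpenSSL-generated key,
# server certificate and CA certificate (PEM) into PKCS12, then import that
# into a JKS keystore. Assumes openssl and a JDK keytool on PATH; file names,
# the alias "tomcat" and the password are assumptions.
set -eu

# Constructed demo material: a throwaway CA plus a server cert signed by it,
# written into DIR as ca.crt, server.key and server.crt.
make_demo_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# pem_to_pkcs12 KEY CERT CACERT OUT PASSWORD
# "-name" becomes the key-entry alias inside the keystore; "-certfile" puts the
# CA certificate into the bundle so the chain travels with the key.
# OpenSSL 3 encrypts the bundle with AES/PBKDF2 by default; if an old Java
# (before 8u301) cannot open it, add "-legacy" to this export.
pem_to_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name tomcat -caname root -passout "pass:$5" -out "$4"
}

# count_certs_in_p12 P12 PASSWORD -> number of certificates in the bundle
count_certs_in_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# pkcs12_to_jks P12 JKS PASSWORD
# keytool -importkeystore (Java 6 and later) replaces the Jetty PKCS12Import
# class; on an older JVM run "java org.mortbay.util.PKCS12Import P12 JKS" here.
pkcs12_to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$3"
}

# import_ca JKS CACERT PASSWORD: the page's second step, a separate trusted entry
import_ca() {
  keytool -import -noprompt -trustcacerts -alias ca -file "$2" \
    -keystore "$1" -storepass "$3"
}

# count_jks_entries JKS PASSWORD -> key entries plus trusted-cert entries
count_jks_entries() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | grep -c -e PrivateKeyEntry -e trustedCertEntry || true
}

# Usage: . ./pem-to-jks.sh; pem_roundtrip /tmp/work changeit
pem_roundtrip() {
  dir=$1; pass=$2
  make_demo_material "$dir"
  pem_to_pkcs12 "$dir/server.key" "$dir/server.crt" "$dir/ca.crt" "$dir/keystore.p12" "$pass"
  pkcs12_to_jks "$dir/keystore.p12" "$dir/keystore.jks" "$pass"
  import_ca "$dir/keystore.jks" "$dir/ca.crt" "$pass"
  keytool -list -v -keystore "$dir/keystore.jks" -storepass "$pass"
}
```

After pem_roundtrip the listing should show the "tomcat" PrivateKeyEntry with a two-certificate chain and the "ca" trustedCertEntry, which is the "two entries, one chained" result the page describes.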
Bouncy Castle
You might want to check out The Legion of the Bouncy Castle for an alternate JCE provider that will handle the standard formats (as opposed to the proprietary JKS format).
KeyMan
Another option to consider is KeyMan from IBM Alphaworks. This tool is like keytool on steroids in that it supports additional keystore formats and cryptographic token devices, and can manipulate the Windows certificate store. Also, a GUI tool called iKeyman ships with WebSphere if you use that.
Keytool to OpenSSL Conversion tips
Then, there's the reverse situation where you have a JKS-format keystore, and need to extract the certificate and private key. With the keytool program you can only extract the certificate (public key), so you need to use a separate program (such as ExportPriv or Keystore Explorer) to export the private key. Then the public and private key can be combined into a PKCS12 file, or just left separate depending on your needs.
Export the public key (certificate) from a keystore
keytool -export -alias mykey -keystore keystore -file exported.crt
The result is a DER (binary) formatted certificate in exported.crt, which you can inspect with:
openssl x509 -noout -text -in exported.crt -inform der
Now you will want to convert it to another format, PEM, which is more widely used in applications such as Apache and by openssl to do the pkcs12 conversion.
openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der
Extracting the private key
Download, compile & run ExportPriv, crafted from Andrew Morrow's posting at
http://forum.java.sun.com/thread.jsp?forum=2&thread=154587&message=449486. The key will be written to STDOUT. I suggest you redirect it (>) to a file, exported-pkcs8.key in the commands below.
javac ExportPriv.java
java ExportPriv > exported-pkcs8.key
The private key is exported in PKCS#8 PEM format. To get it into the RSA format that works with Apache (see below) you can issue the following command:
openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key
Alternate way to extract the private key
Another option would be to purchase Keystore Explorer, which claims to support exporting private keys and key pairs. I haven't tried it myself. Let me know if you have and if it works.
[2006-Feb-01] Ambarish Mitra writes:
It (Keystore Explorer) works. It exports the key pair to pkcs12 format. However, this feature is not present in the evaluation version.
Combine and convert the extracted public/private key pair into PKCS12 format
A PKCS12 format file is typically suffixed with .p12 or .pfx. It is more commonly used on the Microsoft platform.
Now that you have the private key and public key (certificate) combo that go together, you can package them in a pkcs12-formatted file... this should do the trick.
openssl pkcs12 -export -out exported.pfx -inkey exported.key -in exported-pem.crt
[2004-Oct-22] Dave Kilzer writes:
Thanks for your "OpenSSL to Keytool Conversion tips" web page. It's helped me a great deal to set up client authentication via SSL between Apache 2 and Tomcat 5.
However, I ran into one problem with Apache 2 when using the Java-base64-encoded private key. I wrote up this bug about the issue:
http://issues.apache.org/bugzilla/show_bug.cgi?id=31856
In summary, I had to re-encode the Java-base64-encoded private key using openssl to make it palatable to Apache:
openssl rsa -in privkey-java.key -out privkey.key
I'm not sure why this is required (or why Apache can't decode the base64-encoded version of the private key created by Java), but it fixed the problem I was seeing.
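The reverse procedure (export the certificate as DER, re-encode it as PEM, extract the private key, bring the key into the "RSA PRIVATE KEY" form, bundle both into PKCS12) as one script, covering both the steps above and the key re-encoding that Dave Kilzer's report needed. This is an added example, not code from the page, from Mark Foster or from either correspondent. It replaces the ExportPriv class with keytool -importkeystore into a PKCS12 store (Java 6 and later), which openssl can then open; the key_kind helper classifies the key file by its PEM header so that the openssl pkcs8 / openssl rsa re-encoding from the page is only applied when needed. The alias "mykey", the file names, the password and the test inputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the page's own commands: pull the certificate and the
# private key out of a JKS keystore, normalise the key to PKCS#1 PEM
# ("BEGIN RSA PRIVATE KEY", the form the page reports Apache accepted) and
# bundle both into PKCS12. Assumes openssl and keytool on PATH; the alias
# "mykey", file names and the password are assumptions.
set -eu

# key_pem_label FILE -> label of FILE's first PEM block, or "none"
key_pem_label() {
  label=$(tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
  if [ -n "$label" ]; then printf '%s\n' "$label"; else printf 'none\n'; fi
}

# key_kind FILE -> pkcs8 | pkcs8-encrypted | rsa | ec | der | unknown
# "PRIVATE KEY" is what Java's getEncoded()/ExportPriv yields (PKCS#8);
# "RSA PRIVATE KEY" is the traditional OpenSSL (PKCS#1) form.
key_kind() {
  case "$(key_pem_label "$1")" in
    "PRIVATE KEY")           echo pkcs8 ;;
    "ENCRYPTED PRIVATE KEY") echo pkcs8-encrypted ;;
    "RSA PRIVATE KEY")       echo rsa ;;
    "EC PRIVATE KEY")        echo ec ;;
    none)
      # no PEM armour: a DER file starts with the ASN.1 SEQUENCE tag 0x30
      if [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then echo der; else echo unknown; fi ;;
    *) echo unknown ;;
  esac
}

# export_cert_pem JKS ALIAS PASSWORD OUT: keytool writes DER, openssl re-encodes to PEM
export_cert_pem() {
  keytool -export -alias "$2" -keystore "$1" -storepass "$3" -file "$4.der" >/dev/null
  openssl x509 -inform der -in "$4.der" -outform pem -out "$4"
  rm -f "$4.der"
}

# export_private_key JKS ALIAS PASSWORD OUT: keytool cannot print a private key,
# but since Java 6 it can copy the entry into a PKCS12 store, which openssl can
# open. This stands in for ExportPriv; the key comes out as unencrypted PKCS#8.
export_private_key() {
  keytool -importkeystore -noprompt -srckeystore "$1" -srcalias "$2" -srcstorepass "$3" \
    -destkeystore "$4.p12" -deststoretype PKCS12 -deststorepass "$3" >/dev/null
  openssl pkcs12 -in "$4.p12" -passin "pass:$3" -nocerts -nodes 2>/dev/null \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$4"
  rm -f "$4.p12"
}

# to_traditional_rsa IN OUT: re-encode an unencrypted RSA key as PKCS#1 PEM.
# This is the page's "openssl pkcs8 -nocrypt" / "openssl rsa" step. OpenSSL 3
# writes PKCS#8 unless asked for -traditional (openssl pkey has had that flag
# since 1.1.0); OpenSSL 1.0 lacks the flag but its openssl rsa writes PKCS#1
# anyway, hence the fallback.
to_traditional_rsa() {
  case "$(key_kind "$1")" in
    rsa) cp "$1" "$2" ;;
    pkcs8)
      openssl pkey -traditional -in "$1" -out "$2" 2>/dev/null \
        || openssl rsa -in "$1" -out "$2" 2>/dev/null ;;
    *) echo "to_traditional_rsa: cannot convert $(key_kind "$1") key $1" >&2; return 1 ;;
  esac
}

# bundle_pkcs12 KEY CERT OUT PASSWORD: the page's final "openssl pkcs12 -export"
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -name mykey -passout "pass:$4" -out "$3"
}

# Usage: . ./jks-to-pem.sh; jks_to_pkcs12 keystore.jks mykey changeit /tmp/out
jks_to_pkcs12() {
  jks=$1; name=$2; pass=$3; dir=$4
  export_cert_pem "$jks" "$name" "$pass" "$dir/exported-pem.crt"
  export_private_key "$jks" "$name" "$pass" "$dir/exported-pkcs8.key"
  to_traditional_rsa "$dir/exported-pkcs8.key" "$dir/exported.key"
  bundle_pkcs12 "$dir/exported.key" "$dir/exported-pem.crt" "$dir/exported.pfx" "$pass"
}
```

Running key_kind on the key file before handing it to Apache is the quick check for the symptom in the report above: a file that reports "pkcs8" (or "der", or a CRLF-terminated Java dump that still reports "pkcs8") has not yet been through to_traditional_rsa, which is the re-encoding that made the key acceptable.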
See Also
For further assistance, check out the openssl-users list archives and consider posing your question to the list. Another great resource is the tomcat-users mailing list.
If you need OpenSSL for Windows it can be found here or, better yet, here. NOTE: I have not used nor do I endorse the Windows port of OpenSSL. Do not ask me for help using it. I am only providing the link as a convenience to the poor souls who have not switched to a better OS.
If I was helpful, please let me know!
© 2003-2006 Mark Foster
$Id: openssl-keytool.html,v 1.5 2006/03/30 16:11:20 mdf Exp $