OpenSSL to Keytool Conversion tips

From ConShell
Jump to: navigation, search

Every so often I hear of someone who needs to convert their openssl-generated certificate and key (typically in PEM or DER format) into a Java Secure Socket Extension (JSSE) keystore. This process is complicated, but it can be done. Here are a few links that may help.

OpenSSL generated certificates and keys are encoded in PEM format by default. This format is base64-encoded. The other type used is DER which is binary-encoded.

Method #1: PKCS12Import

This method converts the certificate & key into a PKCS12 file which may then be converted (by the Jetty tool) into a JKS keystore - the JSSE native format.

First, convert your certificate and key into a pkcs12 file. This is a simple example.

openssl pkcs12 -export -in example.crt -inkey example.key -out keystore.pkcs12

Here is a more complex example which chains together the CA certificate which signed example.crt. It ensures the certificate chaining will be intact after the JKS conversion.

openssl pkcs12 -export -chain -in example.crt -certfile ca.crt -inkey example.key -out keystore.pkcs12

PKCS12Import is part of the Jetty HTTP Server API. Read about it here. You will want to download the jetty 6.1.3 package from here.

After download, unzip it into a folder alongside your keystore.pkcs12 file generated above.

Note that I had to run it a little differently from what is presented in the example...

java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
Enter input keystore passphrase: secret
Enter output keystore passphrase: secret
Alias 0: 1
Adding key for alias 1
keytool -list -v -keystore keystore.jks

This will result in two entries, one is a chained PrivateKeyEntry and the other a trustedCertEntry. If you used -chain in the PKCS12 generation, the PrivateKeyEntry should have a certificate chain length of 2 (or more).

You only need -trustcacerts if the ca.crt is for an Intermediate CA chained back to a public CA such as Verisign.

Method #2: Jakarta Tomcat recipe

See The Tomcat 5 Servlet/JSP Container SSL Configuration HOW-TO

The section Preparing the Keystore describes using the openssl command to run to convert a key+cert+cacert into a read-only PKCS12 keystore. Because it is read-only by the JSSE, thus functionality is reduced. Case in point...

keytool error: java.io.IOException: PKCS 12 storing not implemented

Method #3: Yellowcat Keytool IUI

Link This web-based java application to let you import a keypair and certificate to export as a keystore (JKS or JCEKS format).

Method #4: Bouncy Castle

You might want to check out The Legion of the Bouncy Castle for an alternate Java Cryptography Extension (JCE) provider that will handle the standard PEM/DER formats (as opposed to the proprietary JKS format).

Method #5: KeyMan / iKeyMan

Another option to consider is KeyMan from IBM Alphaworks. This tool is like keytool on steroids in that it supports additional keystore formats, cryptographic token devices, and can manipulate the windows certificate store. Closely related is a GUI interface called iKeyman that ships with IBM's WebSphere Application server if you happen to have that. (Note: Community edition might be your low-cost/free choice here). iKeyman can import ".arm" files which are PEM encoded certificates in disguise. Depending on which version you use, it can manipulate .kdb and .jks files. The .jks are ( to my knowledge) a variation of the keystore format, but not the native JSSE type.

Find out more about KeyMan and WebSphere.

See Also