On Tue, Feb 24, 2009 at 03:11:29PM -0800, John Oliver wrote: > On Tue, Feb 24, 2009 at 03:48:21PM -0500, Mark H. Wood wrote: > > I don't think Sun keytool will do thist step. You can export > > certificates but not private keys -- at least, I've never found a way > > to move private keys in or out using keytool. And there doesn't seem > > to be an option to transform one type of store into another. > > Well... this might be another case of my simply not knowing the correct > terminology, but if this goofy Java tool will happily save as , or > create, or export to, or whetever it's actually doing, to a .jks... it > doesn't seem to me that that would be something that should be > "impossible" for the "real" tool.
I looked again. I was wrong: Sun did provide a way to "import" one
store into another. (Terminology bit me too. "import"?) I think you
could use this to transform the PKCS12 store into a JKS store:
keytool -importkeystore \
-srckeystore certificate.p12 \
-srcstoretype pkcs12 \
-destkeystore subscriber.jks \
-deststoretype jks
[it asks for the destination keystore password. Enter "password".]
I cobbled up a certificate and key using OpenSSL, and this seems to work.
> > The part we haven't been told is why you have to start with a PKCS#12
> > bag if you have to end up with a JKS bag. Any procedure that
> > requires generating a private key outside of Sun keytool is not going
> > to work if it has to produce a JKS bag using keytool. The
> > java.security.Keystore class appears to be able to store
> > externally-provided keys, but keytool doesn't let you at that method.
>
> No idea. It's very likely that the answer is, "Because that's the way
> Joe did it when he figured out how to create the keystore, and it
> worked, and nobody has cared to revisit the process since".
>
> > If you could use -genseckey to let keytool generate the key, you could
> > start with a .jks and there'd be no problem.
>
> I'm actually starting with a private key and a certificate for the
> server, both in PEM format. The PKCS12 is created like:
>
> openssl pkcs12 -export -chain -in cert.pem -CApath . -CAfile 14.pem
> -inkey key.pem -out certificate.p12
>
> "14.pem" contains the PEM certificates for the CA that signed the cert
> for the host and the PEM for the Root CA that signed the intermediate
> CA.
Aha! The reason for this dance is that it is a way to sneak an
externally-generated private key into keytool, by going behind its
back. You can manipulate a PKCS12 bag using OpenSSL, but not a JKS.
--
Mark H. Wood, Lead System Programmer [email protected]
Friends don't let friends publish revisable-form documents.
pgpiNppW5xhzb.pgp
Description: PGP signature
