On Tue, Feb 24, 2009 at 08:02:30AM -0800, John Oliver wrote:
> I need to turn PKI certs into JKSes. I have some instructions from one

JKS is Java KeyStore or some such. It's a database of certificates and private keys. You can't turn a certificate into a .jks but you can store certificates into one. None of this stuff is to do with OpenSSL, so this list may not be the best place for answers. And I'm not anything like an expert on keytool or JCA, but I will try to explain a bit.

> of the developers, but it refers to a "KeyTool UI" which, it turns out,
> is not part of the base OS install, but, "Oh, just go out and search the
> Internet for one..." No thanks. Besides, I'd like to script this

So helpful, they are.

> stuff. The man page for keytool doesn't help me much, as I know,
> basically, nothing about this stuff. The terminology is meaningless to
> me :-( ( Speaking of which, if anyone can direct me to some kind of
> tutorial or online lesson about the basics of PKI, SSL, etc. that would
> be awesome! )
>
> So... I'd like to request some assistance in turning the following
> instructions into CLI 'keytool' commands.

Spoiler: I don't think there is a way using the tool you've chosen, but read on for my best guesses.

> After creating a PKCS12 file...
>
> 9. Use KeyTool UI (Java tool), go to File->Open Keystore and open
> certificate.p12

-storetype pkcs12 -keystore certificate.p12 are needed to specify the keystore file and its (non-default) type. You will need these for all steps that operate on this file.

> 10. Right click on the displayed keypair and Rename it to 'key'

-changealias -alias OLDNAME -destalias key

"Names" are "aliases" in keytool. I don't believe that PKI terminology includes the concept of naming a keypair.

> 11. Import the COC CA-13 certificate into the new keystore using
> Tools->Import Trusted Certificate

-importcert -file THE_CERTIFICATE_FILE

I think you will be required to specify -alias SOME_NAME, and you may want to add -trustcacerts.

> 12. Go to File->Save Keystore As and use 'password'

Meaningless for keytool, which loads and saves the same -keystore file.

> 13. Save the file as subscriber.jks

I don't think Sun keytool will do this step. You can export certificates but not private keys -- at least, I've never found a way to move private keys in or out using keytool. And there doesn't seem to be an option to transform one type of store into another.

The part we haven't been told is why you have to start with a PKCS#12 bag if you have to end up with a JKS bag. Any procedure that requires generating a private key outside of Sun keytool is not going to work if it has to produce a JKS bag using keytool. The java.security.Keystore class appears to be able to store externally-provided keys, but keytool doesn't let you at that method. If you could use -genseckey to let keytool generate the key, you could start with a .jks and there'd be no problem.

> I am told that renaming the keypair is important, as our application
> cares. Same with using the password 'password'.

:-O Do they leave a key under the doormat, too?

-- 
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
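Added example, not part of Mark's reply or of any project's code: a POSIX sh script that turns steps 9 to 13 above into keytool commands. It assumes keytool from JDK 6 or later (that release added -importkeystore, the subcommand that copies a private-key entry from a PKCS#12 store into a JKS store, which is the step Mark had not found a way to do) and openssl on PATH. The function names are this example's own; the file names, the alias 'key' and the store password follow the quoted instructions, and the demo's two self-signed certificates, standing in for the subscriber key pair (exported under the constructed alias 'oldname') and the COC CA-13 certificate, are constructed test material.

```shell
#!/bin/sh
# Added example (not from the thread): scripting the KeyTool UI steps with the
# keytool CLI. Assumes keytool (JDK 6+, which has -importkeystore) and openssl
# are on PATH. Function names are this example's own; file names, the alias
# 'key' and the store password follow the quoted instructions.
set -eu

# keytool never infers the store type from the file name, so every command
# below passes -storetype. This helper picks it from the extension.
storetype_for() {
    case "$1" in
        *.p12|*.pfx) echo PKCS12 ;;
        *.jks)       echo JKS ;;
        *) echo "unknown keystore extension: $1" >&2; return 1 ;;
    esac
}

# Steps 9 and 13: copy every entry of the PKCS#12 bag into a JKS file.
# -importkeystore is the keytool command that moves private keys between
# store types; -exportcert/-importcert only move certificates.
p12_to_jks() {  # src.p12 src-storepass dest.jks dest-storepass
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype "$(storetype_for "$1")" -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype "$(storetype_for "$3")" -deststorepass "$4"
}

# Step 10: the GUI's "name" is keytool's alias; rename the key entry to 'key'.
rename_alias() {  # keystore storepass old-alias new-alias
    keytool -changealias -keystore "$1" -storetype "$(storetype_for "$1")" \
        -storepass "$2" -alias "$3" -destalias "$4"
}

# Step 11: add the CA certificate as a trusted-certificate entry under its
# own alias (keytool refuses to import a certificate without one).
import_trusted_cert() {  # keystore storepass cert.pem alias
    keytool -importcert -noprompt -keystore "$1" -storetype "$(storetype_for "$1")" \
        -storepass "$2" -file "$3" -alias "$4"
}

# Print one alias per line: in 'keytool -list' output the alias is the text
# before the first comma of each entry line.
list_aliases() {  # keystore storepass
    keytool -list -keystore "$1" -storetype "$(storetype_for "$1")" -storepass "$2" \
        | sed -n 's/^\([^,]*\),.*$/\1/p'
}

# End-to-end run on constructed material: two throwaway self-signed certs stand
# in for the subscriber key pair and the "COC CA-13" certificate. Prints the
# aliases of the resulting subscriber.jks: 'key' and 'coc-ca-13'.
run_demo() {
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=subscriber' \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=COC CA-13' \
        -keyout "$tmp/ca-key.pem" -out "$tmp/ca.pem" 2>/dev/null || return 1
    # Classic PKCS#12 PBE algorithms so OpenSSL 1.1/3.x output and older JDKs agree.
    openssl pkcs12 -export -name oldname -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$tmp/certificate.p12" -passout pass:password || return 1
    p12_to_jks "$tmp/certificate.p12" password "$tmp/subscriber.jks" password 2>/dev/null || return 1
    rename_alias "$tmp/subscriber.jks" password oldname key 2>/dev/null || return 1
    import_trusted_cert "$tmp/subscriber.jks" password "$tmp/ca.pem" coc-ca-13 >/dev/null 2>&1 || return 1
    list_aliases "$tmp/subscriber.jks" password 2>/dev/null
}

# Run the demonstration only when both tools are installed, so the functions
# above can also be sourced into another script without side effects.
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    run_demo
fi
```

Every wrapper passes -storetype explicitly because, as the reply notes, keytool does not read the type from the file name; the -noprompt flags are what make the steps scriptable, since keytool otherwise stops to ask before trusting an imported certificate or overwriting an entry.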