On Tue, Feb 24, 2009 at 03:11:29PM -0800, John Oliver wrote:
> On Tue, Feb 24, 2009 at 03:48:21PM -0500, Mark H. Wood wrote:
> > I don't think Sun keytool will do this step. You can export
> > certificates but not private keys -- at least, I've never found a way
> > to move private keys in or out using keytool. And there doesn't seem
> > to be an option to transform one type of store into another.
>
> Well... this might be another case of my simply not knowing the correct
> terminology, but if this goofy Java tool will happily save as, or
> create, or export to, or whatever it's actually doing, to a .jks... it
> doesn't seem to me that that would be something that should be
> "impossible" for the "real" tool.
I looked again. I was wrong: Sun did provide a way to "import" one store
into another. (Terminology bit me too. "import"?) I think you could use
this to transform the PKCS12 store into a JKS store:

  keytool -importkeystore \
    -srckeystore certificate.p12 \
    -srcstoretype pkcs12 \
    -destkeystore subscriber.jks \
    -deststoretype jks

[it asks for the destination keystore password. Enter "password".]

I cobbled up a certificate and key using OpenSSL, and this seems to work.

> > The part we haven't been told is why you have to start with a PKCS#12
> > bag if you have to end up with a JKS bag. Any procedure that
> > requires generating a private key outside of Sun keytool is not going
> > to work if it has to produce a JKS bag using keytool. The
> > java.security.KeyStore class appears to be able to store
> > externally-provided keys, but keytool doesn't let you at that method.
>
> No idea. It's very likely that the answer is, "Because that's the way
> Joe did it when he figured out how to create the keystore, and it
> worked, and nobody has cared to revisit the process since".
>
> > If you could use -genseckey to let keytool generate the key, you could
> > start with a .jks and there'd be no problem.
>
> I'm actually starting with a private key and a certificate for the
> server, both in PEM format. The PKCS12 is created like:
>
>   openssl pkcs12 -export -chain -in cert.pem -CApath . -CAfile 14.pem \
>     -inkey key.pem -out certificate.p12
>
> "14.pem" contains the PEM certificates for the CA that signed the cert
> for the host and the PEM for the Root CA that signed the intermediate
> CA.

Aha! The reason for this dance is that it is a way to sneak an
externally-generated private key into keytool, by going behind its back.
You can manipulate a PKCS12 bag using OpenSSL, but not a JKS.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
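The thread notes that java.security.KeyStore can accept an externally generated key even though keytool never exposes that call. The following is an added example, not code from anyone in the thread: it loads the same key.pem, cert.pem and 14.pem named above and writes them straight into subscriber.jks with KeyStore.setKeyEntry, so the PKCS#12 detour is not needed. It assumes key.pem is an unencrypted PKCS#8 RSA key (an OpenSSL "BEGIN RSA PRIVATE KEY" file must first be converted with `openssl pkcs8 -topk8 -nocrypt`) and that 14.pem lists the intermediate before the root.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/** Writes an externally generated PEM key plus its chain into a JKS, bypassing PKCS#12. */
public class PemToJks {

    /** Parses an unencrypted PKCS#8 PEM block ("-----BEGIN PRIVATE KEY-----"); assumed format. */
    static PrivateKey readPkcs8Pem(String path, String algorithm) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        String b64 = pem.replaceAll("-----BEGIN [A-Z ]+-----", "")
                        .replaceAll("-----END [A-Z ]+-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Reads every PEM certificate from the given files, in order: leaf, then the 14.pem chain. */
    static List<Certificate> readChain(String... paths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        for (String p : paths) {
            try (FileInputStream in = new FileInputStream(p)) {
                chain.addAll(cf.generateCertificates(in)); // handles several certs per file
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();            // throwaway password, as in the thread
        PrivateKey key = readPkcs8Pem("key.pem", "RSA");   // assumption: RSA key in PKCS#8 PEM
        List<Certificate> chain = readChain("cert.pem", "14.pem");
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);                              // start from an empty store
        // The call keytool does not expose: the key enters the JKS without a PKCS#12 bag.
        jks.setKeyEntry("server", key, pw, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream("subscriber.jks")) {
            jks.store(out, pw);
        }
    }
}
```

Since Java 9 keytool defaults to the PKCS12 store type and the JDK reads a .p12 directly, so on current JDKs the conversion to JKS is often unnecessary altogether; `keytool -list -keystore subscriber.jks` confirms the entry landed as a PrivateKeyEntry with the full chain length.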