On Tue, Feb 24, 2009 at 03:48:21PM -0500, Mark H. Wood wrote:
> On Tue, Feb 24, 2009 at 08:02:30AM -0800, John Oliver wrote:
> > I need to turn PKI certs into JKSes.  I have some instructions from one
> 
> JKS is Java KeyStore or some such.  It's a database of certificates
> and private keys.  You can't turn a certificate into a .jks but you
> can store certificates into one.

See what I mean about not knowing the right terminology? :-)

> None of this stuff is to do with OpenSSL, so this list may not be the
> best place for answers.  And I'm not anything like an expert on
> keytool or JCA, but I will try to explain a bit.

Where would be a better forum for these questions, then?

> > of the developers, but it refers to a "KeyTool UI" which, it turns out,
> > is not part of the base OS install, but, "Oh, just go out and search the
> > Internet for one..."  No thanks.  Besides, I'd like to script this
> 
> So helpful, they are.

Yeah... :-)  I did finally get the tool they used, and I think I made it
work.  I'd still like to be able to script this stuff, though.

> > stuff.  The man page for keytool doesn't help me much, as I know,
> > basically, nothing about this stuff.  The terminology is meaningless to
> > me :-(  ( Speaking of which, if anyone can direct me to some kind of
> > tutorial or online lesson about the basics of PKI, SSL, etc. that would
> > be awesome! )
> > 
> > So... I'd like to request some assistance in turning the following
> > instructions into CLI 'keytool' commands.
> 
> Spoiler:  I don't think there is a way using the tool you've chosen,
> but read on for my best guesses.

Well, I didn't "choose" so much as "assume".  If there is a more
appropriate tool, I'm all ears! :-)

> > After creating a PKCS12 file...
> > 
> > 9. Use KeyTool UI (Java tool), go to File->Open Keystore and open
> > certificate.p12
> 
>  -storetype pkcs12 -keystore certificate.p12
> 
> are needed to specify the keystore file and its (non-default) type.
> You will need these for all steps that operate on this file.
> 
> > 10. Right click on the displayed keypair and Rename it to 'key'
> 
>  -changealias -alias OLDNAME -destalias key
> 
> "Names" are "aliases" in keytool.  I don't believe that PKI
> terminology includes the concept of naming a keypair.
> 
> > 11. Import the COC CA-13 certificate into the new keystore using
> > Tools->Import Trusted Certificate
> 
>  -importcert -file THE_CERTIFICATE_FILE
> 
> I think you will be required to specify -alias SOME_NAME, and you may
> want to add -trustcacerts.
> 
> > 12. Go to File->Save Keystore As and use 'password'
> 
> Meaningless for keytool, which loads and saves the same -keystore file.
> 
> > 13. Save the file as subscriber.jks
> 
> I don't think Sun keytool will do this step.  You can export
> certificates but not private keys -- at least, I've never found a way
> to move private keys in or out using keytool.  And there doesn't seem
> to be an option to transform one type of store into another.

Well... this might be another case of my simply not knowing the correct
terminology, but if this goofy Java tool will happily save as, or
create, or export to, or whatever it's actually doing, to a .jks... it
doesn't seem to me that that would be something that should be
"impossible" for the "real" tool.

> The part we haven't been told is why you have to start with a PKCS#12
> bag if you have to end up with a JKS bag.  Any procedure that
> requires generating a private key outside of Sun keytool is not going
> to work if it has to produce a JKS bag using keytool.  The
> java.security.Keystore class appears to be able to store
> externally-provided keys, but keytool doesn't let you at that method.

No idea.  It's very likely that the answer is, "Because that's the way
Joe did it when he figured out how to create the keystore, and it
worked, and nobody has cared to revisit the process since".

> If you could use -genseckey to let keytool generate the key, you could
> start with a .jks and there'd be no problem.

I'm actually starting with a private key and a certificate for the
server, both in PEM format.  The PKCS12 is created like:

openssl pkcs12 -export -chain -in cert.pem -CApath . -CAfile 14.pem -inkey key.pem -out certificate.p12

"14.pem" contains the PEM certificates for the CA that signed the cert
for the host and the PEM for the Root CA that signed the intermediate
CA.

If there's a more appropriate way to do this, I'm flexible!

Thanks so much for your response!

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
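As an added example, not code from this thread or from either poster: the scripted version of steps 9 to 13 that the thread is asking for. It keeps the thread's file names (key.pem, cert.pem, 14.pem, certificate.p12, subscriber.jks), the alias 'key' and the store password 'password' from the developers' instructions, and assumes openssl plus a keytool that has -importkeystore (present since JDK 6), which does move a private key from a PKCS#12 store into a JKS store. The -name option on openssl, the trusted-entry alias ca-chain, and the RUN_DEMO switch are my assumptions.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): PEM key + cert + CA chain
# -> PKCS#12 -> JKS, scripted with openssl and keytool instead of the KeyTool UI.
set -eu

# Build the keytool command that converts a PKCS#12 store into a JKS store
# (replaces UI steps 12 and 13: "Save Keystore As ... subscriber.jks").
# $1 source .p12, $2 destination .jks, $3 store password (thread uses 'password')
jks_import_cmd() {
  printf 'keytool -importkeystore -srckeystore %s -srcstoretype pkcs12 -srcstorepass %s -destkeystore %s -deststoretype JKS -deststorepass %s -noprompt' \
    "$1" "$3" "$2" "$3"
}

# Build the keytool command that adds a CA certificate as a trusted entry
# (UI step 11, "Import Trusted Certificate"). keytool reads only the first
# certificate in the file, so a two-certificate chain file needs one call per cert.
# $1 keystore, $2 store password, $3 CA PEM file, $4 alias for the entry
ca_import_cmd() {
  printf 'keytool -importcert -keystore %s -storepass %s -file %s -alias %s -trustcacerts -noprompt' \
    "$1" "$2" "$3" "$4"
}

# Whole pipeline. Arguments: cert.pem key.pem chain.pem out.p12 out.jks password
pem_to_jks() {
  cert=$1; key=$2; chain=$3; p12=$4; jks=$5; pass=$6
  # -name sets the PKCS#12 friendly name; keytool carries it over as the alias,
  # so UI step 10 (rename the keypair to 'key') is no longer a separate step.
  openssl pkcs12 -export -chain -in "$cert" -inkey "$key" -CAfile "$chain" \
    -name key -passout "pass:$pass" -out "$p12"
  rm -f "$jks"
  eval "$(jks_import_cmd "$p12" "$jks" "$pass")"
  eval "$(ca_import_cmd "$jks" "$pass" "$chain" ca-chain)"
  # Check: the JKS should list a PrivateKeyEntry 'key' and a trustedCertEntry 'ca-chain'.
  keytool -list -keystore "$jks" -storetype JKS -storepass "$pass"
}

# Stand-alone demo (RUN_DEMO=1): uses a constructed self-signed key and cert as both
# the server cert and the "chain", so it runs without the thread's real CA files.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  workdir=$(mktemp -d)
  cd "$workdir"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
    -subj /CN=demo -days 1 2>/dev/null
  pem_to_jks cert.pem key.pem cert.pem certificate.p12 subscriber.jks password
fi
```

Run it as `RUN_DEMO=1 sh pem_to_jks.sh` to see the resulting listing, or source it and call `pem_to_jks cert.pem key.pem 14.pem certificate.p12 subscriber.jks password` on the real files. Passing passwords on the command line as the thread's instructions do leaves them visible in process listings and shell history; keytool also accepts `-storepass:file` and `-srcstorepass:file` to read them from a file instead.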