[lug] Migrating x509 public/private keypair to java jks

Hugh Brown hugh at math.byu.edu
Mon Apr 10 16:36:53 MDT 2006

On Mon, 2006-04-10 at 15:47 -0600, Andrew Diederich wrote:
> I have a pem formatted public/private keypair that I want to use for a
> java program (tomcat).  The tomcat program needs a jks formatted file,
> it cannot use pkcs12.  If I try to do a "keytool -import" on a pem
> file with the public/private keypair I get a java exception because
> the private key isn't an x509 cert.
> keytool -import -alias www.example.com -file wwwexamplecom.pubpriv.pem
> -v -storetype jks -keystore keystore.jks
> Enter keystore password:  changeit
> keytool error: java.lang.Exception: Input not an X.509 certificate
> I get the same error trying to import just the private key.
> If I specify a file with just the public cert keytool wants to import
> the public cert as a trusted cert, and I don't get the private key. 
> If I use "keytool -genkey" to generate a public/private keypair and
> try to import my old public cert, of course the public cert doesn't
> match the new private key.
> Is it even possible to convert PEM formatted x509 certs into a java
> jks file?  If it is possible, does anyone have any references how to
> do it?
> Thanks for the help.

I'm dredging up vague memories of a lot of pain trying to do this.  I
don't think I ever succeeded.  I've got these notes to myself about
generating keys for tomcat ($ is intended as a prompt):

# no commas in names
$ keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
$ keytool -certreq -alias tomcat -keystore keystore.new -file
# sign the key with a CA
# missing step about importing the signed key
$ keytool -printcert -file keystore.signed

More information about the LUG mailing list