[lug] Migrating x509 public/private keypair to java jks

Andrew Diederich andrewdied at gmail.com
Mon Apr 10 16:48:17 MDT 2006

On 4/10/06, Hugh Brown <hugh at math.byu.edu> wrote:
> I'm dredging up vague memories of a lot of pain trying to do this.  I
> don't think I ever succeeded.  I've got these notes to myself about
That's about what I did.  I tried this a couple months ago, and you
may be right about the alias of tomcat as mandatory.  The missing step
you mentioned

> # missing step about importing the signed key

is keytool -import -alias tomcat -keystore keystore -file pubcert

If you've used a CA that isn't in the java-preferred CAs (cacert.org
isn't there) you should -import the class1 and class3 certs or you'll
get errors about not being able to verify the chain.  The thing I
can't figure out is the private key -- there just doesn't look to be a
way to import the private key.  And security guys wonder why everyone
just uses self-signed certs!  We _try_ to do the right thing, but if
it's possible it isn't documented.

Andrew Diederich

More information about the LUG mailing list