[lug] Migrating x509 public/private keypair to java jks

Garett Shulman shulmang at colorado.edu
Mon Apr 10 16:50:22 MDT 2006

Andrew Diederich wrote:
> I have a pem formatted public/private keypair that I want to use for a
> java program (tomcat).  The tomcat program needs a jks formatted file,
> it cannot use pkcs12.  If I try to do a "keytool -import" on a pem
> file with the public/private keypair I get a java exception because
> the private key isn't an x509 cert.
> keytool -import -alias www.example.com -file wwwexamplecom.pubpriv.pem
> -v -storetype jks -keystore keystore.jks
> Enter keystore password:  changeit
> keytool error: java.lang.Exception: Input not an X.509 certificate
> I get the same error trying to import just the private key.
> If I specify a file with just the public cert keytool wants to import
> the public cert as a trusted cert, and I don't get the private key. 
> If I use "keytool -genkey" to generate a public/private keypair and
> try to import my old public cert, of course the public cert doesn't
> match the new private key.
> Is it even possible to convert PEM formatted x509 certs into a java
> jks file?  If it is possible, does anyone have any references how to
> do it?
It should be possible to import cert.pem into a keystore. I usually use 
do something like:
keytool -import -trustcacerts -keystore 
$JAVA_HOME/jre/lib/security/cacerts -alias mycert -file path_to/cert.pem

What does the cert look like if you open it in an editor?

> Thanks for the help.
> --
> Andrew Diederich
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us portf67 channel

More information about the LUG mailing list