[lug] Migrating x509 public/private keypair to java jks

George Sexton gsexton at mhsoftware.com
Mon Apr 10 17:46:19 MDT 2006

The problem is that keytool doesn't speak pem. It speaks DER. Here's what I
had to do to get my LDAP cert into the keystore.

openssl x509 -inform pem -in /usr/share/ssl/certs/slapd.pem \
-outform der -out ~/slapd.der

George Sexton
MH Software, Inc.
Voice: 303 438 9585

> -----Original Message-----
> From: lug-bounces at lug.boulder.co.us [mailto:lug-bounces at lug.boulder.co.us]
> On Behalf Of Andrew Diederich
> Sent: Monday, April 10, 2006 3:48 PM
> To: BLUG
> Subject: [lug] Migrating x509 public/private keypair to java jks
>
> I have a pem formatted public/private keypair that I want to use for a
> java program (tomcat).  The tomcat program needs a jks formatted file,
> it cannot use pkcs12.  If I try to do a "keytool -import" on a pem
> file with the public/private keypair I get a java exception because
> the private key isn't an x509 cert.
>
> keytool -import -alias www.example.com -file wwwexamplecom.pubpriv.pem
> -v -storetype jks -keystore keystore.jks
> Enter keystore password:  changeit
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> I get the same error trying to import just the private key.
>
> If I specify a file with just the public cert keytool wants to import
> the public cert as a trusted cert, and I don't get the private key.
>
> If I use "keytool -genkey" to generate a public/private keypair and
> try to import my old public cert, of course the public cert doesn't
> match the new private key.
>
> Is it even possible to convert PEM formatted x509 certs into a java
> jks file?  If it is possible, does anyone have any references how to
> do it?
>
> Thanks for the help.
> --
> Andrew Diederich
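Added example, not part of either message above: a Python sketch of what the PEM-to-DER step in the reply amounts to, and of how a combined key-plus-certificate PEM file breaks down into separately labelled blocks, only one of which is a certificate. The function names are hypothetical, and the sample key and certificate are constructed placeholder bytes, not real ASN.1 structures.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def der_sequence(body):
    """Wrap body in a DER SEQUENCE (tag 0x30, definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return b"\x30" + length + body

def to_pem(label, der):
    """PEM is the base64 of the DER bytes between BEGIN/END label lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)

def check_outer_sequence(der):
    """Reject payloads whose outer SEQUENCE header disagrees with their size."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    k = der[1] & 0x7F if der[1] & 0x80 else 0
    n = int.from_bytes(der[2:2 + k], "big") if k else der[1]
    if 2 + k + n != len(der):
        raise ValueError("DER length field does not match payload size")

def split_pem(text):
    """Return [(label, der_bytes)] for every PEM block, in file order."""
    blocks = []
    for label, b64 in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(b64.split()), validate=True)
        check_outer_sequence(der)
        blocks.append((label, der))
    return blocks

def certificates_der(text):
    """DER bytes of each CERTIFICATE block, skipping keys and other labels."""
    return [der for label, der in split_pem(text) if label == "CERTIFICATE"]

# Constructed placeholders standing in for a real key and certificate.
FAKE_KEY = der_sequence(b"\x02\x01\x00\x04\x03key")
FAKE_CERT = der_sequence(b"\x04\x82\x01\x28" + bytes(296))
BUNDLE = to_pem("RSA PRIVATE KEY", FAKE_KEY) + to_pem("CERTIFICATE", FAKE_CERT)

if __name__ == "__main__":
    for label, der in split_pem(BUNDLE):
        print(label, len(der), "bytes of DER")
```

Writing the bytes returned by certificates_der to a file gives the same kind of output as the openssl x509 -outform der command in the reply; the private key block stays separate and is not a certificate.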
