[lug] Migrating x509 public/private keypair to java jks

Andrew Diederich andrewdied at gmail.com
Tue Apr 11 09:44:45 MDT 2006

On 4/10/06, George Sexton <gsexton at mhsoftware.com> wrote:
> The problem is that keytool doesn't speak pem. It speaks DER. Here's what I
> had to do to get my LDAP cert into the keystore.

keytool (1.5) has imported my pem certificates just fine.  I converted
a public/private pem keypair I had (cat'd in one file), which
converted, then I imported it into a jks file with keytool.  It
imported as a trustedCertEntry, which is what cert-only certs and CA
certs get imported as.  So, I tried converting just my private key to
DER from PEM, and got an error.  It looks like private keys just can't
be changed from one form to another.  There seems to be a black hole
of knowledge about this -- I haven't found docs on how to do it, and
haven't seen any notes that it is impossible.  Weird.

andrew at tango:> openssl x509 -inform pem -in privatekey.pem -outform der -out privatekey.der
unable to load certificate
7041:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE

The private key has the regular -----BEGIN RSA PRIVATE KEY----- and
-----END RSA PRIVATE KEY----- lines.  It is not encrypted.

Andrew Diederich
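
Added example, not part of the original post: `openssl x509` parses only certificate PEM blocks, so the sketch below picks the openssl subcommand from the PEM label and gets a key/certificate pair into a JKS file by way of PKCS#12. The function names, file arguments and the `STOREPASS` environment variable are assumptions, and `keytool -importkeystore` needs Java 6 or later, not the 1.5 keytool mentioned above.

```shell
#!/usr/bin/env bash
# Added example: function names, paths and $STOREPASS are assumptions.

# Print the label of the first PEM block in a file, e.g. "RSA PRIVATE KEY".
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# PEM -> DER using the openssl subcommand that parses that kind of object.
# "openssl x509" reads certificates only; a key file needs rsa or pkcs8.
pem_to_der() {
  local src="$1" dst="$2"
  case "$(pem_label "$src")" in
    "CERTIFICATE"|"TRUSTED CERTIFICATE")
      openssl x509 -inform PEM -in "$src" -outform DER -out "$dst" ;;
    "RSA PRIVATE KEY")
      openssl rsa -inform PEM -in "$src" -outform DER -out "$dst" ;;
    "PRIVATE KEY")   # unencrypted PKCS#8
      openssl pkcs8 -topk8 -nocrypt -inform PEM -in "$src" \
        -outform DER -out "$dst" ;;
    *)
      echo "pem_to_der: unsupported PEM label in $src" >&2
      return 1 ;;
  esac
}

# Key + certificate -> PKCS#12 -> JKS, so keytool stores a PrivateKeyEntry
# rather than a trustedCertEntry. The password is read from the exported
# environment variable STOREPASS, keeping it off the command line.
pem_pair_to_jks() {
  local key="$1" cert="$2" alias="$3" jks="$4" p12
  p12=$(mktemp) || return 1          # mktemp creates the file mode 0600
  ( umask 077
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$alias" \
      -out "$p12" -passout env:STOREPASS &&
    keytool -importkeystore -noprompt \
      -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
      -destkeystore "$jks" -deststoretype JKS -deststorepass:env STOREPASS )
  local rc=$?
  rm -f "$p12"                       # the PKCS#12 copy holds the private key
  return $rc
}

# Usage (hypothetical file names):
#   pem_to_der privatekey.pem privatekey.der
#   export STOREPASS='...'; pem_pair_to_jks privatekey.pem cert.pem mykey keystore.jks
```

`keytool -list -keystore keystore.jks` should then show the alias as a PrivateKeyEntry.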

