[lug] Migrating x509 public/private keypair to java jks

Andrew Diederich andrewdied at gmail.com
Tue Apr 11 11:17:44 MDT 2006

On 4/11/06, George Sexton <gsexton at mhsoftware.com> wrote:
> My bust.
> Try something like:
> openssl rsa -inform pem -in privatekey.pem -outform der -out privatekey.der

*whack* Yes, if I actually read the header/footer I posted, it makes
sense that the private key uses the rsa portion of openssl, not the
x509 piece.  The private key converted fine to DER, but then wouldn't
import into the Java keystore file.

C:\Documents and Settings\andrew\Desktop\asp2>keytool -import
-keystore keystore -file privatekey.der
Enter keystore password:  secretpassword
keytool error: java.lang.Exception: Input not an X.509 certificate

> you can also do
> openssl rsa -inform pem -in privatekey.pem -text
> to dump the text form of the private key.

That worked fine, and I tried "-inform der" on the DER-converted key
just to make sure it converted, and I got the same output.

Hmm, http://mindprod.com/jgloss/keytoolexe.html says "Keytool will
generate a private key, but won't import or export one." Note: you
need Java enabled in your browser to read his code snippets and
examples.  Note 2: one thing not mentioned often enough is that the
"cacerts" file shipped with Java, which contains the trusted root
CAs, has a default password of "changeit".

After following some of the Sun threads linked on that page, it looks
like someone wrote a tool to do this:
http://www.comu.de/docs/tomcat_ssl.htm  I haven't tried it, though.
Once I have, I'll update the list.

Andrew Diederich
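
Added example, not part of the original post: a small Python check that tells a private key from a certificate before a file is handed to "keytool -import", which rejects anything that is not an X.509 certificate as shown above. It is a shape heuristic over the first two DER fields, not a validator (a certificate request has the same outer shape as a certificate); the function names and the sample blobs are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify(data):
    """Heuristically name what a PEM or DER blob holds, from its first two fields."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m:  # PEM is base64 of the same DER, wrapped in BEGIN/END lines
        data = base64.b64decode(m.group(2))
    try:
        tag, start, _ = read_tlv(data, 0)
        if tag != 0x30:  # every type handled here is an outer SEQUENCE
            return "unknown"
        t1, _, e1 = read_tlv(data, start)
        t2, _, _ = read_tlv(data, e1)
    except ValueError:
        return "unknown"
    shapes = {
        (0x30, 0x30): "X.509 certificate",       # tbsCertificate, signatureAlgorithm
        (0x02, 0x02): "PKCS#1 RSA private key",  # version, modulus
        (0x02, 0x30): "PKCS#8 private key",      # version, algorithm identifier
    }
    return shapes.get((t1, t2), "unknown")

def keytool_import_accepts(data):
    """keytool -import takes certificates only, as the error in the post shows."""
    return classify(data) == "X.509 certificate"

def der(tag, body):
    """Minimal DER encoder for the constructed samples (short lengths only)."""
    return bytes([tag, len(body)]) + body

# Constructed samples with toy values, not real keys or certificates.
INT0 = der(0x02, b"\x00")
SAMPLE_KEY = der(0x30, INT0 + der(0x02, b"\x00\xc5") + der(0x02, b"\x03"))
SAMPLE_CERT = der(0x30, der(0x30, INT0) + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                  + base64.b64encode(SAMPLE_KEY) + b"\n-----END RSA PRIVATE KEY-----\n")
```

To check a real file, pass its bytes: classify(open("privatekey.der", "rb").read()).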
