[lug] Migrating x509 public/private keypair to java jks

George Sexton gsexton at mhsoftware.com
Tue Apr 11 11:25:32 MDT 2006

Its all terribly complicated. I documented the steps in my software's
documentation so I don't have to re-learn it each time.

George Sexton
MH Software, Inc.
Voice: 303 438 9585

> -----Original Message-----
> From: lug-bounces at lug.boulder.co.us [mailto:lug-bounces at lug.boulder.co.us]
> On Behalf Of Andrew Diederich
> Sent: Tuesday, April 11, 2006 11:18 AM
> To: Boulder (Colorado) Linux Users Group -- General Mailing List
> Subject: Re: [lug] Migrating x509 public/private keypair to java jks
> On 4/11/06, George Sexton <gsexton at mhsoftware.com> wrote:
> > My bust.
> >
> > Try something like:
> >
> > openssl rsa -inform pem -in privatekey.pem -outform der -out
> privatekey.der
> *whack* Yes, if I actually read the header/footer I posted, it makes
> sense the private key uses the rsa portion of openssl, not the x509
> piece.  The private key converted fine to DER, but then wouldn't
> import into the java keystore file.
> C:\Documents and Settings\andrew\Desktop\asp2>keytool -import
> -keystore keystore -file privatekey.der
> Enter keystore password:  secretpassword
> keytool error: java.lang.Exception: Input not an X.509 certificate
> > you can also do
> >
> > openssl rsa -inform pem -in privatekey.pem -text
> >
> > to dump the text form of the private key.
> That worked fine, and I tried "-inform der" on the der converted key
> just to make sure it converted, and I got the same output.
> Hmm, http://mindprod.com/jgloss/keytoolexe.html says "Keytool will
> generate a private key, but won't import or export one." Note: you
> need java enabled in your browser to read his code snippets and
> examples.  Note2: one thing not mentioned often enough is the password
> for the "cacerts" file shipped with java that contains the trusted
> root CAs has a default password of "changeit".
> After following some of the sun threads linked on that page, it looks
> like someone wrote a tool to do this.
> http://www.comu.de/docs/tomcat_ssl.htm  I haven't tried it though.
> Once I have I'll update the list.
> --
> Andrew Diederich
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us portf67 channel=olug

More information about the LUG mailing list