Hi,

I have public and private keys in separate .pem files that I would need to get into a JKS keystore somehow.

Tried using the -import command in KeyTool for this, which gives a "not an X.509 certificate" error.

I'm guessing the solution has to do with OpenSSL, but I'm not entirely sure what to do with it.

Would really appreciate any help with this, since I'm completely clueless with everything crypto-related.

Thanks in advance, --Rolf

A: 

KeyTool expects the objects in DER format. PEM is Base64-encoded DER, with a header and a footer. KeyTool cannot parse PEM.

However, OpenSSL can convert PEM objects to DER. E.g., for an X.509 certificate, the -outform DER command-line flag instructs OpenSSL to use DER as its output format.

This page apparently contains some more detailed explanations.

Thomas Pornin
Hi, thanks for answering! I managed to convert the private key to DER with OpenSSL, but not the public key.

`openssl x509 -in pubkey.pem -inform PEM -out pubkey.der -outform DER`

results in the following error:

`unable to load certificate`
`5280:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:642:Expecting: TRUSTED CERTIFICATE`

I'm guessing that it expects the public key file to begin with a "BEGIN TRUSTED CERTIFICATE" header, but what it actually contains is "BEGIN PUBLIC KEY".
Rolf
You have a "lone public key". You need a certificate. KeyTool follows the KeyStore format, which accepts private keys only if they come with certificates. A certificate contains the public key, along with other information such as an identity (the "key owner name") and a signature by a "certificate authority". You could use the private key to create a "self-signed certificate" (a certificate where the signature is computed relatively to the key itself); try this: `openssl req -new -x509 -key privkey.pem -out cert.pem`
Thomas Pornin
Okay, that got me on the right track, thanks!
Rolf
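The whole route from the two PEM files in the question to a JKS keystore, as an added example that is not part of the original answer or comments. It assumes `openssl` and the JDK's `keytool` are on the PATH; the file names `privkey.pem`, `pubkey.pem` and `cert.pem` are the ones used in the thread, while the alias, keystore name and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): private key + self-signed cert -> JKS.
# Assumes openssl and keytool on PATH; alias/keystore/password are made up.
set -eu

# Step from the comment above: build a self-signed certificate from the
# private key, non-interactively (-subj) and with an explicit validity.
make_self_signed_cert() {
  key=$1; cert=$2; subject=$3
  openssl req -new -x509 -key "$key" -subj "$subject" -days 365 -out "$cert"
}

# Sanity check: the certificate must carry exactly the key in pubkey.pem,
# otherwise the certificate you import does not belong to that private key.
# Both keys are normalised to DER and compared by SHA-256 digest.
cert_matches_pubkey() {
  cert=$1; pub=$2
  from_cert=$(openssl x509 -in "$cert" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  from_file=$(openssl pkey -pubin -in "$pub" -outform DER | openssl dgst -sha256)
  [ "$from_cert" = "$from_file" ]
}

# keytool -import only takes certificates; a private key has to arrive inside
# a keystore. So wrap key + cert in PKCS#12 and convert that keystore to JKS,
# then confirm a PrivateKeyEntry (not just a trusted cert) landed in it.
import_into_jks() {
  key=$1; cert=$2; alias=$3; jks=$4; pass=$5
  openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$alias" \
      -passout "pass:$pass" -out "$alias.p12"
  keytool -importkeystore -srckeystore "$alias.p12" -srcstoretype PKCS12 \
      -srcstorepass "$pass" -destkeystore "$jks" -deststoretype JKS \
      -deststorepass "$pass" -noprompt
  keytool -list -keystore "$jks" -storepass "$pass" -alias "$alias" \
      | grep -q PrivateKeyEntry
}

# Usage (with the thread's files; alias, keystore and password are examples):
#   make_self_signed_cert privkey.pem cert.pem "/CN=rolf"
#   cert_matches_pubkey cert.pem pubkey.pem && \
#   import_into_jks privkey.pem cert.pem rolf keystore.jks changeit
```

The public-key comparison is the check worth keeping: a certificate built from the wrong key imports just as silently as the right one.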