Dealing with java keystores

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

my_key, Sep 26, 2007, keyEntry,
Certificate fingerprint (MD5): BA:22:E1:9E:9D:83:05:5A:99:42:5E:EF:62:77:DE:5A
my_ca, Sep 26, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 4E:B5:B6:7A:02:F8:F8:6E:5E:79:FB:84:65:75:42:68

Comments (4)

i have three levels of chain
ssl certificate
L1C cross certificate
entrust root certificate

Now when i import to the keystore.. what order should i import? does the order matter? the application on the other end fails saying "Could not validate the trust chain of the signing certificate. The certificate issuing authority may not be a trusted certificate authority."

Answer:
Go for top down import, so start with root CA then L1 and finally client certificate. Regarding the error I would suggest you try to import the L1 certificate into the trust store of the application on the other end, sounds like the application cannot verify your client certificate

reading our page gave me some extra insights, especially on the using the same name for an alias (which I did not read anywhere before).
I found this because I had continous problems with managing a keystore with keytool.
Along this page, I found another page, which has a really handy free GUI tool, working on all popular OS'es:
http://yellowcat1.free.fr/index_ktl.html

It greatly simplifies keystore management and for some steps shows the equivalent keytool code.
This tool helped me too create a proper working keystore with only one CAroot caertifcate.

enjoy :)!

The third command starts with openssl x509 -req -my_new.csr

When I enter that command, it says that my_new.csr is an invalid switch or option. Even if I remove the - before it, it does not work.

Excellent page,
I used to be right into this and I had all my bookmarks for various sources. Which I lost, I found this and its basically everything I'd ever need for certs.

Particularly importing a private key and cert into a pkcs12, which I've been looking all over for! All you can find is the other way around.

Thanks!

yvComment v.1.21.0

Written by Stefan Reimer
Wednesday, 30 January 2008 14:30
Initial Setup First you have to create a new private key within an existing or new keystore using keytool: keytool -genkey -keyalg rsa -keystore keystorename -storepass keystorepassword \ -alias my_new_key The preceding command uses syntax for the keytool provided with Java 1.5. If your installation uses Java 1.6, substitute -genkeypair for the -genkey option. to protect the new private key by its own keypassword within the keystore you have to add the keypass option if you don't use the keypass option the keystore password is used to protect the private key accordingly in order to delete a key password (which is not possible with keytool btw), you have to copy the keystore password to the key password if you want to use the key as a client certifcate use RSA as key algorithm, instead of default DSA, because many servers (e.g IBM MQ) only accept RSA client certs The next task is to generate a CSR, even if you want to create a self signed certifcate: keytool -certreq -alias my_new_key -keystore keystorename -storepass keystorepassword \ -file my_new.csr Now it is time to either send the CSR to the CA of your choice, or to sign it by your own CA using openssl: openssl x509 -req -in my_new.csr -CA my_ca.crt -CAkey my_ca.key -out my_new.crt -days 365 \ -CAcreateserial -CAserial my_ca.seq In case your certificate is not selfsigned, you first have to import the certificate of the CA, and in case all intermediate CAs, that signed your CSR. After that, by importing the certficate the chain of trust will be established. keytool -import -alias my_ca -file ca.crt -keystore keystorename -storepass keystorepassword You have to enter either "yes" or use . Finally the signed certificate has to be imported into the keystore using the same alias as the private key: keytool -import -alias my_new_key -file my_new.crt -keystore keystorename \ -storepass keystorepassword Examing the keystore To see what's inside any given keystore: keytool -list -keystore keystorename for example: Keystore type: jks Keystore provider: SUN Your keystore contains 2 entries my_key, Sep 26, 2007, keyEntry, Certificate fingerprint (MD5): BA:22:E1:9E:9D:83:05:5A:99:42:5E:EF:62:77:DE:5A my_ca, Sep 26, 2007, trustedCertEntry, Certificate fingerprint (MD5): 4E:B5:B6:7A:02:F8:F8:6E:5E:79:FB:84:65:75:42:68 To get detailed information, like issuer for an alias use "-v" ! Change keystore passpharse To change to keystore passphrase use the following keytool command: keytool -storepasswd -keystore keystorename If you use JDK 1.6 keytool you have to change the keypasswd for all private keys within the keystore as well ! OpenSSL and Keystores A common task is to exchange keys and certificates between apache webserver, ssl loadbalancer or java application server such as tomcat or BEA Weblogic. This means to convert keys and certificates from PEM,DER or PKCS12 to or from java keystores. The standard keytool is able to import or export certificates, but there is no way to do so with private keys. Export certifcate: keytool -export -rfc -alias my_cert -file cert.crt -keystore keystorename -storepass keystorepassword Import certificate: keytool -import -alias my_cert -file cert.crt -keystore keystorename -storepass keystorepassword Import private key: In order to import an exisiting private key you first have to get and compile the ImportKey.java tool. It is based on ImportKey. I added options to import keys and certs into an existing keystore as well as setting the keystore passphrase via the command line. Usage: java ImportKey keyfile certfile [alias] [keystore] [keystore_passphrase] The key has to be in DER format, which can be easily done with openssl: openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER In case of a self signed certifcate use: openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER If the certifcate is signed by a foreign CA or even signed by intermediate CA(s) use: openssl crl2pkcs7 [-certfile ca_intermediate.pem] -certfile ca.pem -in cert.pem -inform PEM \ -out cert.der -outform DER -nocrl This will create a PKCS#7 container using DER format including the correct certificate chain. Then build a new keystore using both key and certificate: java ImportKey key.der cert.der my_alias Export private key: This is based on information from Mark Foster's wiki. In order to export any private key from an existing keystore download and compile ExportPriv.java. After compiling it run: java ExportPriv > exported.key The key will be exported into exported.key file in PKCS#8 PEM format. This can be converted into RSA format which is needed by apache with: openssl pkcs8 -inform PEM -nocrypt -in exported.key -out exported_rsa.key Various needful commands Convert PEM to PKCS12 To create a pkcs12 container from a pem private key and cert use: openssl pkcs12 -export -in cert.pem -inkey key.pem -out cred.p12 Export key and cert from PKCS12 to PEM If you have a pkcs12 container and its passphrase .) use the following command to extract the private key and client certificate only (-clcerts), without encrypting the exported private key again (-nodes): openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts As you will probably notice, both key and certificate are combined into one file. If you need them seperatly you can either split the file using your favorite editor by simply save everything between (and including) each of the -----BEGIN----- and -----END----- lines to separate files or use the following two commands to export them seperatly: openssl pkcs12 -in cred.p12 -out cert.pem -nodes -clcerts -nokeys openssl pkcs12 -in cred.p12 -out key.pem -nodes -nocerts Remove passphrase of private key It will prompt for current passphrase: openssl rsa -in oldkey.pem -out newkey.pem Change passphrase of private key It will prompt for old passphrase and twice for new one: openssl rsa [-des3\|-aes128] -in oldkey.pem -out newkey.pem View details of a certificate signing request CSR openssl req -noout -text -in server.csr Links Graphical Keytool Tool Keytool IUI written by yellowcat
Last Updated ( Saturday, 13 February 2010 23:49 )

Initial Setup

Examing the keystore

Change keystore passpharse

OpenSSL and Keystores

Export certifcate:

Import certificate:

Import private key:

Export private key:

Various needful commands

Convert PEM to PKCS12

Export key and cert from PKCS12 to PEM

Remove passphrase of private key

Change passphrase of private key

View details of a certificate signing request CSR

Links

Graphical Keytool Tool