Converting a certificate + key to a usable Java keystore

By Confusion on Friday 31 October 2008 15:04 - Comments (2)
Categories: Java, Software engineering, Views: 6.547

Today I was researching the obstacles I would encounter while upgrading the Resin Application Server from 2.1 to 3.1. One of the things that came up was that OpenSSL support is no longer available in the open source version: you have to buy a license to enable the JNI bindings to OpenSSL.

However, JSSE is also supported as the SSL connection handler, so I decided to find out what was involved in switching from OpenSSL to JSSE. That proved to be quite easy with a Java 6 JDK, which already includes a configured JSSE library. The largest problem was converting the certificate and key to a Java keystore. For everyone who may one day have to solve this problem:

First put the certificate and the key in a PKCS12 keystore (openssl asks for an export password, which becomes the password of the PKCS12 file):

code:
openssl pkcs12 -export -out dev.pkcs12 -in dev.crt -inkey dev.key


then convert the PKCS12 keystore to a JKS keystore with the Java keytool (the -importkeystore command exists since Java 6; keytool prompts for the new JKS password and for the PKCS12 export password):

code:
keytool -importkeystore -srckeystore dev.pkcs12 -srcstoretype PKCS12 \
  -destkeystore dev.keystore


This example involves a self-signed certificate; if you need to include CA certificates or certificate chains, the process is slightly more complicated, but probably not very, as you can use openssl to perform all the hard steps. If I encounter any problems when I do that, I will let you know ;).
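The two steps above, including the chain case, as an added shell script that is not part of the original post: it generates a throwaway self-signed certificate and key as constructed input, packs them into a PKCS12 file with an explicit alias, converts that to JKS with keytool, and then checks that the alias really ended up in both files as a private key entry. The file names, the alias dev, the password changeit and the CHAIN variable are assumptions for the demo; the script needs openssl and a JDK 6 or newer keytool on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed cert + key -> PKCS12 -> JKS,
# with checks. Assumes openssl and a JDK 6+ keytool on PATH; file names, the alias
# "dev", the password and the CHAIN variable are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; left in place so the result can be inspected
STOREPASS="changeit"           # demo password only; never reuse it for a real keystore
CHAIN="${CHAIN:-}"             # optional PEM file holding the intermediate/CA certificates

# Constructed input: a throwaway self-signed certificate and key (stands in for dev.crt/dev.key).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dev.example.test" \
        -keyout "$WORK/dev.key" -out "$WORK/dev.crt" 2>/dev/null
}

# Step 1: certificate + key -> PKCS12. -name fixes the alias (without it keytool sees "1");
# -certfile adds the chain when CHAIN is set; -passout replaces the interactive prompt.
make_pkcs12() {
    set -- -export -name dev -in "$WORK/dev.crt" -inkey "$WORK/dev.key" \
           -out "$WORK/dev.pkcs12" -passout "pass:$STOREPASS"
    if [ -n "$CHAIN" ]; then
        set -- "$@" -certfile "$CHAIN"
    fi
    openssl pkcs12 "$@"
}

# Step 2: PKCS12 -> JKS. -deststoretype JKS is spelled out because Java 9+ defaults to
# PKCS12; -destkeypass makes the key password equal to the store password, which e.g.
# Tomcat expects by default. -noprompt overwrites an existing "dev" entry instead of asking.
pkcs12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/dev.pkcs12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -srcalias dev -destalias dev -destkeypass "$STOREPASS" \
        -destkeystore "$WORK/dev.keystore" -deststoretype JKS -deststorepass "$STOREPASS"
}

# Check 1: the PKCS12 carries a certificate bag under the expected alias (friendlyName).
# -nokeys keeps the private key from being written to the terminal.
pkcs12_has_alias() {
    openssl pkcs12 -in "$WORK/dev.pkcs12" -passin "pass:$STOREPASS" -info -nokeys 2>&1 \
        | grep -q "friendlyName: $1"
}

# Check 2: the alias is a PrivateKeyEntry in the JKS, i.e. the key came across and not just
# the certificate (a certificate-only entry would show up as trustedCertEntry).
jks_has_private_key() {
    keytool -list -keystore "$WORK/dev.keystore" -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

main() {
    if ! command -v openssl >/dev/null 2>&1 || ! command -v keytool >/dev/null 2>&1; then
        echo "need both openssl and keytool on PATH; nothing done" >&2
        return 0
    fi
    make_selfsigned
    make_pkcs12
    pkcs12_to_jks
    pkcs12_has_alias dev
    jks_has_private_key dev
    echo "OK: $WORK/dev.keystore (alias dev)"
}
main
```

Passing the passwords on the command line is only there to keep the script non-interactive; when typing this by hand, drop -passout and the -storepass/-keypass options and let the tools prompt. Two things that bite in practice: without -name, openssl files the entry under alias 1, which is the name keytool will then list, and since Java 9 keytool's default keystore type is PKCS12, so on a modern JDK a server that lets you set the keystore type can usually use the .pkcs12 file directly and the second step disappears. If an older keytool refuses a PKCS12 file produced by OpenSSL 3, the newer default encryption of that file is the usual cause; re-export with openssl pkcs12 -export -legacy.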

On a sidenote: Java keystores are terrible things and I dread the moments when I discover they are once again inevitable in reaching a certain goal.


Comments


By Tweakers user latka, Friday 31 October 2008 23:54

I usually use XCA for generating and converting keystores. It just can't create JKS files.. so keytool with the import is indeed handy, or one of the small tools built around Bouncy Castle: http://www.bouncycastle.org/resources.html

By Tweakers user Remus, Saturday 1 November 2008 11:20

I usually use Portecle http://portecle.sourceforge.net/ to create or update keystores. With it you can also import or convert most other keystore types, or individual certificates and keys.

In any case it is a lot clearer than all those command-line options and tools you would otherwise have to use.
