[lug] Migrating x509 public/private keypair to java jks
Hugh Brown
hugh at math.byu.edu
Mon Apr 10 16:36:53 MDT 2006
On Mon, 2006-04-10 at 15:47 -0600, Andrew Diederich wrote:
> I have a pem formatted public/private keypair that I want to use for a
> java program (tomcat). The tomcat program needs a jks formatted file,
> it cannot use pkcs12. If I try to do a "keytool -import" on a pem
> file with the public/private keypair I get a java exception because
> the private key isn't an x509 cert.
>
> keytool -import -alias www.example.com -file wwwexamplecom.pubpriv.pem -v -storetype jks -keystore keystore.jks
> Enter keystore password: changeit
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> I get the same error trying to import just the private key.
>
> If I specify a file with just the public cert keytool wants to import
> the public cert as a trusted cert, and I don't get the private key.
> If I use "keytool -genkey" to generate a public/private keypair and
> try to import my old public cert, of course the public cert doesn't
> match the new private key.
>
> Is it even possible to convert PEM formatted x509 certs into a java
> jks file? If it is possible, does anyone have any references how to
> do it?
>
> Thanks for the help.
>
I'm dredging up vague memories of a lot of pain trying to do this. I
don't think I ever succeeded. I've got these notes to myself about
generating keys for tomcat ($ is intended as a prompt):
# no commas in names
$ keytool -genkey -alias tomcat -keyalg RSA -keystore keystore
$ keytool -certreq -alias tomcat -keystore keystore.new -file keystore.csr
# sign the key with a CA
# missing step about importing the signed key
$ keytool -printcert -file keystore.signed
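
Added example, not part of the original thread and not the poster's notes: one way to get an existing PEM certificate and private key into a JKS file is to bundle them as PKCS#12 with openssl and copy that entry across with keytool -importkeystore. The function name pem_to_jks and the STORE_PASS variable are hypothetical; it assumes separate PEM files for the certificate and key, and a keytool that supports -importkeystore and the :env password modifier.

```shell
#!/bin/sh
# pem_to_jks CERT.pem KEY.pem ALIAS OUT.jks   (hypothetical helper)
# The keystore password is read from the environment variable STORE_PASS
# (at least 6 characters) so it never shows up in the process list.
pem_to_jks() {
    cert=$1 key=$2 entry=$3 out=$4
    [ -n "${STORE_PASS:-}" ] || { echo "STORE_PASS not set" >&2; return 2; }
    export STORE_PASS

    # 1. Refuse a key that does not belong to the certificate: compare the
    #    public key inside the cert with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # 2. Bundle cert + key as PKCS#12 inside a private temp directory.
    old_umask=$(umask); umask 077
    tmp=$(mktemp -d) || return 1
    p12=$tmp/bundle.p12
    rc=0
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$entry" \
        -out "$p12" -passout env:STORE_PASS || rc=1

    # 3. Copy the PKCS#12 entry into a JKS keystore; it arrives as a
    #    key entry, not as a trusted certificate.
    if [ "$rc" -eq 0 ]; then
        keytool -importkeystore -noprompt \
            -srckeystore "$p12" -srcstoretype PKCS12 \
            -srcstorepass:env STORE_PASS \
            -destkeystore "$out" -deststoretype JKS \
            -deststorepass:env STORE_PASS \
            -srcalias "$entry" -destalias "$entry" >/dev/null 2>&1 || rc=1
    fi
    rm -rf "$tmp"; umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1

    # 4. Confirm the stored entry really carries the private key.
    keytool -list -keystore "$out" -storetype JKS \
        -storepass:env STORE_PASS -alias "$entry" 2>/dev/null |
        grep -q PrivateKeyEntry
}
```

Called as: STORE_PASS=changeit pem_to_jks cert.pem key.pem www.example.com keystore.jks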