[lug] Migrating x509 public/private keypair to java jks
George Sexton
gsexton at mhsoftware.com
Tue Apr 11 10:38:54 MDT 2006
My bust.
Try something like:
openssl rsa -inform pem -in privatekey.pem -outform der -out privatekey.der
You can also do
openssl rsa -inform pem -in privatekey.pem -text
to dump the text form of the private key.
George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
> -----Original Message-----
> From: lug-bounces at lug.boulder.co.us [mailto:lug-bounces at lug.boulder.co.us]
> On Behalf Of Andrew Diederich
> Sent: Tuesday, April 11, 2006 9:45 AM
> To: Boulder (Colorado) Linux Users Group -- General Mailing List
> Subject: Re: [lug] Migrating x509 public/private keypair to java jks
>
> On 4/10/06, George Sexton <gsexton at mhsoftware.com> wrote:
> > The problem is that keytool doesn't speak pem. It speaks DER. Here's what I
> > had to do to get my LDAP cert into the keystore.
> <snip>
>
> keytool (1.5) has imported my pem certificates just fine. I converted
> a public/private pem keypair I had (cat'd in one file), which
> converted, then I imported it into a jks file with keytool. It
> imported as a trustedCertEntry, which is what cert-only certs and CA
> certs get imported as. So, I tried converting just my private key to
> DER from PEM, and got an error. It looks like private keys just can't
> be changed from one form to another. There seems to be a black hole
> of knowledge about this -- I haven't found docs on how to do it, and
> haven't seen any notes that it is impossible. Weird.
>
> andrew at tango:> openssl x509 -inform pem -in privatekey.pem -outform der -out privatekey.der
> unable to load certificate
> 7041:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
>
> The private key has the regular -----BEGIN RSA PRIVATE KEY----- and
> -----END RSA PRIVATE KEY----- lines. It is not encrypted.
>
> --
> Andrew Diederich
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us portf67 channel=olug
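Added example, not part of the original messages: the "no start line ... Expecting: TRUSTED CERTIFICATE" error above comes from giving openssl x509 a file whose PEM block is an RSA PRIVATE KEY, so this sketch reads the BEGIN label, splits a cat'd certificate-plus-key file into single blocks, and prints the matching conversion command for each. The function names are hypothetical, the sample bodies are constructed placeholders rather than real key material, and the commands are printed instead of run for that reason.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the label of every PEM block in file $1, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Print block number $2 (1-based) of PEM file $1, armor lines included.
pem_block() {
    awk -v want="$2" '
        /^-----BEGIN / { n++ }
        n == want      { print }
        /^-----END /   { if (n == want) exit }
    ' "$1"
}

# Turn one PEM block on stdin into DER: drop the armor, base64-decode the body.
pem_body_to_der() {
    grep -v '^-----' | tr -d ' \r\n' | base64 -d
}

# Print the openssl call that converts single-block file $1 to DER.
# x509 loads certificate blocks only; an RSA PRIVATE KEY block needs rsa.
pem_to_der_cmd() {
    case "$(pem_labels "$1" | head -n 1)" in
        CERTIFICATE|"TRUSTED CERTIFICATE") sub=x509 ;;
        "RSA PRIVATE KEY")                 sub=rsa ;;
        *) echo "unsupported or missing PEM block in $1" >&2; return 1 ;;
    esac
    echo "openssl $sub -inform pem -in $1 -outform der -out ${1%.pem}.der"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: certificate and key cat'd into one file. The body
    # "MAMCAQA=" is a 5-byte DER placeholder, not a real key or certificate.
    for label in "CERTIFICATE" "RSA PRIVATE KEY"; do
        printf '%s\n' "-----BEGIN $label-----" "MAMCAQA=" "-----END $label-----"
    done > "$dir/pair.pem"
    pem_block "$dir/pair.pem" 1 > "$dir/cert.pem"
    pem_block "$dir/pair.pem" 2 > "$dir/privatekey.pem"
    pem_to_der_cmd "$dir/cert.pem"
    pem_to_der_cmd "$dir/privatekey.pem"
    pem_body_to_der < "$dir/privatekey.pem" | od -An -tx1   # 30 03 02 01 00
    rm -rf "$dir"
}
demo
```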