Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Migrating Keys from 'keytool' to 'OpenSSL'

Part:   1  2  3  4 

The other type of question I received is about moving keys from "keytool" keystore files to "OpenSSL" key files. Since "keytool" has no command that exports a private key, I wrote a Java program to dump keys out of the keystore file. In this chapter, I recorded the following testing scenarios to find a way to move keys from "keytool" keystore files to "OpenSSL" key files:

  • Using "keytool" to generate a private and public key pair.
  • Using "keytool" to export the self-signed certificate from PrivateKeyEntry.
  • Using "keytool" to display details of a certificate.
  • Using "OpenSSL" to view certificate exported by "keytool".
  • Writing "DumpKey.java" to dump key pair out of "keytool" keystore files.
  • Using "OpenSSL" to convert dumped key pair from binary to Base64 encoding.
  • Using "OpenSSL" to view key pair dumped and converted from "keytool" keystore files.

"keytool" Generating Private and Public Key Pair

To test out how to transfer a private and public key pair from a "keytool" keystore file to OpenSSL format, I first need to generate a key pair with the "keytool -genkeypair" command. What I did is recorded below:

>java -version

java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode,
  sharing)
  
>keytool -genkeypair -alias herong_key -keypass keypass
-keysize 1024 -keystore herong.jks -storepass jkspass

What is your first and last name?
  [Unknown]:  Herong Yang
What is the name of your organizational unit?
  [Unknown]:  Herong Unit
What is the name of your organization?
  [Unknown]:  Herong Company
What is the name of your City or Locality?
  [Unknown]:  Herong City
What is the name of your State or Province?
  [Unknown]:  Herong State
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=Herong Yang, OU=Herong Unit, O=Herong Company, 
L=Herong City, ST=Herong State, C=CA correct?
  [no]:  yes

>keytool -list -keystore herong.jks -storepass jkspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

herong_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 0C:54:AE:99:4E:3D:F7:A9:7...

I am not going to explain all the command options used above, because they were explained in previous chapters. Two points matter for the migration, though: no "-keyalg" option was given, so "keytool" used its default algorithm, DSA, and the key pair is 1024 bits. A DSA key needs to be handled with the DSA commands on the OpenSSL side, and a 1024-bit key of either type is too short for any current use; today you would pass "-keyalg RSA -keysize 2048" or larger.

I now have a key pair in the keystore file, herong.jks. But there seems to be no "keytool" command to export it. "keytool -help" gave me the following command options (note that "-importkeystore", introduced with JDK 6, can copy an entry into a PKCS#12 keystore, which OpenSSL reads directly with "openssl pkcs12"; the DumpKey.java program in the later parts of this chapter is the alternative when that option is not available):

keytool usage:

-certreq
	Generating CSR from a key pair entry

-changealias
	Renaming an entry in the keystore file

-delete
	Deleting an entry in the keystore file

-exportcert
	Exporting a certificate entry

-genkeypair
	Generating a new key pair entry

-genseckey
	Generating a secret key entry

-help
	Displaying help information

-importcert
	Importing a certificate into the keystore file

-importkeystore
	Importing all entries from another keystore file

-keypasswd
	Changing the password for an existing entry

-list
	Display all entry names

-printcert
	Print a certificate file

-storepasswd
	Changing the keystore file password
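The help listing above does contain a way out that needs no Java code: "-importkeystore" can copy the PrivateKeyEntry into a PKCS#12 keystore, and OpenSSL can unpack a PKCS#12 file into PEM. The script below is an added example, not from the original tutorial, that runs the whole procedure: generate the key pair (with an explicit "-keyalg RSA -keysize 2048" instead of the 1024-bit DSA default used above), convert the JKS file to PKCS#12, extract the private key and certificate with "openssl pkcs12", and verify that the exported key really belongs to the exported certificate by comparing the RSA modulus of both. It assumes a JDK 6 or later "keytool" and "openssl" on the PATH; the file names, alias, subject name and passwords are hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example (not part of Herong's tutorial): migrate a "keytool" private key
# to OpenSSL PEM files with "keytool -importkeystore" and "openssl pkcs12".
# Assumptions: keytool (JDK 6+) and openssl are on PATH. All names and
# passwords below are hypothetical.

KS=herong.jks
P12=herong.p12
ALIAS=herong_key
STOREPASS=jkspass
# PKCS#12 as read by OpenSSL uses one password for the whole file, so the key
# password must equal the store password when converting.
KEYPASS=jkspass

# Step 1: generate the key pair non-interactively. -dname replaces the
# interactive prompts; -keyalg is explicit because keytool defaults to DSA.
gen_keypair() {
    rm -f "$KS"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=Herong Yang, OU=Herong Unit, O=Herong Company, L=Herong City, ST=Herong State, C=CA" \
        -validity 365 -storetype JKS -keystore "$KS" \
        -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# Step 2: copy the PrivateKeyEntry into a PKCS#12 keystore.
to_pkcs12() {
    rm -f "$P12"
    keytool -importkeystore -noprompt \
        -srckeystore "$KS" -srcstoretype JKS -srcstorepass "$STOREPASS" \
        -srcalias "$ALIAS" -srckeypass "$KEYPASS" \
        -destkeystore "$P12" -deststoretype PKCS12 \
        -deststorepass "$STOREPASS" -destkeypass "$KEYPASS"
}

# Step 3: unpack the PKCS#12 file into an unencrypted PEM private key and the
# certificate. The key file is restricted to the owner because it is in clear.
extract_pem() {
    openssl pkcs12 -in "$P12" -passin "pass:$STOREPASS" -nocerts -nodes -out key.pem
    openssl pkcs12 -in "$P12" -passin "pass:$STOREPASS" -nokeys -out cert.pem
    chmod 600 key.pem
}

# Check: the modulus of the exported key must equal the modulus of the
# exported certificate, otherwise the wrong entry (or a stale file) was used.
# Prints "match" and returns 0, or prints "MISMATCH" and returns 1.
check_match() {
    k=$(openssl rsa -in key.pem -noout -modulus)
    c=$(openssl x509 -in cert.pem -noout -modulus)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then
        echo match
    else
        echo MISMATCH
        return 1
    fi
}

migrate() {
    gen_keypair && to_pkcs12 && extract_pem && check_match
}

migrate
```

With an old JDK, the PKCS#12 file is encrypted with legacy ciphers (40-bit RC2 for the certificate bag); OpenSSL 3.x then refuses to open it unless "-legacy" is added to the "openssl pkcs12" commands. JDK 8u301, 11.0.12 and 17 onwards write PBES2/AES-256 by default and need no such flag.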

In the next section, I tried to use "keytool -exportcert" to export the key pair.

(Continued on next part...)


Dr. Herong Yang, updated in 2007