Migrating Keys from 'keytool' to 'OpenSSL'
Another type of question I received concerns moving keys from "keytool" keystore files
to "OpenSSL" key files. Since "keytool" does not support exporting keys,
I wrote a Java program to dump keys out of the keystore file.
In this chapter, I recorded the following testing scenarios to find a way to move keys from
"keytool" keystore files to "OpenSSL" key files:
- Using "keytool" to generate a private and public key pair.
- Using "keytool" to export the self-signed certificate from PrivateKeyEntry.
- Using "keytool" to display details of a certificate.
- Using "OpenSSL" to view certificate exported by "keytool".
- Writing "DumpKey.java" to dump key pair out of "keytool" keystore files.
- Using "OpenSSL" to convert dumped key pair from binary to Base64 encoding.
- Using "OpenSSL" to view key pair dumped and converted from "keytool" keystore files.
"keytool" Generating Private and Public Key Pair
To test how to transfer a private and public key pair from a "keytool" keystore file to OpenSSL format,
I first need to generate a key pair with the "keytool -genkeypair" command.
What I did is recorded below:
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode,
>keytool -genkeypair -alias herong_key -keypass keypass
-keysize 1024 -keystore herong.jks -storepass jkspass
What is your first and last name?
[Unknown]: Herong Yang
What is the name of your organizational unit?
[Unknown]: Herong Unit
What is the name of your organization?
[Unknown]: Herong Company
What is the name of your City or Locality?
[Unknown]: Herong City
What is the name of your State or Province?
[Unknown]: Herong State
What is the two-letter country code for this unit?
Is CN=Herong Yang, OU=Herong Unit, O=Herong Company,
L=Herong City, ST=Herong State, C=CA correct?
>keytool -list -keystore herong.jks -storepass jkspass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
herong_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 0C:54:AE:99:4E:3D:F7:A9:7...
I am not going to explain all the command options used above, because they were explained
in previous chapters.
I now have a key pair in the keystore file, herong.jks. But there seems to be no "keytool" command
to export it. "keytool -help" gave me the following command options:
Generating CSR from a key pair entry
Renaming an entry in the keystore file
Deleting an entry in the keystore file
Exporting a certificate entry
Generating a new key pair entry
Generating a secret key entry
Displaying help information
Importing a certificate into the keystore file
Importing all entries from another keystore file
Changing the password for an existing entry
Display all entry names
Print a certificate file
Changing the keystore file password
In the next section, I tried to use "keytool -exportcert" to export the key pair.
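As an added example (not the author's DumpKey.java, and not code from this page), here is one way to read the herong_key entry through the standard java.security.KeyStore API and write it directly as PEM files that OpenSSL can read. It assumes Java 8 or later for java.util.Base64; the class name JksToPem and the output file names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Base64;

// Added example: class name and output file names are hypothetical.
public class JksToPem {
    // Wrap DER bytes in a PEM envelope with 64-character Base64 lines.
    static String pem(String label, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                            .encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + body + "\n-----END " + label + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Keystore file, alias and passwords are the ones used in the session above.
        String file = "herong.jks", alias = "herong_key";
        char[] storePass = "jkspass".toCharArray();
        char[] keyPass = "keypass".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);               // also checks the keystore integrity hash
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry in " + file);
        }
        Key key = ks.getKey(alias, keyPass);      // decrypts the entry with its own password
        if (!(key instanceof PrivateKey) || !"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("expected a PKCS#8-encodable private key");
        }
        Certificate cert = ks.getCertificate(alias);

        // getEncoded() returns PKCS#8 DER for the key and X.509 DER for the certificate.
        Files.write(Paths.get("herong_key.pem"),
                pem("PRIVATE KEY", key.getEncoded()).getBytes(StandardCharsets.US_ASCII));
        Files.write(Paths.get("herong_cert.pem"),
                pem("CERTIFICATE", cert.getEncoded()).getBytes(StandardCharsets.US_ASCII));
        System.out.println("Wrote " + key.getAlgorithm() + " key and certificate for " + alias);
    }
}
```

The private key is written as unencrypted PKCS#8, so restrict access to herong_key.pem; `openssl pkey -in herong_key.pem -noout -text` displays it.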