Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Migrating Keys from 'keytool' to 'OpenSSL'

Part:   1  2  3  4 

The other type of questions I received is related to moving keys from "keytool" keystore files to "OpenSSL" key files. Since "keytool" does not support key exporting function, I wrote a Java program to dump keys out of the keystore file. In this chapter, I recorded the following testing scenarios to find a way to move keys from "keytool" keystore files to "OpenSSL" key files:

  • Using "keytool" to generate a private and public key pair.
  • Using "keytool" to export the self-signed certificate from PrivateKeyEntry.
  • Using "keytool" to display details of a certificate.
  • Using "OpenSSL" to view certificate exported by "keytool".
  • Writing "" to dump key pair out of "keytool" keystore files.
  • Using "OpenSSL" to convert dumped key pair from binary to Base64 encoding.
  • Using "OpenSSL" to view key pair dumped and converted from "keytool" keystore files.

"keytool" Generating Private and Public Key Pair

To test out how to transfer private and public key pair from "keytool" keystore file to OpenSSL format, I need to generate a pair of keys first with the "keytool -genkeypair" command. What I did was recorded below:

>java -version

java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode,
>keytool -genkeypair -alias herong_key -keypass keypass
-keysize 1024 -keystore herong.jks -storepass jkspass

What is your first and last name?
  [Unknown]:  Herong Yang
What is the name of your organizational unit?
  [Unknown]:  Herong Unit
What is the name of your organization?
  [Unknown]:  Herong Company
What is the name of your City or Locality?
  [Unknown]:  Herong City
What is the name of your State or Province?
  [Unknown]:  Herong State
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=Herong Yang, OU=Herong Unit, O=Herong Company, 
L=Herong City, ST=Herong State, C=CA correct?
  [no]:  yes

>keytool -list -keystore herong.jks -storepass jkspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

herong_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 0C:54:AE:99:4E:3D:F7:A9:7...

I am not going to explain all the command options used above, because they were explained in previous chapters.

I have a key pair in keystore file, herong.jks, now. But there seems to be no "keytool" command to export it out. The "keytool -help" gave me the following command options:

keytool usage:

	Generating CSR from a key pair entry

	Renaming an entry in the keystore file

	Deleting an entry in the keystore file

	Exporting a certificate entry

	Generating a new key pair entry

	Generating a secret key entry

	Displaying help information

	Importing a certificate into the keystore file

	Importing all entries from another keystore file

	Changing the password for an existing entry

	Display all entry names

	Print a certificate file

	Changing the keystore file password

In the next section, I tried to use "keytool -exportcert" to export the key pair.

(Continued on next part...)

Part:   1  2  3  4 

Dr. Herong Yang, updated in 2007
Cryptography Tutorials - Herong's Tutorial Notes - Migrating Keys from 'keytool' to 'OpenSSL'