Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Key Formats PKCS#8 and PKCS#12 and Migration


Notes on the commands and options I used:

  • "keytool -list" command lists what's in the keystore file.
  • "-keystore openssl_key_crt.p12" option specifies the keystore file, a PKCS#12 file generated by "OpenSSL".
  • "-storetype pkcs12" option specifies the type of the keystore file, "jks" or "pkcs12".
  • "-storepass p12pass" option specifies the password to open the keystore file.
  • "keytool -exportcert" command exports the self-signed certificate out of the keystore file.
  • "-rfc" option tells keytool to write the certificate file with PEM (RFC1421) encoding.

The tests were successful and helped me to learn that:

  • The PKCS#12 file generated by "OpenSSL" does meet the PKCS#12 standard.
  • "OpenSSL" and "keytool" can share keystore files in PKCS#12 format.

As an exercise, you can open "openssl_crt.pem" and "keytool_openssl_crt.pem". They should contain the same Base64 encoded strings.

In the next section, I want to try to convert the PKCS#12 file to a JKS (Java KeyStore) file.

"keytool" Converting PKCS12 to JKS

Since Java uses JKS (Java KeyStore) as the keystore file type, I want to try to convert my PKCS#12 file, openssl_key_crt.p12, to a JKS file with the "keytool -importkeystore" command:

>keytool -importkeystore -srckeystore openssl_key_crt.p12 
-srcstoretype pkcs12 -srcstorepass p12pass -srcalias openssl_key_crt 
-destkeystore openssl_key_crt.jks -deststoretype jks 
-deststorepass jkspass

>keytool -list -keystore openssl_key_crt.jks -storetype jks 
-storepass jkspass

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

openssl_key_crt, Jul 29, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 1D:D4:AC:96:53:25:9F:1A:D0:A7:46:6C...

There was no trouble at all. The "keytool -importkeystore" command has a lot of options, but they are very easy to understand.

Summary - Migrating "OpenSSL" Keys to "keytool"

As a summary, I want to offer some notes here about migrating private keys from "OpenSSL" files to "keytool" keystore files:

  • There is no easy way to migrate the private keys directly from "OpenSSL" key files to "keytool" keystore files.
  • The "openssl pkcs12 -export" command should be used to combine the private key file and the self-signed certificate file into a PKCS#12 file.
  • "keytool" can use the PKCS#12 file directly with the "-storetype pkcs12" option.
  • The "keytool -importkeystore" command should be used to convert the PKCS#12 file into a JKS (Java KeyStore) file.

Summary - Migrating "keytool" Keys to "OpenSSL"

PKCS#12 files can also be used to migrate private keys from "keytool" keystore files to "OpenSSL" key files. Here are my notes on how to do this:

  • There is no easy way to migrate the private keys directly from "keytool" keystore files to "OpenSSL" key files. My "DumpKey.java" program can do this; see other chapters in the book if you want to try it.
  • The "keytool -importkeystore" command should be used to convert a JKS (Java KeyStore) file into a PKCS#12 file.
  • The "openssl pkcs12" command should be used to split the private key file out of the PKCS#12 file.
  • The "openssl pkcs12" command should be used to split the certificate file out of the PKCS#12 file.
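The two migration procedures above (OpenSSL to keytool, and keytool back to OpenSSL), plus the PKCS#12-to-JKS conversion shown earlier, as one added shell script. This is example code written for this page, not the author's own commands or files: the work directory, file names, the alias "openssl_key_crt" and the passwords "p12pass" and "jkspass" are all constructed here. It assumes OpenSSL 1.1.1 or 3.x on the PATH; the keytool steps run only if a JDK is also on the PATH and are skipped otherwise. At the end it checks, by SHA-256 fingerprint, that the certificate and key that came back out of the PKCS#12 file are the ones that went in.

```shell
#!/bin/sh
# Added example (not from Herong's notes): round-trip one private key between
# OpenSSL PEM files and a keytool keystore by way of PKCS#12. All names,
# aliases and passwords below are constructed for the demonstration.
set -eu

# SHA-256 fingerprint of a PEM certificate (hex only, without the label).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 over the DER public key of a PEM private key: two key files that
# agree here hold the same key pair, without ever printing private material.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Direction 1: OpenSSL key + certificate -> PKCS#12 -> keytool (JKS).
openssl_to_keytool() {
    dir=$1
    # Fresh RSA key (written as PKCS#8 PEM) and a self-signed certificate.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/openssl_key.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/openssl_key.pem" -days 365 \
        -subj "/CN=pkcs12-migration-test" -out "$dir/openssl_crt.pem" 2>/dev/null
    # Bundle key and certificate into one PKCS#12 file under the alias
    # keytool will later address with -srcalias / -alias.
    openssl pkcs12 -export -name openssl_key_crt \
        -inkey "$dir/openssl_key.pem" -in "$dir/openssl_crt.pem" \
        -passout pass:p12pass -out "$dir/openssl_key_crt.p12"
    if command -v keytool >/dev/null 2>&1; then
        # keytool reads the PKCS#12 file directly ...
        keytool -list -keystore "$dir/openssl_key_crt.p12" -storetype pkcs12 \
            -storepass p12pass >/dev/null 2>&1
        # ... and converts it into a JKS keystore.
        keytool -importkeystore -srckeystore "$dir/openssl_key_crt.p12" \
            -srcstoretype pkcs12 -srcstorepass p12pass -srcalias openssl_key_crt \
            -destkeystore "$dir/openssl_key_crt.jks" -deststoretype jks \
            -deststorepass jkspass -destkeypass jkspass -noprompt >/dev/null 2>&1
        # Export the certificate from the JKS side in PEM ("-rfc") form.
        keytool -exportcert -rfc -alias openssl_key_crt \
            -keystore "$dir/openssl_key_crt.jks" -storetype jks \
            -storepass jkspass -file "$dir/keytool_openssl_crt.pem" >/dev/null 2>&1
    fi
}

# Direction 2: keytool (JKS) -> PKCS#12 -> OpenSSL key + certificate files.
keytool_to_openssl() {
    dir=$1
    src="$dir/openssl_key_crt.p12"
    if command -v keytool >/dev/null 2>&1 && [ -f "$dir/openssl_key_crt.jks" ]; then
        # Convert the JKS keystore back into a PKCS#12 file (store and key
        # password kept equal, as PKCS#12 keystores require).
        keytool -importkeystore -srckeystore "$dir/openssl_key_crt.jks" \
            -srcstoretype jks -srcstorepass jkspass -srckeypass jkspass \
            -srcalias openssl_key_crt \
            -destkeystore "$dir/keytool_key_crt.p12" -deststoretype pkcs12 \
            -deststorepass p12pass -destkeypass p12pass -noprompt >/dev/null 2>&1
        src="$dir/keytool_key_crt.p12"
    fi
    # Split the private key out. "-nodes" writes it unencrypted, so the output
    # must live only in a protected location; use -passout to keep it encrypted.
    openssl pkcs12 -in "$src" -passin pass:p12pass -nocerts -nodes \
        -out "$dir/migrated_key.pem" 2>/dev/null
    # Split the certificate out of the same PKCS#12 file.
    openssl pkcs12 -in "$src" -passin pass:p12pass -nokeys \
        -out "$dir/migrated_crt.pem" 2>/dev/null
}

# Run both directions in a scratch directory, print the fingerprints and
# return 0 only when what came back matches what went in.
migrate_roundtrip() {
    work=$(mktemp -d)
    openssl_to_keytool "$work"
    keytool_to_openssl "$work"
    orig_crt=$(cert_fingerprint "$work/openssl_crt.pem")
    back_crt=$(cert_fingerprint "$work/migrated_crt.pem")
    orig_key=$(key_fingerprint "$work/openssl_key.pem")
    back_key=$(key_fingerprint "$work/migrated_key.pem")
    echo "certificate : $orig_crt -> $back_crt"
    echo "public key  : $orig_key -> $back_key"
    rm -rf "$work"
    [ "$orig_crt" = "$back_crt" ] && [ "$orig_key" = "$back_key" ]
}
```

Save the script, source it and call `migrate_roundtrip`; the exit status is 0 only when both fingerprints agree. Two points worth keeping in mind when repeating the page's steps on a current JDK: since JDK 9 the default keystore type is PKCS12 and keytool prints a warning that JKS is a proprietary format, so the "-deststoretype jks" step is only needed for software that still insists on JKS; and the PKCS#12 files on both sides are protected by their password alone, so the same handling rules apply to them as to the unencrypted key file that "openssl pkcs12 -nodes" writes.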

Conclusion

  • PKCS#8 is designed as the Private-Key Information Syntax Standard. It defines what should be included in a private key file.
  • PKCS#12 is designed as the Personal Information Exchange Syntax Standard. It defines how to package a private key and its certificates into a single file.
  • "openssl pkcs8" command can be used to read and write private keys in PKCS#8 format.
  • "openssl pkcs12" command can be used to read and write PKCS#12 files.
  • "keytool -importkeystore" command can be used to convert between PKCS#12 files and JKS files.


Dr. Herong Yang, updated in 2007