Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Migrating Keys from 'keytool' to 'OpenSSL'


(Continued from previous part...)

The last step in making my herong.key file meet the PEM format standard is to add a header line and a footer line with a text editor:

-----BEGIN PRIVATE KEY-----
MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdS
...
g9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoEFgIUSVbo98XAZDN9RZoZ+li3kIKVEbk=
-----END PRIVATE KEY-----

Now I have my private and public key pair converted from binary format to PEM format in the file herong.key. Remember that this key pair was generated by "keytool".
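The header-and-footer step above is easy to get subtly wrong (a line of the wrong width, a label that does not match, a file that is still Base64 or still a raw keystore dump), and "openssl dsa" only reports a parse error when that happens. The following Python is an added example, not part of the original tutorial and not the DumpKey.java program; it assumes the dumped file holds raw PKCS#8 DER, which is what Java's PrivateKey.getEncoded() returns for a DSA key. It wraps DER as PEM in 64-column lines, unwraps it again, walks the PKCS#8 structure far enough to confirm the algorithm OID, and reads the algorithm straight from the first Base64 line quoted above. The toy key it builds (build_toy_pkcs8_dsa, with numbers far too small to mean anything) is constructed purely so the round trip can run offline.

```python
import base64
import re

PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----"
PKCS8_FOOTER = "-----END PRIVATE KEY-----"
KNOWN_OIDS = {"1.2.840.10040.4.1": "DSA", "1.2.840.113549.1.1.1": "RSA",
              "1.2.840.10045.2.1": "EC"}  # algorithm OIDs seen in PKCS#8 keys
DSA_OID_DER = bytes.fromhex("2a8648ce380401")  # 1.2.840.10040.4.1 in DER
# First Base64 line of herong.key as quoted on this page (48 bytes, not a whole key).
PAGE_FIRST_LINE = "MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdS"

def der_to_pem(der: bytes, header: str = PKCS8_HEADER, footer: str = PKCS8_FOOTER) -> str:
    """The manual step from the text: Base64 in 64-column lines between header and footer."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([header, *lines, footer]) + "\n"

def pem_to_der(pem: str) -> bytes:
    """Reverse of der_to_pem; the BEGIN and END labels must match."""
    m = re.search(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no well-formed PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def _read_header(data: bytes, pos: int):
    """Return (tag, content_length, content_start) for the DER element at pos."""
    tag, first = data[pos], data[pos + 1]
    if first & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = first & 0x7F
        return tag, int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, first, pos + 2

def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos); rejects an element that runs past the data."""
    tag, length, start = _read_header(data, pos)
    end = start + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[start:end], end

def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 0x80, "short-form length is all the toy key needs"
    return bytes([tag, len(value)]) + value

def _integer(v: int) -> bytes:
    # (bits + 8) // 8 keeps a leading 0x00 when the top bit is set (INTEGER is signed).
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect_pkcs8(der: bytes) -> dict:
    """Walk PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, privateKey }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one DER SEQUENCE (still Base64, or a keystore dump?)")
    v_tag, version, pos = _read_tlv(body, 0)
    a_tag, alg, pos = _read_tlv(body, pos)
    k_tag, priv, _ = _read_tlv(body, pos)
    o_tag, oid, _ = _read_tlv(alg, 0)
    if (v_tag, version, a_tag, o_tag, k_tag) != (0x02, b"\x00", 0x30, 0x06, 0x04):
        raise ValueError("does not have the PKCS#8 PrivateKeyInfo layout")
    dotted = _decode_oid(oid)
    return {"oid": dotted, "algorithm": KNOWN_OIDS.get(dotted, "unknown"),
            "private_key_bytes": len(priv)}

def is_pkcs8(der: bytes) -> bool:
    try:
        inspect_pkcs8(der)
        return True
    except (ValueError, IndexError):
        return False

def algorithm_from_first_line(b64_line: str) -> str:
    """Name the algorithm from the first 64-column Base64 line alone (48 bytes)."""
    prefix = base64.b64decode(b64_line)
    _, _, pos = _read_header(prefix, 0)    # outer SEQUENCE; its content is cut off
    _, _, pos = _read_tlv(prefix, pos)     # version INTEGER
    _, _, pos = _read_header(prefix, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(prefix, pos)   # algorithm OID
    if tag != 0x06:
        raise ValueError("no OID where PKCS#8 puts the algorithm")
    return KNOWN_OIDS.get(_decode_oid(oid), "unknown")

def build_toy_pkcs8_dsa(p: int = 23, q: int = 11, g: int = 4, x: int = 3) -> bytes:
    """CONSTRUCTED toy key: real PKCS#8/DSA layout, toy-sized numbers, structure only."""
    params = _tlv(0x30, _integer(p) + _integer(q) + _integer(g))  # Dss-Parms
    alg_id = _tlv(0x30, _tlv(0x06, DSA_OID_DER) + params)
    private_key = _tlv(0x04, _integer(x))  # OCTET STRING wrapping INTEGER x
    return _tlv(0x30, _integer(0) + alg_id + private_key)
```

Running inspect_pkcs8 on the dumped bytes before the Base64 step tells you whether DumpKey.java wrote a PKCS#8 PrivateKeyInfo or something else, and is_pkcs8 returns False for a truncated dump or for a file that is still Base64 text, which are the two mistakes that otherwise surface only as a cryptic "openssl dsa" error. The same check applied to the first line of herong.key above identifies it as a DSA key from its OID alone.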

The next thing I want to do is view this key pair with the "openssl dsa" command as described in the next section.

"OpenSSL" Viewing "keytool" Keys

After going through so much trouble to dump the key pair out of the keystore file, encode it with Base64, and make it meet the PEM file standard, I can finally view it with the "openssl dsa" command:

>openssl dsa -in herong.key -text
read DSA key
Private-Key: (1024 bit)
priv:
    49:56:e8:f7:c5:c0:64:33:7d:45:9a:19:fa:58:b7:
    90:82:95:11:b9
pub:
    00:b0:61:2b:c1:88:0e:19:66:58:37:b5:bc:0f:78:
    88:f7:79:b5:fa:6c:cb:6c:b2:86:44:d8:b2:15:13:
    e3:09:dd:9c:5a:52:02:4a:fb:1c:30:e8:2b:b5:45:
    8f:88:5a:57:a9:1f:c0:b8:3d:1c:a1:a9:6f:20:76:
    a7:c0:eb:5e:df:bf:87:84:14:02:53:d5:87:c9:3a:
    13:9d:e8:45:4f:c6:2d:48:44:e2:80:18:63:e4:40:
    a1:f0:2c:e4:d2:86:34:8d:dd:93:92:42:1a:19:1d:
    0e:44:f6:a2:6d:94:1a:ed:d7:d2:94:7e:0b:26:88:
    a4:cb:c4:88:5b:56:49:2e:80
P:
    00:fd:7f:53:81:1d:75:12:29:52:df:4a:9c:2e:ec:
    e4:e7:f6:11:b7:52:3c:ef:44:00:c3:1e:3f:80:b6:
    51:26:69:45:5d:40:22:51:fb:59:3d:8d:58:fa:bf:
    c5:f5:ba:30:f6:cb:9b:55:6c:d7:81:3b:80:1d:34:
    6f:f2:66:60:b7:6b:99:50:a5:a4:9f:9f:e8:04:7b:
    10:22:c2:4f:bb:a9:d7:fe:b7:c6:1b:f8:3b:57:e7:
    c6:a8:a6:15:0f:04:fb:83:f6:d3:c5:1e:c3:02:35:
    54:13:5a:16:91:32:f6:75:f3:ae:2b:61:d7:2a:ef:
    f2:22:03:19:9d:d1:48:01:c7
Q:
    00:97:60:50:8f:15:23:0b:cc:b2:92:b9:82:a2:eb:
    84:0b:f0:58:1c:f5
G:
    00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:5c:36:b8:
    57:b9:79:94:af:bb:fa:3a:ea:82:f9:57:4c:0b:3d:
    07:82:67:51:59:57:8e:ba:d4:59:4f:e6:71:07:10:
    81:80:b4:49:16:71:23:e8:4c:28:16:13:b7:cf:09:
    32:8c:c8:a6:e1:3c:16:7a:8b:54:7c:8d:28:e0:a3:
    ae:1e:2b:b3:a6:75:91:6e:a3:7f:0b:fa:21:35:62:
    f1:fb:62:7a:01:24:3b:cc:a4:f1:be:a8:51:90:89:
    a8:83:df:e1:5a:e5:9f:06:92:8b:66:5e:80:7b:55:
    25:64:01:4c:3b:fe:cf:49:2a
writing DSA key
-----BEGIN DSA PRIVATE KEY-----
...
-----END DSA PRIVATE KEY-----
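The five numbers that "openssl dsa -text" printed above can be checked against each other with plain integer arithmetic, which is a useful habit whenever a key has been through a hand-made conversion. The Python below is an added example, not part of the tutorial; the hex strings are transcribed from the output above with the colons and the leading 00 sign bytes removed, and the function names are mine. It confirms the DSA relations (q divides p-1, g has order q, pub = g^priv mod p) and then signs and verifies a constructed message with the key, using textbook DSA over SHA-1 as a 1024-bit DSA key would be used.

```python
import hashlib

# Transcribed from the 'openssl dsa -text' output above (all five values appear
# verbatim on this page); colons and leading 0x00 sign bytes removed.
PRIV = "4956e8f7c5c064337d459a19fa58b790829511b9"
PUB = ("b0612bc1880e19665837b5bc0f7888f779b5fa6ccb6cb28644d8b21513"
       "e309dd9c5a52024afb1c30e82bb5458f885a57a91fc0b83d1ca1a96f2076"
       "a7c0eb5edfbf8784140253d587c93a139de8454fc62d4844e2801863e440"
       "a1f02ce4d286348ddd9392421a191d0e44f6a26d941aedd7d2947e0b2688"
       "a4cbc4885b56492e80")
P = ("fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6"
     "512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d34"
     "6ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7"
     "c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aef"
     "f22203199dd14801c7")
Q = "9760508f15230bccb292b982a2eb840bf0581cf5"
G = ("f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d"
     "0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09"
     "328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562"
     "f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b55"
     "2564014c3bfecf492a")

def check_dsa_key(p_hex: str, q_hex: str, g_hex: str, x_hex: str, y_hex: str) -> dict:
    """Relations every DSA key pair must satisfy; each flag is True for a sound key."""
    p, q, g, x, y = (int(h, 16) for h in (p_hex, q_hex, g_hex, x_hex, y_hex))
    return {
        "p_bits": p.bit_length(),
        "q_bits": q.bit_length(),
        "q_divides_p_minus_1": (p - 1) % q == 0,          # q is the subgroup order
        "g_has_order_q": 1 < g < p and pow(g, q, p) == 1,
        "x_in_range": 0 < x < q,                          # private value reduced mod q
        "y_matches_x": pow(g, x, p) == y,                 # pub = g^priv mod p
    }

def dsa_key_is_consistent(result: dict) -> bool:
    return all(v for k, v in result.items() if k not in ("p_bits", "q_bits"))

def dsa_sign(p: int, q: int, g: int, x: int, digest: int, k: int):
    """Textbook DSA signing (FIPS 186); k is the per-signature secret nonce."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (digest + x * r)) % q
    return r, s

def dsa_verify(p: int, q: int, g: int, y: int, digest: int, sig) -> bool:
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (digest * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

def sign_and_verify_demo(message: bytes = b"constructed sample message") -> bool:
    """Sign with priv, verify with pub.  The nonce is derived from the message so the
    demo is repeatable offline; a real signer must draw a fresh unpredictable k for
    every signature (or derive it per RFC 6979), since a reused k exposes x."""
    p, q, g, x, y = (int(h, 16) for h in (P, Q, G, PRIV, PUB))
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")  # DSA-1024 pairs with SHA-1
    k = int.from_bytes(hashlib.sha256(b"demo nonce:" + message).digest(), "big") % (q - 1) + 1
    return dsa_verify(p, q, g, y, digest, dsa_sign(p, q, g, x, digest, k))
```

The flag that matters for this migration is y_matches_x: if the pub value did not equal g^priv mod p, the converted file would sign with one key while advertising another. Note also that "-text" prints the private value in the clear, so its output is secret material in its own right and does not belong in tickets, logs or tutorials other than a deliberately published one like this.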

Wonderful! Here is what I learned from this exercise:

  • Private and public key pairs generated by "keytool" can be used by "OpenSSL".
  • Private and public key pairs stored in "keystore" files can be dumped out. But I have to write a Java program, DumpKey.java, to do this.
  • My DumpKey.java program does not write the key in PEM format. Extra steps are needed to convert the dumped binary key to PEM format.

My private and public key pair, herong.key, dumped and converted from the "keytool" keystore file, is now ready to be used by "OpenSSL" for signing documents.

Conclusion

  • The "keytool -genkeypair" command does two things: it generates a DSA key pair and a self-signed certificate.
  • The "keytool -exportcert" command only exports the self-signed certificate from a PrivateKeyEntry in a keystore.
  • The "DumpKey.java" program dumps the key pair from a PrivateKeyEntry in a keystore into a binary format.
  • The "openssl enc" command can be used to perform Base64 encoding.
  • PEM format requires a header line and a footer line around the Base64 encoded content.
  • Key pairs generated with "keytool" are compatible with "OpenSSL".


Dr. Herong Yang, updated in 2007