Tuesday, April 24, 2012

Java Key and Certificate Management - Using an existing private key

problem: You want to use your existing private key and cert

It is not immediately obvious how to do this with Java's keytool. It took me a good while to figure out, so I'm documenting here.

solution: Java 6 can treat a PKCS12 file as a keystore

With the Java 6 keytool you can import a PKCS12 file as a keystore; here are the steps I used.

First, convert the PEM format key and cert into a single PKCS12 file:
$ openssl pkcs12 -export -in thedomain.com.crt -inkey thedomain.com.key -out thedomain.com.p12
Then use keytool to import the PKCS12 file into a Java keystore:
$ keytool -importkeystore -destkeystore thedomain.com.keystore -srckeystore thedomain.com.p12 -srcstoretype PKCS12 -alias 1
My understanding is that if you have access to a version 6 keytool, you can use the keystore file generated with 6 on older Java versions, but don't quote me on that.
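
The same import, done in Java rather than with keytool, as an added example that is not part of the original post: it loads the PKCS12 file as a KeyStore (which is the whole trick above), checks that the private key actually belongs to the certificate before trusting the file, and writes the entries out as a JKS keystore. File names and the "changeit" passwords are assumptions; replace them with your own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

/** Loads a PKCS12 file as a KeyStore, checks each private key against its
 *  certificate, and copies the key entries into a JKS keystore. */
public class Pkcs12ToJks {
    // Assumed file names and passwords (hypothetical; substitute your own).
    static final String P12_FILE = "thedomain.com.p12";
    static final char[] P12_PASS = "changeit".toCharArray();
    static final String JKS_FILE = "thedomain.com.keystore";
    static final char[] JKS_PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(P12_FILE);
        try { p12.load(in, P12_PASS); } finally { in.close(); }
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null); // initialise an empty keystore
        Enumeration<String> aliases = p12.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement(); // openssl uses "1" unless -name was given
            if (!p12.isKeyEntry(alias)) continue;  // skip trusted-cert-only entries
            Key key = p12.getKey(alias, P12_PASS);
            Certificate[] chain = p12.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0]; // end-entity cert comes first
            if (!modulusMatches(key, leaf)) {
                throw new IllegalStateException(alias + ": certificate does not match private key");
            }
            System.out.println(alias + ": " + leaf.getSubjectX500Principal()
                    + ", chain length " + chain.length);
            jks.setKeyEntry(alias, key, JKS_PASS, chain);
        }
        FileOutputStream out = new FileOutputStream(JKS_FILE);
        try { jks.store(out, JKS_PASS); } finally { out.close(); }
    }

    /** An RSA key and certificate belong together when their moduli are equal. */
    static boolean modulusMatches(Key priv, X509Certificate cert) {
        if (!(priv instanceof RSAPrivateKey) || !(cert.getPublicKey() instanceof RSAPublicKey)) {
            return false; // only RSA is handled here
        }
        return ((RSAPrivateKey) priv).getModulus()
                .equals(((RSAPublicKey) cert.getPublicKey()).getModulus());
    }
}
```

Afterwards, keytool -list -v -keystore thedomain.com.keystore should show a PrivateKeyEntry whose certificate fingerprint equals the one openssl x509 -fingerprint prints for the original .crt file.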

Related: Generating a 2048 bit RSA private key and CSR

It is worth mentioning that, if you're just looking to generate a 2048 bit key/cert with keytool in order to get a CSR for an SSL certificate authority, then you'd want to use something like this:
$ keytool -genkey -keyalg RSA -keysize 2048 -keystore thedomain.com.keystore -alias thealias
Then to get the CSR:
$ keytool -keyalg RSA -keystore thedomain.com.keystore -alias thealias -certreq -file thedomain.com.csr
Then when you get the cert back from the CA, import with keytool:
$ keytool -importcert -trustcacerts -keystore thedomain.com.keystore -alias thealias -file thedomain.com.crt

Free class 1 SSL

I have used these methods to get free SSL class 1 protection from http://www.startssl.com.

citation:

Props to:
NCSA CyberSecurity @ University of Illinois
Graham Leggett @ Cunning blog
Knowledge Base @ Comodo
