Problem in importing a cert and a pvt key

Hi, I have a certificate issued by a CA. And I have the cert's private key. How should I import it into the keystore using keytool? I am able to import a certificate. But I do not know how to import the cert as well as the pvt key... Thanks in advance...
By glow007 at 2007-9-26 4:26:18
# 1

Your question is not very clear.

<< I have a certificate issued by a CA. And I have the certs private key.

<< But I do not know how to import the cert as well as the pvt key

Why did a CA issue a certificate to you?

I guess you sent a request to a CA. And the CA sent you back the response that had their certificate (enclosing their public key) and included their signature that they used to sign your public key. Right?

When you generated the private key in the first place, even before generating a certificate signing request, your private key would have already been placed into your keystore.

When you get the response back from the CA, you have to just import it into the keystore. When you do that, whatever was sent back to you by the CA replaces whatever is already there in the keystore against your private key.

To summarize, you never import your own private key after you get the signed response back from the CA.

Does this make sense? Or have I gone on a completely wrong tangent here?

neville_sequeira at 2007-6-29 17:35:11
# 2

glow007....

> I guess you sent a request to a CA. And the CA sent you back the response that had their certificate (enclosing their public key) and included their signature that they used to sign your public key. Right?

-Right

I have created the CSR and the private key using openssl.. and I have got the signed certificate from Thawte.

Now I need to import this certificate into my keystore.

So that I can send it to one of my servers which requires client's certificate.

glow007 at 2007-6-29 17:35:11
# 3

Okay.

Now, I haven't used OpenSSL. At least not for any significant purposes.

I have always used keytool, the standard tool that comes with the JDK, to do all keystore management tasks: create private keys, generate certificate signing requests, and import responses from the CA (and that's all the keystore tasks I have done).

Isn't there a command in OpenSSL to import certificates?

Or probably you can use keytool to import the certificate.

neville_sequeira at 2007-6-29 17:35:11
# 4
Out of curiosity, I just referred to http://www.openssl.org/docs/apps/x509.html and it seems the command, or at least the relevant portion of it, to import a certificate would be: openssl x509 -in certificateFile
neville_sequeira at 2007-6-29 17:35:11
# 5

I can create one using keytool.. so no probs in test situations...

But during production... the client will already have a certificate... so, I need to import it into the keystore.

I mean the client already has a .crt file and a .key file.. (pvt key file)... so, I need to import these using keytool.

This is because JSSE understands this format... keystore.. etc..

glow007 at 2007-6-29 17:35:11
# 6

Well, what kind/type of keystore is the private key file (the .pvt file) that is used in production?

I would guess there would be a provider matching that keystore type, i.e. a provider string name and a service provider implementation (Java classes or jar file etc.). Right?

Then from your client-side application, you can get a handle to the corresponding key store using java.security.KeyStore.getInstance(String type, String provider). Right?

neville_sequeira at 2007-6-29 17:35:11
# 7

Thank you very much!!..

I have the client.key which has the private key

and I have the client.crt which has the certificate signed by Thawte in Base64-encoded format

Now I need to import this into the keystore..

So that I can send the certificate when the server asks for it...

glow007 at 2007-6-29 17:35:11
# 8

Hi, Did you ever solve this problem?

I am dealing with the same issue.

I have a private key generated quite some time ago by openssl and used in apache ssl. Now, I have a need for this key in the jks keystore file. There seems to be no easy way to achieve this.

> Thank you very much!!..
>
> I have the client.key which has the private key
>
> and I have the client.crt which has the certificate signed by Thawte in Base64 Encoded format
>
> Now I need to import this into the keystore..
> So, that I can send the certificate when the server asks for it...

alted at 2007-6-29 17:35:11
# 9
Hi Glow007, since this thread is years old by now, I guess you have solved the problem. Can you please share your solution? Thanks.
lyenchew at 2007-6-29 17:35:11
# 10
Hello All, please email me the solution to this problem at dskrishna@hotmail.com. I need it very desperately. Thank you very much.
dskrishna at 2007-6-29 17:35:11
# 11
*bump* Did anyone ever solve this? I also need to import a private key into a keystore...
evilb69 at 2007-6-29 17:35:11
# 12

I finally got an externally generated private key into Tomcat's keystore, and this is how:-

First, go here and download the ImportKey java code:-

http://www.comu.de/docs/tomcat_ssl.htm

Change the source code so that the password is not "" (I've defaulted it to 'changeit', which Tomcat uses. If you leave it blank, it causes problems later trying to change it).

Next, get a copy of OpenSSL. You can get this from openssl.org and compile it yourself, or do what I did and search Google for precompiled binaries.

Get the private key that you used to generate your CSR file.

Convert the key (we use openssl):

openssl pkcs8 -topk8 -nocrypt -in PRIVATE.KEY -out PRIVATE.KEY.der -outform der

Get the cert issued by your CA. Even if it's a chained cert, Tomcat does NOT need the root cert using this method.

Convert the certificate:

openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform der

Run java ImportKey using:-

java comu.ImportKey PRIVATE.KEY.der YOUR.CERT.der tomcat

Rename the file in your home directory from ImportKey.keystore to .keystore (need to use DOS to do this on a Windows box).

Then change the keypasswd to 'changeit' using:-

keytool -keypasswd -new changeit -alias tomcat

The java code warns that this method WILL overwrite your existing keystore, but by default, it outputs a file called ImportKey.keystore, not .keystore.

Enjoy

evilb69 at 2007-6-29 17:35:11
# 13

An alternative way we used is generating the keystore in a different format:

openssl pkcs12 -in <yourfile.crt> \
    -inkey <yourfile.key> \
    -export -out keystore -name tomcat

This will generate a keystore in pkcs12 format from the certificate and private key.

Then, inside Tomcat's server.xml file, adjust the SSL Factory:

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="false" protocol="TLS"
         keystoreFile="keystore/keystore"
         keystorePass="yourpassword"
         keystoreType="pkcs12" />

i.e. add the keystoreType="pkcs12" attribute.

tunacat at 2007-6-29 17:35:11
# 14

tunacat -

I used this method to import both the signed server cert and the root CA cert (chained together), and the server private key (all in .pem format) into a pkcs12 format keystore. It works, and I can use the keystore - but the root CA cert doesn't seem to be found when performing authentications. Do I need to add the root CA cert to a default keystore perhaps?

TIA,

Rich

rmfought at 2007-6-29 17:35:11
# 15

*** BEGIN SOLUTION***

Having got a certificate in PKCS#12 like cert.p12:

1) Download Jetty library.

2) Given jetty.jar export cert.p12 in jks format:

user@host> java -cp org.mortbay.jetty.jar org.mortbay.util.PKCS12Import cert.p12 mykeystore

Enter input keystore passphrase: ****

Enter output keystore passphrase: ****

Alias 0: Albert Einstein's CA id

Adding key for alias Albert Einstein's CA id

user@host> jarsigner -keystore mykeystore any.jar "Albert Einstein's CA id"

That's all and works.

Main reference:

http://jetty.mortbay.org/javadoc/org/mortbay/util/PKCS12Import.html

*** END SOLUTION***

icelab at 2007-7-1 11:08:06
# 16

Here is another way to import a private key with a certificate generated by the openssl utility.

Use the BouncyCastle security provider's jar bcprov-jdk13-128.jar with the following program:

import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.EncodedKeySpec;
import java.security.spec.PKCS8EncodedKeySpec;

class ImportPrivateKey {

    // need org.bouncycastle.jce.provider.BouncyCastleProvider on the classpath
    static {
        try {
            if (java.security.Security.getProvider("BC") == null) {
                java.security.Security.addProvider((java.security.Provider)
                    Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider").newInstance());
            }
        } catch (Throwable t) {
            throw new RuntimeException(t);
        }
    }

    public static void main(String args[]) throws Exception {
        if (args.length != 6) {
            System.out.println("usage: keystoreFile keyStorePasswd alias aliasPasswd privateKeyFile certFile");
            return;
        }
        String keyStoreFile = args[0];
        String keyStorePasswd = args[1];
        String alias = args[2];
        String aliasPasswd = args[3];
        String privateKeyFile = args[4];   // unencrypted PKCS#8 DER, e.g. from openssl pkcs8 -topk8 -nocrypt -outform der
        String certFile = args[5];         // one or more X.509 certificates, leaf first

        // The key file must hold an unencrypted PKCS#8 encoding of an RSA key
        EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(readBytesFromFile(privateKeyFile));
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PrivateKey privateKey = keyFactory.generatePrivate(keySpec);

        // generateCertificates accepts PEM or DER and returns every certificate in the file
        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
        Certificate[] certChain;
        FileInputStream certIn = new FileInputStream(certFile);
        try {
            certChain = (Certificate[]) certFactory.generateCertificates(certIn).toArray(new Certificate[] {});
        } finally {
            certIn.close();
        }

        // Create the keystore if it does not exist yet, otherwise open the existing one
        KeyStore keyStore = KeyStore.getInstance("jks");
        if (!new File(keyStoreFile).exists()) {
            keyStore.load(null, keyStorePasswd.toCharArray());
        } else {
            FileInputStream ksIn = new FileInputStream(keyStoreFile);
            try {
                keyStore.load(ksIn, keyStorePasswd.toCharArray());
            } finally {
                ksIn.close();
            }
        }

        // Store the private key together with its certificate chain under the alias
        keyStore.setKeyEntry(alias, privateKey, aliasPasswd.toCharArray(), certChain);
        FileOutputStream out = new FileOutputStream(keyStoreFile);
        try {
            keyStore.store(out, keyStorePasswd.toCharArray());
        } finally {
            out.close();
        }
    }

    // Reads the whole file; a single read() call is not guaranteed to fill the buffer
    public static byte[] readBytesFromFile(String fileName) throws Exception {
        File file = new File(fileName);
        byte[] bytes = new byte[(int) file.length()];
        DataInputStream in = new DataInputStream(new FileInputStream(file));
        try {
            in.readFully(bytes);
        } finally {
            in.close();
        }
        return bytes;
    }
}

Yevgeny_Rouban at 2007-7-1 11:08:06
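An added example, not the poster's program or any code from this thread, that does the same import with only JDK 8+ classes (no BouncyCastle): it reads the files OpenSSL produces, either the PKCS#8 DER from the pkcs8 command in post #12 or its PEM equivalent, plus the Base64 .crt (intermediates may be appended, leaf first), refuses a key that does not belong to the certificate, and writes a fresh JKS keystore. File names and the alias are placeholders.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.interfaces.*;
import java.security.spec.*;
import java.util.Base64;

public class PemToJks {
    /** Accepts the unencrypted PKCS#8 key as PEM ("BEGIN PRIVATE KEY") or as DER. */
    static PrivateKey readPkcs8Key(String file) throws Exception {
        byte[] raw = Files.readAllBytes(Paths.get(file));
        String text = new String(raw, "US-ASCII");
        if (text.contains("BEGIN RSA PRIVATE KEY"))         // PKCS#1 as written by "openssl genrsa"
            throw new IllegalArgumentException("convert first: openssl pkcs8 -topk8 -nocrypt");
        if (text.contains("-----BEGIN"))                    // PEM: drop the armour lines, decode
            raw = Base64.getMimeDecoder().decode(text.replaceAll("-----[A-Z ]+-----", ""));
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(raw));
    }

    /** Reads every certificate in the file (PEM or DER); the leaf certificate must come first. */
    static X509Certificate[] readChain(String file) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    /** Refuse a key that does not belong to the leaf certificate (RSA: same modulus). */
    static void requireMatch(PrivateKey key, X509Certificate leaf) {
        RSAPublicKey pub = (RSAPublicKey) leaf.getPublicKey();
        if (!((RSAPrivateKey) key).getModulus().equals(pub.getModulus()))
            throw new IllegalArgumentException("key does not match " + leaf.getSubjectX500Principal());
    }

    public static void main(String[] args) throws Exception {
        // usage: PemToJks client.key client.crt keystore.jks storepass tomcat   (placeholder names)
        PrivateKey key = readPkcs8Key(args[0]);
        X509Certificate[] chain = readChain(args[1]);
        requireMatch(key, chain[0]);
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                                   // new, empty keystore (output file is replaced)
        char[] pass = args[3].toCharArray();
        ks.setKeyEntry(args[4], key, pass, chain);             // key password = store password
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, pass);
        }
    }
}
```

The modulus check is what catches the common mistake of pairing a CSR's certificate with a key regenerated later; JSSE would otherwise only fail much later, during the handshake.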
# 17

It's a correct solution. OK, once we have created the keystore using this approach,

do we need to import the certificate chain into the trust store also, like a self-created one or the JRE cacerts? I created a keystore containing a key entry as per your code and also imported the certificate file into the JRE cacerts to have a trusted certificate entry. Then in my code I created a keystore from the keystore file and also created a truststore from the JRE cacerts.. but when I try to handshake with the server it's either closing the connection during the handshake or I get an exception that no trusted certificate was found..

Please help me with it.

miryaver at 2007-7-1 11:08:06
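A diagnostic for the situations in posts #14 and #17, added here as an example (not code from the thread): it loads the identity keystore, checks that each certificate in the key entry's chain is signed by the next one, and then checks whether a truststore contains that chain's issuer. Run it against the peer's truststore (for a client certificate, the server's), since that is the side that has to find the root; file names, passwords and the alias are placeholders, and both stores are assumed to be JKS.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class ChainCheck {
    /** The chain stored under alias, leaf first; fails if alias is not a private key entry. */
    static X509Certificate[] chainOf(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) throw new IllegalArgumentException(alias + " is not a key entry");
        X509Certificate[] x = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) x[i] = (X509Certificate) chain[i];
        return x;
    }

    /** Every certificate must be signed by the next one; returns the top of the chain. */
    static X509Certificate verifyLinks(X509Certificate[] chain) throws Exception {
        for (int i = 0; i + 1 < chain.length; i++)
            chain[i].verify(chain[i + 1].getPublicKey());   // SignatureException if the chain is broken
        return chain[chain.length - 1];
    }

    /** True if the truststore holds 'top' itself or a certificate whose key signed it. */
    static boolean isAnchored(KeyStore trust, X509Certificate top) throws Exception {
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            Certificate c = trust.getCertificate(e.nextElement());
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate anchor = (X509Certificate) c;
            if (anchor.equals(top)) return true;
            try { top.verify(anchor.getPublicKey()); return true; } catch (Exception notIssuer) { }
        }
        return false;
    }

    static KeyStore load(String file, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) { ks.load(in, pass.toCharArray()); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // usage: ChainCheck keystore.jks storepass tomcat truststore.jks trustpass   (placeholder names)
        X509Certificate top = verifyLinks(chainOf(load(args[0], args[1]), args[2]));
        boolean ok = isAnchored(load(args[3], args[4]), top);
        System.out.println(ok ? "chain is linked and anchored in the truststore"
                              : "nothing in the truststore issued " + top.getSubjectX500Principal());
    }
}
```

A key entry whose chain stops at the leaf, as in post #12, is only accepted if the peer's truststore holds the intermediate that issued it; a truststore that holds the root alone is not enough in that case.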
# 18
Hijacked, crossposted, and under discussion at http://forum.java.sun.com/thread.jspa?threadID=744863
ejp at 2007-7-1 11:08:06