Import private key and certificate into Java Key Store (JKS)

Apache Tomcat and many other Java applications expect to retrieve SSL/TLS certificates from a Java Key Store (JKS). Jave Virtual Machines usually come with keytool to help you create a new key store.

Keytool helps you to:

create a new JKS with a new private key
generate a Certificate Signung Request (CSR) for the private key in this JKS
import a certificate that you received for this CSR into your JKS

Keytool does not let you import an existing private key for which you already have a certificate. So you need to do this yourself, here's how:

Let's assume you have a private key (key.pem) and a certificate (cert.pem), both in PEM format as the file names suggest.

PEM format is 'kind-of-human-readable' and looks like e.g.

-----BEGIN CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
.
. (snip)
.
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
----END CERTIFICATE-----

Convert both, the key and the certificate into DER format using openssl :

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Now comes the tricky bit, you need something to import these files into the JKS. ImportKey will do this for you, get the ImportKey.java (text/x-java-source, 6.6 kB, info) source or the compiled (Java 1.5 !) ImportKey.class (application/octet-stream, 3.3 kB, info) and run it like

user@host:~$ java ImportKey key.der cert.der
Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey  Password:importkey

Now we have a proper JKS containing our private key and certificate in a file called keystore.ImportKey, using 'importkey' as alias and also as password. For any further changes, like changing the password we can use keytool.

Comments (18)

Comments Hide

Created by Marco Massenzio on 3/20/07, 2:32:56 AM

Hello,

this is exactly what I needed, as I have obtained a developer certificate from Symbian, but the cert request gen tool is a Symbian custom app, and thus generates its own private key.

However, the key it generates, does not appear to be in valid PEM format (at least according to openssl that complains about it):

D:\>d:\OpenSSL\bin\openssl pkcs8 -nocrypt -in ibw2.pem -inform PEM -out ibw2.der -outform DER
Enter PEM pass phrase:
Error decrypting key
4236:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1294:
4236:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509_ALG
OR
4236:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:749:Field=
pkeyalg, Type=PKCS8_PRIV_KEY_INFO
4236:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_oth.c:83:

The key (well, not all of it) is something like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C83F3B63FAD97DA6

TYnfdy/1XQAtAL/R1gVGk1S0DLjXre8BK6fe6tLOzTLIxxczCVQjF9exPqjFypE7
uH9EleWc+7TLHkvN2QLtcG6wXewvHexhcjwjN3MiThrFB29BVDMgHyGf9ZHVUUqs
...
tZJeSwNF0lPJ6/wwwUeyaOJCu0xCSvhMCZ9FBaZgdX+a2s40Kqb/kiQlWPKoNqF6
gAz2xettQCCIV18c7fzHqXeHXics66Tau+3MpG3tN3o6efvJgQU7vw==
-----END RSA PRIVATE KEY-----

I am somewhat stuck in that I can't EXPORT the key from keytool to use in the CSR generator (from Symbian) and I can't import the key/certificate as obtained from Symbian.

Kinda Catch-22....

If you have any suggestions that would be massively appreciated, thanks
Marco
admin@infinitebw.com

Created by Barry Simons on 4/5/07, 2:28:36 AM

I encountered a problem when importing a chained SSL cert. To solve this problem, I changed certs = (Certificate[])c.toArray(); (line 147) to
int i = 0;
Iterator it = c.iterator();
while (it.hasNext()) {
certs[i] = (Certificate)it.next();
i++;
}

Next, I converted all SSL certs from PEM to DER and cat my cert, intermediate cert, and root cert into certs.der. After that, everything worked great.

Hope this helps anyone working with chained certs

Created by Barry Simons on 4/5/07, 2:31:52 AM

Marco,

I am not sure if this helps, but try adding -topk8 when converting. Hope this helps.

Barry

Created by johann renck on 9/3/07, 3:31:49 PM

Barry, In my CA's instructions they say that I need to import an intermediate cert, so following your instructions (BTW you just need to put certs = (Certificate[])c.toArray(new Certificate[0]);) I created the following shell script:

THE_NAME=name.dummy.com
export THE_NAME

openssl pkcs8 -topk8 -nocrypt -in ${THE_NAME}_key.pem -inform PEM -out ${THE_NAME}_key.der -outform DER

openssl x509 -in intermediateCA_cer.pem -inform PEM -out intermediateCA_cer.der -outform DER

openssl x509 -in ${THE_NAME}_cer.pem -inform PEM -out ${THE_NAME}_cer.der -outform DER

cat intermediateCA_cer.der ${THE_NAME}_cer.der > ${THE_NAME}_all_cer.der

javac *.java

java ImportKey ${THE_NAME}_key.der ${THE_NAME}_all_cer.der

keytool -list

But the keystore ony shows one entry, any ideas why is this happening?

Thanks,

Johann

Created by johann renck on 9/3/07, 9:49:12 PM

Ok, now it's working.
What I did was:

changed certs = (Certificate[])c.toArray(); (line 147) to
(Certificate[])c.toArray(new Certificate[0]);

Then I ran the following script:

JAVA_HOME=/usr/java/latest
export JAVA_HOME

PATH=$JAVA_HOME/bin:$PATH
export PATH

THE_NAME=www.dummy.org
export THE_NAME

rm /root/.keystore
rm /usr/share/tomcat5/.keystore

openssl pkcs8 -topk8 -nocrypt -in ${THE_NAME}_key.pem -inform PEM -out ${THE_NAME}_key.der -outform DER

openssl x509 -in rootCA_cer.pem -inform PEM -out rootCA_cer.der -outform DER

openssl x509 -in intermediateCA_cer.pem -inform PEM -out intermediateCA_cer.der -outform DER

openssl x509 -in ${THE_NAME}_cer.pem -inform PEM -out ${THE_NAME}_cer.der -outform DER

cat ${THE_NAME}_cer.der intermediateCA_cer.der rootCA_cer.der > ${THE_NAME}_all_cer.der

javac *.java

java ImportKey ${THE_NAME}_key.der ${THE_NAME}_all_cer.der

cp /root/keystore.ImportKey /root/.keystore

cp /root/.keystore /usr/share/tomcat5/.keystore

keytool -keypass changeit -storepass changeit -list

Created by Ian Stokes-Rees on 4/10/08, 12:00:50 AM

ImportKey.java is actually a .class file. Would it be possible to update it to the source code again?

Created by Chris Markle on 12/17/08, 12:56:28 AM

Hello,

Thank you VERY much for this post and this Java code. And thanks to the others for their further comments and updates to the code.

I needed to build a cert that had three other intermediate certs combined with it. I pretty much did (manually) what johann did in hist second post and all worked perfectly.

Thanks to all of you for this valuable post.

Chris

Created by Eldad Dudu on 3/3/09, 11:48:57 AM

I have a key.pem and cert.pem and I did as
instructed, it did created the file in my %User% home dir
but when I run Keytool -list, it doesn't find the file.
I tried a bunch of parameters ( like -file "C:\..." and so on)

I'm working inside a Novell network, does it matter????

I'm only asking cause I've encountered a post somewhere
that someone needed his IT people to delete and recreate
his User account in a Windows ENV to make the
Keytool -list to work

any information will be more then appreciated .

Ely.

Created by John Blakely on 10/7/09, 5:08:36 PM

Is there a way to export the created signing key to add it to an existing keystore?

Created by Peter Westlake on 10/22/10, 3:52:41 PM

This article solved a big problem for me, thank you! I had a signing certificate installed on Windows, and I needed to use it for signing Jar files on Linux. Exporting it was easy enough (with private key and cert chain), then openssl converted it into a PEM file:

openssl pkcs12 -in all.pfx -out all.pem

which I used as input to your two openssl commands above.

Thank you!

Peter.

Created by Michal Ambroz on 3/2/11, 8:33:11 PM

Hello,
programming is not necessary as java keytool supports transformation from one to another key store type using the parameter -importkeystore.

For example if you have the certificate and key in pkcs12 format you can use it out of the box:
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks

If you have it in PEM you can convert it to pkcs12 first:
cat server_key.pem server_cert.pem server_cacert.pem > server.pem
openssl pkcs12 -export -out server.p12 -in server.pem

Actually when having PKCS12 you do not need to convert to JKS - you can probably use the keystore as it is just by setting the keystore type as PKCS12 in the configuration of your application.

Created by Travis Thomas on 3/31/11, 9:39:13 PM

I'm getting this error and I can't figure out what's happening.

C:\Users\Travis Thomas\Desktop\ImportKey>java ImportKey AKMClientPrivKey.der AKM
ClientSignedCert.der
Using keystore-file : C:\Users\Travis Thomas\Desktop\ImportKey\keyst2
HERE1
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: I
OException : algid parse error, not a sequence
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
at java.security.KeyFactory.generatePrivate(Unknown Source)
at ImportKey.main(ImportKey.java:258)
Caused by: java.security.InvalidKeyException: IOException : algid parse error, n
ot a sequence
at sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(Unknown Source)
at sun.security.rsa.RSAKeyFactory.generatePrivate(Unknown Source)
... 3 more

Created by Travis Thomas on 3/31/11, 9:42:29 PM

Sorry, I should have included more detail. I'm working with the ImportKey.java file downloaded from here with only minor edits--changed the directory of the KeyStore and added that println("HERE1") to identify exactly where in the code things were going askew. Any ideas why I'm getting the algid parse error?

The .der files are from my boss, I believe they've been used for other tests successfully. The cert is self-signed, as the name would indicate. The newline that splits the cert name is present only due to the copy/paste, it's entered correctly on the commandline.

Created by Seth Carroll on 4/1/11, 8:48:13 PM

Does anyone know what license the ImportKey.java code is released under? (i.e. BSD, GPL, Apache v2, Artistic, Creative Commons, etc) I'm unable to find any authoritative source for that piece of code, although just about everyone references the source code for it.

Created by Travis Thomas on 4/1/11, 11:21:19 PM

The code compiles and runs fine with those .ders on my boss' machine. His machine is 32-bit, mine is 64. Anyone know if there's an incompatibility with this code and 64-bit Java? Windows 7 Pro if it matters...

Created by Esmond Pitt on 4/2/11, 3:30:49 AM

Some very strange code. See http://forums.oracle.com/forums/thread.jspa?threadID=2201355&tstart=0.

Created by George Law on 10/20/11, 9:17:07 PM

this was my magic commandline to keytool to finally get this working:
keytool -importkeystore -v -srckeystore conf/keystore.ImportKey -destkeystore conf/keystore.new -srcalias importkey -destalias tomcat

I had to change the alias from importkey to tomcat to make it work with my tomcat server

hth the next guy
George

Created by George Law on 10/20/11, 9:42:09 PM

Opps - I forgot a step
Before you import the key, you need to change the password on the importkey alias ...

keytool -keystore keystore.ImportKey -keypasswd -new changeit -alias importkey

I am using the default "changeit" password here that is specified in your server.xml file -- adjust it to suit your needs :)

Add a comment

Please log in to be able to add comments.