Migrating Keys from 'keytool' to 'OpenSSL'
Another type of question I received concerns moving keys from "keytool" keystore files
to "OpenSSL" key files. Since "keytool" does not support a key export function,
I wrote a Java program to dump keys out of the keystore file.
In this chapter, I recorded the following testing scenarios to find a way to move keys from
"keytool" keystore files to "OpenSSL" key files:
- Using "keytool" to generate a private and public key pair.
- Using "keytool" to export the self-signed certificate from PrivateKeyEntry.
- Using "keytool" to display details of a certificate.
- Using "OpenSSL" to view certificate exported by "keytool".
- Writing "DumpKey.java" to dump key pair out of "keytool" keystore files.
- Using "OpenSSL" to convert dumped key pair from binary to Base64 encoding.
- Using "OpenSSL" to view key pair dumped and converted from "keytool" keystore files.
"keytool" Generating Private and Public Key Pair
To test how to transfer a private and public key pair from a "keytool" keystore file to OpenSSL format,
I first need to generate a pair of keys with the "keytool -genkeypair" command.
What I did is recorded below:
>java -version
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode,
sharing)
>keytool -genkeypair -alias herong_key -keypass keypass
-keysize 1024 -keystore herong.jks -storepass jkspass
What is your first and last name?
[Unknown]: Herong Yang
What is the name of your organizational unit?
[Unknown]: Herong Unit
What is the name of your organization?
[Unknown]: Herong Company
What is the name of your City or Locality?
[Unknown]: Herong City
What is the name of your State or Province?
[Unknown]: Herong State
What is the two-letter country code for this unit?
[Unknown]: CA
Is CN=Herong Yang, OU=Herong Unit, O=Herong Company,
L=Herong City, ST=Herong State, C=CA correct?
[no]: yes
>keytool -list -keystore herong.jks -storepass jkspass
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
herong_key, Apr 1, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 0C:54:AE:99:4E:3D:F7:A9:7...
I am not going to explain all the command options used above, because they were explained
in previous chapters.
I now have a key pair in the keystore file, herong.jks. But there seems to be no "keytool" command
to export it. The "keytool -help" command gave me the following command options:
keytool usage:
 -certreq         Generating CSR from a key pair entry
 -changealias     Renaming an entry in the keystore file
 -delete          Deleting an entry in the keystore file
 -exportcert      Exporting a certificate entry
 -genkeypair      Generating a new key pair entry
 -genseckey       Generating a secret key entry
 -help            Displaying help information
 -importcert      Importing a certificate into the keystore file
 -importkeystore  Importing all entries from another keystore file
 -keypasswd       Changing the password for an existing entry
 -list            Display all entry names
 -printcert       Print a certificate file
 -storepasswd     Changing the keystore file password
In the next section, I tried to use "keytool -exportcert" to export the key pair.
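One way to read the private key that "keytool" will not export, using the standard java.security.KeyStore API. This is an added example, not the author's DumpKey.java; the class name KeystoreKeyExport and the output file names are hypothetical, and it assumes Java 7 or later.

```java
// Added example, not the author's DumpKey.java; class and output file names are
// hypothetical, keystore/alias/passwords are from the session above. Java 7+.
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;

public class KeystoreKeyExport {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("herong.jks")) {
            ks.load(in, "jkspass".toCharArray()); // -storepass; checks store integrity
        }
        String alias = "herong_key";
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry");
        }
        Key key = ks.getKey(alias, "keypass".toCharArray()); // -keypass decrypts the entry
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException(alias + " holds no private key");
        }
        PublicKey pub = ks.getCertificate(alias).getPublicKey();
        // getFormat() names the getEncoded() encoding: PKCS#8 (private), X.509 (public).
        System.out.println(key.getAlgorithm() + " private key, " + key.getFormat());
        System.out.println(pub.getAlgorithm() + " public key, " + pub.getFormat());
        writeOwnerOnly("herong_key.pkcs8.der", key.getEncoded());
        writeOwnerOnly("herong_pub.x509.der", pub.getEncoded());
    }

    // Create the file, restrict it to the owner, then write, so the key bytes
    // are never on disk with default permissions. Refuses to overwrite.
    static void writeOwnerOnly(String name, byte[] der) throws IOException {
        File f = new File(name);
        if (!f.createNewFile()) throw new IOException(name + " already exists");
        f.setReadable(false, false);
        f.setWritable(false, false);
        f.setReadable(true, true);
        f.setWritable(true, true);
        try (OutputStream out = new FileOutputStream(f)) {
            out.write(der);
        }
    }
}
```

The private key file written here is unencrypted binary (DER), so it needs the same protection as the keystore password itself.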