将 PEM 文件转换为 .JKS Key Store 和 Trust Store 文件

Question

PEM file from the server side which is in the following format when opened:

-----BEGIN CERTIFICATE-----
somestuff1234
-----END CERTIFICATE-----

I'm trying to convert this to get two JKS files (A trust store and key store) which I can call the server with using my java application through SSL.

Can anyone help in a easy break down on how to do this using openssl and then the java keystore? I tried following the instructions in: https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html

But I couldn't import the keystore successfully as for some reason it was empty. PS when following these instructions I created the PKSC12 from der without a private key inputted since I wasn't provided one.

Do I need to use my own private key which I need to create as well but not sure if it is needed since I was only given the certificate? I've been told intermediate certs are sent in the TLS handshake.

Thanks for any help on this.

Answer 1

Try to run your java code with debug mode and specific truststore regarding the SSL server like described here: How to configure trustStore for javax.net.ssl.trustStore on windows?

Answer 2

If the only thing in that PEM file is what you've posted:

-----BEGIN CERTIFICATE-----
somestuff1234
-----END CERTIFICATE-----

you will not be able to create a full keystore suitable for use as a TLS server that accepts connections.

You need the private key corresponding to the certificate for that.

Do I need to use my own private key which I need to create as well but not sure if it is needed since I was only given the certificate?

No - along with its identifying data, your certificate has a public key in it. The entire certificate was cryptographically signed by your CA - which is how the "trust" is transferred to your certificate. The public key in your certificate was derived from a specific private key.

Why won't it work? Because data that's encrypted using the public key in your certificate can only be decrypted using the private key that public key was derived from.

Your certificate will only work if it's paired with the correct private key.

But:

I created the PKSC12 from der without a private key inputted since I wasn't provided one.

You must have a private key along with your certificate to be able to run a TLS server.*

EDIT:

And you must have the proper private key paired with your certificate to use it as a client certificate when connecting to a TLS server for the same reason.

Also, a TLS certificate is public - if it were all you needed to prove your identity, publicizing that would make it useless. Your possession of the appropriate private key is what proves that the certificate is your certificate and not mine or anyone else's.

Your TLS server or your client connection to a TLS server isn't going to work until you locate the proper private key for the certificate you have. If you or your organization have lost that private key, you have to create a new private key and go through the process of creating a new certificate from that new private key.

Because without the correct private key, the certificate you have now is utterly useless.

* - Technically not true. The TLS standard does support "anonymous" cipher suites that do not require any certificate or private key. But almost no application supports anonymous cipher suites. OpenSSL only supports anonymous cipher suites if you compile it from source yourself, for example.