How do PEM and DER certificates work in openSSL?

Question

I built a server which can get http request and send response. Moreover, I want to use a client program to send http request by using https protocol.

I produce a PEM certificate file, and the format is like:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

When I try to import the certificate to JVM by using the instruction:

keytool -import -file E:\\server.pem -alias CERT -keystore "C:\\Program Files\\Java\\jre7\\lib\\security\\cacerts"

It have an error:

java.lang.Exception: Input not an X.509 certificate

I searched the exception and find the reason might be keytool can only accept the PEM format between BEGIN CERTIFICATE and END CERTIFICATE.

So I use openSSL to covert PEM to DER, then It could be imported to JVM.

My question is why I have to import the certificate with private key to my JVM? In the process of SSLHandshake, shouldn't I import the certificate of public key to my JVM?

I know it may be a very basic problem, but I could not understand how it works completely.

Many thanks:)

Answer 1

So, Openssl supports storing a private key and a certificate in the same file. You've done this. You can simply pull the private key block into its own file separate from the begin certificate block. When OpenSSL is reading a PEM format certificate it will ignore the private key block. When it's reading a PEM format private key it will ignore certificates. This is convenient if you want a file that includes both your key and your certificate. Your web server will need to know its private key, although it should never send its private key to a client. It will need to send its certificate to the client.

Answer 2

As you server has the private key it has the authority to send the public key to the client, which to client can then use to communicate securely with the server.

See http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html