
Converting pem with multiple certificates to java keystore

I have been given a pem file which has two certificates in it.

The first certificate is specific to my company (ie the subject is specific to my company).

The second certificate is the certificate for the issuer.

It looks something like this...

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: CCAPI Client Certificate
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
<<contents>>
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: CCAPI Client Certificate
    subject=MyCompany CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 02 00 00 00
    subject=Issuer CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----

Firstly I'd like to confirm a couple of things.

Terminology wise is it correct to say I have a pem file with two certificates? How do I describe the PRIVATE KEY part? Is that the public key of the server I am trying to connect to?

And secondly I need to use the keytool command to create a java keystore file (jks) with both the certificate and the issuer certificate in it.

Can someone help me with the commands to do that? I've spent a lot of time googling but there seems to be a lot of varying use cases out there which is confusing me.

thanks in advance

You haven't mentioned why you were given this file, but judging from the content I assume it's for accessing a web site/service via HTTPS client authentication. The private key (and certificate) is for authenticating against the server. The issuer certificate might be needed for completing a chain to a trusted root certificate on the server (or it might not be needed at all).

This file is not encoded in a very common format, it's basically what happens when OpenSSL writes a PKCS#12 file as PEM. The following OpenSSL command would produce a file like this:

openssl pkcs12 -in keyStore.p12 -out keyStore.pem -nodes

This preserves the metadata from the PKCS#12 format like the IDs and friendlyNames, so you can see that the private key and first certificate belong together. But it's a bit strange, because...

  1. The private key is not encrypted (anymore).
  2. This format is only useful for further processing in software that uses the OpenSSL library, but not in the Java or Microsoft (IIS, .NET) world. A binary PKCS#12 file would have been usable in all environments.

You can convert it back to binary PKCS#12 with the following OpenSSL command:

openssl pkcs12 -export -in keyStore.pem -out keyStore.p12

From this point on you have a standard PKCS#12 file that you can use directly in Java software or that you can convert with keytool to JKS/JCEKS.

Strictly speaking, PEM is a container that can keep various types of text-encoded PKI data as well as information text.

Quote from the specification:

Textual encoding begins with a line comprising "-----BEGIN ", a label, and "-----", and ends with a line comprising "-----END ", a label, and "-----". Between these lines, or "encapsulation boundaries", are base64-encoded data according to Section 4 of [RFC4648]. (PEM [RFC1421] referred to this data as the "encapsulated text portion".) Data before the encapsulation boundaries are permitted, and parsers MUST NOT malfunction when processing such data. Furthermore, parsers SHOULD ignore whitespace and other non-base64 characters and MUST handle different newline conventions.

The private key in your PEM file is just a private key. There is no need for that key to be in any relation with any of the certificates in the file.

The only way to see whether it is the private key for the public key of a certificate is to compare the corresponding public keys. Generate a public key from the private key and compare with the public key from the certificate.

  1. Get public key from private key

Extract the private key to a separate file (put the lines

-----BEGIN RSA PRIVATE KEY-----
<<contents>>
-----END RSA PRIVATE KEY-----

into a separate privkey.pem file)

In the command line:

openssl rsa -in privkey.pem -pubout > pubkey.pem

  2. Get public key from certificate

Put the certificate into a separate file certfile.pem (the lines

-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----

)

Invoke openssl again:

openssl x509 -pubkey -noout -in certfile.pem > pubkey2.pem

-noout suppresses printing the certificate.

Then check pubkey.pem and pubkey2.pem.

Java key store

There is an article on Oracle site on how to import PEM certificates to JKS. Did you try it?
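The following script is an added example, not code from the question or either answer. It puts both answers together: it splits a PEM dump laid out like the one in the question into its key and certificate blocks, checks that the private key belongs to the first certificate by comparing the public keys (the second answer's method, with the two `openssl` outputs compared directly), and then rebuilds the binary PKCS#12 that the first answer recommends, which keytool can import. The issuer and client certificates it works on are a constructed throwaway fixture generated on the fly; the file names, the `changeit` password, the `client` alias and the `keytool -importkeystore` step are assumptions, not something the answers specify.

```shell
#!/bin/sh
# Added example (not from the question or answers): split a PEM dump like the
# one in the question, prove the private key belongs to the first certificate
# (second answer), and rebuild a PKCS#12 for keytool (first answer).
# File names, the "changeit" password and the "client" alias are assumptions.
set -eu

# Split a PEM bundle into key1.pem, cert1.pem, cert2.pem, ... under $2.
# "Bag Attributes" lines outside the BEGIN/END boundaries are dropped.
# Both "RSA PRIVATE KEY" (PKCS#1) and "PRIVATE KEY" (PKCS#8) labels are accepted.
split_pem_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /^-----BEGIN .*PRIVATE KEY-----$/ { nk++; out = dir "/key" nk ".pem" }
    /^-----BEGIN CERTIFICATE-----$/   { nc++; out = dir "/cert" nc ".pem" }
    out != "" { print > out }
    /^-----END /                      { close(out); out = "" }
  ' "$bundle"
}

# Number of PEM blocks (keys + certificates) in a file.
count_pem_blocks() { grep -c '^-----BEGIN ' "$1"; }

# True when the public key derived from the private key ($1) is byte-for-byte
# the public key carried by the certificate ($2): the second answer's check.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Rebuild a binary PKCS#12: key + leaf certificate, issuer added via -certfile.
bundle_to_p12() {  # key leaf issuer out.p12 password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name client \
    -out "$4" -passout "pass:$5"
}

# Count the certificates stored in a PKCS#12 file.
p12_cert_count() {  # file password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Constructed fixture: a throwaway issuer and a client certificate it signs,
# concatenated in the same order as the question's dump (key, leaf, issuer).
make_test_bundle() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/issuer.key" \
    -out "$d/issuer.crt" -subj "/CN=Issuer" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" \
    -out "$d/client.csr" -subj "/CN=MyCompany" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/issuer.crt" -CAkey "$d/issuer.key" \
    -set_serial 1 -days 1 -out "$d/client.crt" >/dev/null 2>&1
  cat "$d/client.key" "$d/client.crt" "$d/issuer.crt" > "$d/bundle.pem"
}

# Walk through the whole procedure:  sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_bundle "$work"
  split_pem_bundle "$work/bundle.pem" "$work/split"
  echo "blocks in bundle: $(count_pem_blocks "$work/bundle.pem")"
  if key_matches_cert "$work/split/key1.pem" "$work/split/cert1.pem"; then
    echo "key1.pem is the private key for cert1.pem"
  fi
  if ! key_matches_cert "$work/split/key1.pem" "$work/split/cert2.pem"; then
    echo "key1.pem does not belong to cert2.pem (the issuer)"
  fi
  bundle_to_p12 "$work/split/key1.pem" "$work/split/cert1.pem" \
    "$work/split/cert2.pem" "$work/keyStore.p12" changeit
  echo "certificates in keyStore.p12: $(p12_cert_count "$work/keyStore.p12" changeit)"
  # The keytool conversion the first answer points at, if a JDK is installed
  # (assumed invocation; alias "client" comes from -name above).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -srckeystore "$work/keyStore.p12" -srcstoretype PKCS12 \
      -srcstorepass changeit -destkeystore "$work/keyStore.jks" -deststoretype JKS \
      -deststorepass changeit -noprompt
    echo "wrote $work/keyStore.jks"
  fi
fi
```

Run it as `sh script.sh demo`. The key/certificate check compares the two `-----BEGIN PUBLIC KEY-----` outputs as text, which works because both commands emit the same SubjectPublicKeyInfo encoding; the check deliberately fails closed (returns false) when either `openssl` call fails rather than comparing two empty strings. Passing the issuer with `-certfile` is what puts the second certificate into the PKCS#12 so that the chain survives the later keytool import.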
