certificate management
http://www.bo.infn.it/alice/introgrd/certmgr/certmgr.html
http://forum.java.sun.com/thread.jspa?forumID=2&messageID=449486&threadID=154587
How to export private key from keystore?
Author: zendragon Posts: 4 Registered: 12/5/97
Jul 31, 2001 7:24 AM
I have the same problem as following
Hi
Does anybody know, how to export a private key from a keystore in a PEM-Encoded format, i.e. that is what openSSL for Apache is looking for.
What I got until now from the Keystore (and that's very easy) is an instance of the Key-class of the Private Key. From that Key instance I can call the encoded()-method to get a PKCS8-encoded byte-array. Now, what I want to is a PEM-Encoded String.
Any help greatly apreciated!
Re: How to export private key from keystore?
Author: thaisontn Posts: 1 Registered: 8/27/99
Sep 13, 2002 6:24 PM (reply 1 of 16)
I have the exact same issue. I have a certificate for a site that is incorporated in a Java keystore because the webserver is in Java. Now I want to migrate the site to a new setup (Apache/Tomcat) so I want to export the private key so that Apache/OpenSSL can use it. I've tried privKey.getEncoded()(which I assume is equivalent to OpenSSL's DER format) as well as Base64.encode(privKey.getEncoded()) (which I assume is equivalent to OpenSSL's PEM format). Neither of these approaches work. Am I missing something or is there a bug in the PKCS8EncodedKeySpec code or the OpenSSL code ? If anyone has any thoughts on this, I'd like to hear about it. Thanx !
Re: How to export private key from keystore?
Author: jheiss Posts: 3 Registered: 12/18/97
Sep 30, 2002 9:37 AM (reply 2 of 16)
You're on the right track. After Base64.encode(privKey.getEncoded()) you need
to wrap the lines at 64 characters and add the header and footer lines (these are documented in OpenSSL's pkcs8 man page).
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Re: How to export private key from keystore?
Author: emoy2000 Posts: 1 Registered: 6/8/01
Dec 30, 2002 11:25 PM (reply 3 of 16)
Hi, I have the same problem as what you mentioned here (which I don't know how to export private key from keystore), could you share your solution with me here?
Thanks a lot
Mana
Re: How to export private key from keystore?
Author: amorrow5 Posts: 320 Registered: 8/27/01
Jan 8, 2003 2:00 AM (reply 4 of 16)
Here is a full code example
// How to export the private key from keystore?
// Does keytool not have an option to do so?
// This example use the "testkeys" file that comes with JSSE 1.0.3
import sun.misc.BASE64Encoder;
import java.security.cert.Certificate;
import java.security.*;
import java.io.File;
import java.io.FileInputStream;
class ExportPriv {
public static void main(String args[]) throws Exception{
ExportPriv myep = new ExportPriv();
myep.doit();
}
public void doit() throws Exception{
KeyStore ks = KeyStore.getInstance("JKS");
String fileName = "testkeys";
char[] passPhrase = "passphrase".toCharArray();
BASE64Encoder myB64 = new BASE64Encoder();
File certificateFile = new File(fileName);
ks.load(new FileInputStream(certificateFile), passPhrase);
KeyPair kp = getPrivateKey(ks, "duke", passPhrase);
PrivateKey privKey = kp.getPrivate();
String b64 = myB64.encode(privKey.getEncoded());
System.out.println("-----BEGIN PRIVATE KEY-----");
System.out.println(b64);
System.out.println("-----END PRIVATE KEY-----");
}
// From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html
public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
try {
// Get private key
Key key = keystore.getKey(alias, password);
if (key instanceof PrivateKey) {
// Get certificate of public key
Certificate cert = keystore.getCertificate(alias);
// Get public key
PublicKey publicKey = cert.getPublicKey();
// Return a key pair
return new KeyPair(publicKey, (PrivateKey)key);
}
} catch (UnrecoverableKeyException e) {
} catch (NoSuchAlgorithmException e) {
} catch (KeyStoreException e) {
}
return null;
}
}
Re: How to export private key from keystore?
Author: pchinns Posts: 1 Registered: 10/8/00
Mar 11, 2003 11:34 AM (reply 5 of 16)
Hi,
I have a problem related to keystore and certificates. Can you please throw some light on this.
JSSE expects two keystores one for loading the private keys and the other for loading public keys.
I created a certificate request using java keytool and obtained a trial certificate from a trusted CA. I imported the CA's trial root and trial certificate into the keystore which was intially used to generate certificate request. I believe this can now be used as the keystore that contains the private key. Now how do i get the keystore which contains the public keys.
Any help in this regard will be appreaciated
Thanks,
pradeep
Re: How to export private key from keystore?
Author: lpz Posts: 2 Registered: 9/25/98
Mar 18, 2003 5:59 PM (reply 6 of 16)
I have the opposite problem. How do you read in an encrypted private key from a PEM file? I can read in the public key certificate and get the public key, like this:
FileInputStream is = new FileInputStream(file);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
java.security.cert.Certificate cert = cf.generateCertificate(is);
However, I cannot read in the private key and generate the private key:
FileInputStream in = new FileInputStream(file);
fileLength = (int) in.available();
byte[] base64Bytes = new byte[fileLength];
int inLength = in.read(base64Bytes, 0, fileLength);
String inputString = new String(base64Bytes);
// Here I tried all of the PEM file (including the ASCII armor) and just the base64 // characters. I get the same error either way
String keyString = new String(base64KeyBytes);
byte[]encryptedKeyBytes4 = Base64.decode(keyString);
EncryptedPrivateKeyInfo encryptedKeyInfo =
new EncryptedPrivateKeyInfo(encryptedKeyBytes);
// This always throws IOException
I have the same problem whether I use the java keystore or openssl to generate the key material.
Re: How to export private key from keystore?
Author: klmreddy Posts: 1 Registered: 11/21/02
Mar 22, 2003 6:25 AM (reply 7 of 16)
Hi ,
this code is working fine , but it is not maintaining 64 char for each line.
even if i made it 64 chars for line.this keyfile is not recognized by openssl.
the following converts pem cert to pkcs12 certificate ,we need to specify the private
key.
openssl pkcs12 -export -out file_name.p12 -inkey userkey.pem -in usercert.pem
I got the following error.
Error loading private key
15114:error:0D080071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer:a_int.c:204:
15114:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:117:
15114:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
15114:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:291:
this means private key is not in correct format.can somebody help me.
Thanks in advance,
klm.
Re: How to export private key from keystore?
Author: amorrow5 Posts: 320 Registered: 8/27/01
Jul 11, 2003 5:08 AM (reply 8 of 16)
It might be best to just try to dump out the the cert, rather than run your web server.
To review, on the cert (and public key):
keytool -export -rfc -keystore keyfile -alias duke > duke.cert.pem
openssl x509 -noout -text -in duke.cert.pem
but for the private key, you run the program and send the output to a file, say duke.key.pem and then you can:
openssl rsa -noout -text -in duke.key.pem
Note that the starting delimiter line is simply
"-----BEGIN PRIVATE KEY-----"
but if you have a password-protected (encrypted) private key, the line will be more like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4ECDE43CCBDA9934
I think Java, using JCE's DES, can decrypt such a file, but I have not tried to make an implementation of such.
In thinking about it, I can understand who keytool does not provide the functionality my program does: the unencrypted private key becomes less secure when it is no longer protected by the keystore password.
Re: How to export private key from keystore?
Author: alef-sun Posts: 1 Registered: 6/6/03
Oct 9, 2003 8:42 AM (reply 9 of 16)
Hi, I have used succesfully this code and the script:
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Key;
public class DumpPrivateKey {
static public void main(String[] args) {
try {
KeyStore ks = KeyStore.getInstance("jks");
ks.load(new FileInputStream("keystore"),
"password".toCharArray());
Key key = ks.getKey("youralias",
"password".toCharArray());
System.out.write(key.getEncoded());
} catch (Exception e) {
e.printStackTrace();
}
}
}
#!/bin/sh
ALIAS=youralias
PKEY_8=privatekey.pkcs8
PKEY_64=privatekey.b64
CERT_64=certificate.b64
CERT_12=certificate.p12
keytool -alias ${ALIAS} -export -rfc >${CERT_64}
java DumpPrivateKey >${PKEY_8}
(echo "-----BEGIN PRIVATE KEY-----" ;
openssl enc -in ${PKEY_8} -a;
echo "-----END PRIVATE KEY-----") >${PKEY_64}
openssl pkcs12 -inkey ${PKEY_64} -in ${CERT_64} -out ${CERT_12} -export
rm ${PKEY_8} ${PKEY_64} ${CERT_64}
echo ${CERT_12}
Hope could be useful. Regards.
Re: How to export private key from keystore?
Author: evilb69 Posts: 182 Registered: 4/8/03
Oct 13, 2003 1:26 AM (reply 10 of 16)
LPZ... in answer to reading IN a private key into the keystore, see my answer here:-
http://forum.java.sun.com/thread.jsp?forum=2&thread=161578&tstart=15&trange=15
Re: How to export private key from keystore?
Author: dwc_ Posts: 1 Registered: 2/27/04
Feb 27, 2004 10:52 AM (reply 11 of 16)
Thanks for the posts. They were just what I was looking for.
Re: How to export private key from keystore?
Author: svangasse Posts: 10 Registered: 3/21/03
May 27, 2004 2:03 PM (reply 12 of 16)
I'm very interested to see if anyone has managed to decrypt the (password protected) exported private key from a keystore.
I took amorrow5's advice and looked into using the JCE with DES but if, as I did, you created your key pair using keytool you won't know what parameters to use when initialising the Cipher object which is used to decrypt the private key.
I need the private key unencrypted to use with UW IMAP Mail Server.
If anyone has any pointers they would be very much appreciated.
Re: How to export private key from keystore?
Author: rdare Posts: 24 Registered: 9/2/99
Aug 10, 2004 1:56 PM (reply 13 of 16)
Using the cog-jglobus.jar and the BouncyCastle keyProvider classes,
one can load a password protected PrivateKey .pem file as such:
PrivateKey caPrivKey = null;
String fileName = null; // .pem file path
String caPassword = "some.password";
try {
// Now Generate the Cerificate
// OpenSSLKey key = new BouncyCastleOpenSSLKey(fileName);
OpenSSLKey key = new BouncyCastleOpenSSLKey(fileName);
// decrypt ca priv key
if (key.isEncrypted()) {
try {
if (caPassword == null) {
throw new GeneralSecurityException(
"A CA password is required");
}
key.decrypt(caPassword);
} catch (GeneralSecurityException e) {
System.out.println("Wrong CA password or other security error: "
+ e.getMessage());
e.printStackTrace();
}
}
caPrivKey = key.getPrivateKey();
Re: How to export private key from keystore?
Author: TJworld Posts: 1 Registered: 1/4/05
Jan 4, 2005 2:56 PM (reply 14 of 16)
Spurred on by the disparate articles and the code+script from alef-sun, I decided to put some tools together to make the job much easier, and to write a comprehensive illustrated guide to go with it, for Windows-based developers.
Here's how to get and use a FREE trusted Thawte digital certificate to sign your Java JAR and Microsoft CAB code archives, to create trusted applets for downloading over the Internet, and to convert the Java JKS key-store to Microsoft PFX Personal Information Exchange format to share the same certificate with Java JAR files and Microsoft CAB files.
Visit my guide "Trusted Code-Signing
http://forum.java.sun.com/thread.jspa?forumID=2&messageID=449486&threadID=154587
How to export private key from keystore?
Author: zendragon Posts: 4 Registered: 12/5/97
Jul 31, 2001 7:24 AM
I have the same problem as following
Hi
Does anybody know, how to export a private key from a keystore in a PEM-Encoded format, i.e. that is what openSSL for Apache is looking for.
What I got until now from the Keystore (and that's very easy) is an instance of the Key-class of the Private Key. From that Key instance I can call the encoded()-method to get a PKCS8-encoded byte-array. Now, what I want to is a PEM-Encoded String.
Any help greatly apreciated!
Re: How to export private key from keystore?
Author: thaisontn Posts: 1 Registered: 8/27/99
Sep 13, 2002 6:24 PM (reply 1 of 16)
I have the exact same issue. I have a certificate for a site that is incorporated in a Java keystore because the webserver is in Java. Now I want to migrate the site to a new setup (Apache/Tomcat) so I want to export the private key so that Apache/OpenSSL can use it. I've tried privKey.getEncoded()(which I assume is equivalent to OpenSSL's DER format) as well as Base64.encode(privKey.getEncoded()) (which I assume is equivalent to OpenSSL's PEM format). Neither of these approaches work. Am I missing something or is there a bug in the PKCS8EncodedKeySpec code or the OpenSSL code ? If anyone has any thoughts on this, I'd like to hear about it. Thanx !
Re: How to export private key from keystore?
Author: jheiss Posts: 3 Registered: 12/18/97
Sep 30, 2002 9:37 AM (reply 2 of 16)
You're on the right track. After Base64.encode(privKey.getEncoded()) you need
to wrap the lines at 64 characters and add the header and footer lines (these are documented in OpenSSL's pkcs8 man page).
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Re: How to export private key from keystore?
Author: emoy2000 Posts: 1 Registered: 6/8/01
Dec 30, 2002 11:25 PM (reply 3 of 16)
Hi, I have the same problem as what you mentioned here (which I don't know how to export private key from keystore), could you share your solution with me here?
Thanks a lot
Mana
Re: How to export private key from keystore?
Author: amorrow5 Posts: 320 Registered: 8/27/01
Jan 8, 2003 2:00 AM (reply 4 of 16)
Here is a full code example
// How to export the private key from keystore?
// Does keytool not have an option to do so?
// This example use the "testkeys" file that comes with JSSE 1.0.3
import sun.misc.BASE64Encoder;
import java.security.cert.Certificate;
import java.security.*;
import java.io.File;
import java.io.FileInputStream;
class ExportPriv {
public static void main(String args[]) throws Exception{
ExportPriv myep = new ExportPriv();
myep.doit();
}
public void doit() throws Exception{
KeyStore ks = KeyStore.getInstance("JKS");
String fileName = "testkeys";
char[] passPhrase = "passphrase".toCharArray();
BASE64Encoder myB64 = new BASE64Encoder();
File certificateFile = new File(fileName);
ks.load(new FileInputStream(certificateFile), passPhrase);
KeyPair kp = getPrivateKey(ks, "duke", passPhrase);
PrivateKey privKey = kp.getPrivate();
String b64 = myB64.encode(privKey.getEncoded());
System.out.println("-----BEGIN PRIVATE KEY-----");
System.out.println(b64);
System.out.println("-----END PRIVATE KEY-----");
}
// From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html
public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
try {
// Get private key
Key key = keystore.getKey(alias, password);
if (key instanceof PrivateKey) {
// Get certificate of public key
Certificate cert = keystore.getCertificate(alias);
// Get public key
PublicKey publicKey = cert.getPublicKey();
// Return a key pair
return new KeyPair(publicKey, (PrivateKey)key);
}
} catch (UnrecoverableKeyException e) {
} catch (NoSuchAlgorithmException e) {
} catch (KeyStoreException e) {
}
return null;
}
}
Re: How to export private key from keystore?
Author: pchinns Posts: 1 Registered: 10/8/00
Mar 11, 2003 11:34 AM (reply 5 of 16)
Hi,
I have a problem related to keystore and certificates. Can you please throw some light on this.
JSSE expects two keystores one for loading the private keys and the other for loading public keys.
I created a certificate request using java keytool and obtained a trial certificate from a trusted CA. I imported the CA's trial root and trial certificate into the keystore which was intially used to generate certificate request. I believe this can now be used as the keystore that contains the private key. Now how do i get the keystore which contains the public keys.
Any help in this regard will be appreaciated
Thanks,
pradeep
Re: How to export private key from keystore?
Author: lpz Posts: 2 Registered: 9/25/98
Mar 18, 2003 5:59 PM (reply 6 of 16)
I have the opposite problem. How do you read in an encrypted private key from a PEM file? I can read in the public key certificate and get the public key, like this:
FileInputStream is = new FileInputStream(file);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
java.security.cert.Certificate cert = cf.generateCertificate(is);
However, I cannot read in the private key and generate the private key:
FileInputStream in = new FileInputStream(file);
fileLength = (int) in.available();
byte[] base64Bytes = new byte[fileLength];
int inLength = in.read(base64Bytes, 0, fileLength);
String inputString = new String(base64Bytes);
// Here I tried all of the PEM file (including the ASCII armor) and just the base64 // characters. I get the same error either way
String keyString = new String(base64KeyBytes);
byte[]encryptedKeyBytes4 = Base64.decode(keyString);
EncryptedPrivateKeyInfo encryptedKeyInfo =
new EncryptedPrivateKeyInfo(encryptedKeyBytes);
// This always throws IOException
I have the same problem whether I use the java keystore or openssl to generate the key material.
Re: How to export private key from keystore?
Author: klmreddy Posts: 1 Registered: 11/21/02
Mar 22, 2003 6:25 AM (reply 7 of 16)
Hi ,
this code is working fine , but it is not maintaining 64 char for each line.
even if i made it 64 chars for line.this keyfile is not recognized by openssl.
the following converts pem cert to pkcs12 certificate ,we need to specify the private
key.
openssl pkcs12 -export -out file_name.p12 -inkey userkey.pem -in usercert.pem
I got the following error.
Error loading private key
15114:error:0D080071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an integer:a_int.c:204:
15114:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:117:
15114:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89:
15114:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:291:
this means private key is not in correct format.can somebody help me.
Thanks in advance,
klm.
Re: How to export private key from keystore?
Author: amorrow5 Posts: 320 Registered: 8/27/01
Jul 11, 2003 5:08 AM (reply 8 of 16)
It might be best to just try to dump out the the cert, rather than run your web server.
To review, on the cert (and public key):
keytool -export -rfc -keystore keyfile -alias duke > duke.cert.pem
openssl x509 -noout -text -in duke.cert.pem
but for the private key, you run the program and send the output to a file, say duke.key.pem and then you can:
openssl rsa -noout -text -in duke.key.pem
Note that the starting delimiter line is simply
"-----BEGIN PRIVATE KEY-----"
but if you have a password-protected (encrypted) private key, the line will be more like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4ECDE43CCBDA9934
I think Java, using JCE's DES, can decrypt such a file, but I have not tried to make an implementation of such.
In thinking about it, I can understand who keytool does not provide the functionality my program does: the unencrypted private key becomes less secure when it is no longer protected by the keystore password.
Re: How to export private key from keystore?
Author: alef-sun Posts: 1 Registered: 6/6/03
Oct 9, 2003 8:42 AM (reply 9 of 16)
Hi, I have used succesfully this code and the script:
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Key;
public class DumpPrivateKey {
static public void main(String[] args) {
try {
KeyStore ks = KeyStore.getInstance("jks");
ks.load(new FileInputStream("keystore"),
"password".toCharArray());
Key key = ks.getKey("youralias",
"password".toCharArray());
System.out.write(key.getEncoded());
} catch (Exception e) {
e.printStackTrace();
}
}
}
#!/bin/sh
ALIAS=youralias
PKEY_8=privatekey.pkcs8
PKEY_64=privatekey.b64
CERT_64=certificate.b64
CERT_12=certificate.p12
keytool -alias ${ALIAS} -export -rfc >${CERT_64}
java DumpPrivateKey >${PKEY_8}
(echo "-----BEGIN PRIVATE KEY-----" ;
openssl enc -in ${PKEY_8} -a;
echo "-----END PRIVATE KEY-----") >${PKEY_64}
openssl pkcs12 -inkey ${PKEY_64} -in ${CERT_64} -out ${CERT_12} -export
rm ${PKEY_8} ${PKEY_64} ${CERT_64}
echo ${CERT_12}
Hope could be useful. Regards.
Re: How to export private key from keystore?
Author: evilb69 Posts: 182 Registered: 4/8/03
Oct 13, 2003 1:26 AM (reply 10 of 16)
LPZ... in answer to reading IN a private key into the keystore, see my answer here:-
http://forum.java.sun.com/thread.jsp?forum=2&thread=161578&tstart=15&trange=15
Re: How to export private key from keystore?
Author: dwc_ Posts: 1 Registered: 2/27/04
Feb 27, 2004 10:52 AM (reply 11 of 16)
Thanks for the posts. They were just what I was looking for.
Re: How to export private key from keystore?
Author: svangasse Posts: 10 Registered: 3/21/03
May 27, 2004 2:03 PM (reply 12 of 16)
I'm very interested to see if anyone has managed to decrypt the (password protected) exported private key from a keystore.
I took amorrow5's advice and looked into using the JCE with DES but if, as I did, you created your key pair using keytool you won't know what parameters to use when initialising the Cipher object which is used to decrypt the private key.
I need the private key unencrypted to use with UW IMAP Mail Server.
If anyone has any pointers they would be very much appreciated.
Re: How to export private key from keystore?
Author: rdare Posts: 24 Registered: 9/2/99
Aug 10, 2004 1:56 PM (reply 13 of 16)
Using the cog-jglobus.jar and the BouncyCastle keyProvider classes,
one can load a password protected PrivateKey .pem file as such:
PrivateKey caPrivKey = null;
String fileName = null; // .pem file path
String caPassword = "some.password";
try {
// Now Generate the Cerificate
// OpenSSLKey key = new BouncyCastleOpenSSLKey(fileName);
OpenSSLKey key = new BouncyCastleOpenSSLKey(fileName);
// decrypt ca priv key
if (key.isEncrypted()) {
try {
if (caPassword == null) {
throw new GeneralSecurityException(
"A CA password is required");
}
key.decrypt(caPassword);
} catch (GeneralSecurityException e) {
System.out.println("Wrong CA password or other security error: "
+ e.getMessage());
e.printStackTrace();
}
}
caPrivKey = key.getPrivateKey();
Re: How to export private key from keystore?
Author: TJworld Posts: 1 Registered: 1/4/05
Jan 4, 2005 2:56 PM (reply 14 of 16)
Spurred on by the disparate articles and the code+script from alef-sun, I decided to put some tools together to make the job much easier, and to write a comprehensive illustrated guide to go with it, for Windows-based developers.
Here's how to get and use a FREE trusted Thawte digital certificate to sign your Java JAR and Microsoft CAB code archives, to create trusted applets for downloading over the Internet, and to convert the Java JKS key-store to Microsoft PFX Personal Information Exchange format to share the same certificate with Java JAR files and Microsoft CAB files.
Visit my guide "Trusted Code-Signing
posted by iamjerryyeung at
6:42 PM
0 Comments:
Post a Comment
<< Home