Reputation: 400
I only have a private key as a .key file, no other .crt or ca stuff. I need to create a java keystore with that. How to convert it?
What I tried so far:
I renamed my .key file to .pem.
I used openssl to create a .p12 file out of the .pem.
And lastly I use this command to create the java keystore:
keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 \
-srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] \
-deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]
I am asked to give the passwords, which I enter and then I get an error:
PEM_read_bio:no start line: ...... Expecting: TRUSTED CERTIFICATE
I already checked for missing spaces and that the file starts with the "-----" and ends with it as well.
Does anyone know a way to do it?
Upvotes: 2
Views: 7325
Reputation: 38990
You didn't show the openssl command you used, but it's probably wrong, since the error you quote comes from openssl and not keytool, and as a result your keytool command couldn't possibly work.
However, your goal is unwise. The Java KeyStore API is designed to store a private key with a certificate (or chain) for it, and both keytool and most other programs won't work right or at all for a private key with no certificate. The usual practice in Java -- and mostly in OpenSSL as well -- when you have no real certificate(s) for a private key is to create a 'dummy' self-signed certificate; this does not extend trust as a real certificate does, but it fills the certificate-shaped hole(s) and allows programs to work at least up to the point they need valid trust.
There are two ways to do this. OpenSSL is easier, but not programming and hence not really on-topic:
openssl req -new -x509 -key privkey.pem [-days N] [-subj name] -out dummy.pem
# -subj name has the form /attr=value/attr=value/...
# where commonly used attrs are C (Country), ST (State/Province),
# L (Locality), O (Organization), OU (Org Unit), CN (CommonName).
# if you omit -subj name you will be prompted for these (assuming normal config)
# -days defaults to 30
# if you modify the default config file or create and specify your own
# you can configure a variety of X.509 extensions, but for a dummy cert
# this is only rarely helpful, depending how you (will) use it
openssl pkcs12 -export -in dummy.pem -inkey privkey.pem -out keystore.p12 [-name alias]
# Java can use the PKCS12, but if you really want JKS for some reason
keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -deststoretype JKS \
[-srcstorepass p] [-deststorepass p] [-srcalias x [-destalias y]]
# most j8 can read PKCS12 without specifying it (due to a compatibility setting)
# and all j9 up autodetect the source type;
# j8 defaults dest type to JKS but j9 up do not
Alternatively you can program this in Java. OOTB Java doesn't directly handle PEM format for keys, and more importantly handles only one of the eight formats used by OpenSSL -- and you carefully avoided telling us which you have. Also OOTB Java has no documented way to create a certificate; there are internal classes used by keytool, but after j8 it is increasingly difficult to use internal classes. Both of these are solved by BouncyCastle (bcpkix+bcprov) which supports OpenSSL PEM keys and generating X.509 certificates among other things.
To read OpenSSL's 'traditional' format unencrypted privatekey file see
Read RSA private key of format PKCS1 in JAVA
How to Load RSA Private Key From File
Getting RSA private key from PEM BASE64 Encoded private key file
or traditional encrypted
Get a PrivateKey from a RSA .pem file
Decrypting an OpenSSL PEM Encoded RSA private key with Java?
For PKCS8 encrypted
Reading PKCS8 in PEM format: Cannot find provider
Decrypt PEM private (RSA) key with Bouncy Castle
and since you actually need the public key also, which 'traditional' formats give you (as PEMKeyPair -> KeyPair) but PKCS8 doesn't
Bouncy Castle - how to get Public Key Info from JceOpenSSLPKCS8DecryptorProviderBuilder (mine)
For generating a self-signed cert with Bouncy
Self signed X509 Certificate with Bouncy Castle in Java
Generating X509 Certificate using Bouncy Castle Java (but don't use SHA1)
maybe Generating X509Certificate using bouncycastle X509v3CertificateBuilder
Upvotes: 5
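The OpenSSL route the answer sketches, as an added shell script that is not part of the answer: it first reports which OpenSSL PEM key format the file actually holds (the question never says), refuses to continue if the file is a certificate or something unrecognised, then creates the dummy self-signed certificate and the PKCS12 keystore and reads the certificate back out as a check. The function names, the 825-day validity, CN=dummy and the default store password are my own choices, not anything from the answer.

```shell
#!/bin/sh
# Added example, not from the answer: classify the PEM private key you have,
# then fill the certificate-shaped hole with a dummy self-signed certificate
# and package key plus certificate as a PKCS12 keystore with openssl.
set -eu
# Report which OpenSSL PEM key format a file holds, judged from its BEGIN line.
# Prints: traditional, traditional-encrypted, pkcs8, pkcs8-encrypted, certificate, unknown.
pem_key_kind() {
  first=$(grep -m1 -- '-----BEGIN' "$1" 2>/dev/null || true)
  case "$first" in
    *'BEGIN RSA PRIVATE KEY'*|*'BEGIN EC PRIVATE KEY'*|*'BEGIN DSA PRIVATE KEY'*)
      # 'traditional' keys mark encryption in a PEM header line, not the label
      if grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo traditional-encrypted
      else
        echo traditional
      fi ;;
    *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;
    *'BEGIN ENCRYPTED PRIVATE KEY'*) echo pkcs8-encrypted ;;
    *'BEGIN CERTIFICATE'*)           echo certificate ;;
    *)                               echo unknown ;;
  esac
}
# make_dummy_keystore KEY.pem OUT.p12 ALIAS STOREPASS
# Refuses anything that is not a private key, otherwise writes the dummy cert
# and the PKCS12, then prints the subject read back from the finished keystore.
make_dummy_keystore() {
  key=$1 out=$2 alias=$3 pass=$4
  kind=$(pem_key_kind "$key")
  case "$kind" in
    traditional*|pkcs8*) ;;
    *) echo "$key: not a PEM private key ($kind)" >&2; return 1 ;;
  esac
  dummy=$(mktemp)
  # -subj skips the interactive prompts; 825 days and CN=dummy are arbitrary.
  # An encrypted key makes openssl prompt for its passphrase here and below.
  openssl req -new -x509 -key "$key" -days 825 -subj '/CN=dummy' -out "$dummy"
  openssl pkcs12 -export -in "$dummy" -inkey "$key" -name "$alias" \
    -passout "pass:$pass" -out "$out"
  rm -f "$dummy"
  openssl pkcs12 -in "$out" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}
# stand-alone use: sh this.sh privkey.pem keystore.p12 [alias] [storepass]
if [ -n "${1:-}" ]; then
  make_dummy_keystore "$1" "${2:?output .p12 path required}" "${3:-dummy}" "${4:-changeit}"
fi
```

Java can open the resulting .p12 directly as a PKCS12 KeyStore; the keytool -importkeystore line in the answer converts it to JKS only if something insists on that type.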