STOP! Don't do the following anymore... It's a pain and does not seem to work for the new NAU PKI.

Cert and Key to JKS, the Weblogic Way

CreateJksFromPem

Background

Use the SourceForge Java project Portecle to manipulate keys, certs, and keystores.

  1. What is PEM and DER
  2. Pkcs Formats

What is the goal?

The goal in this case is to create a JavaKeyStore that contains all the Vista public and private certificates and all the trusted certificates of the web using the standard CaCerts from the Java JRE.

What do we start with?

The first thing we need is the public certificate and its private key. The certificate in x509 PEM format should look like this:

And the private key should look like this:

Convert a PKCS7 format cert into x509

If the certificate is not in x509 format, it will likely be in PKCS7 format. To convert it to x509, execute the following commands.

The certificate must have the following header and footer.

Create a PKCS12 file.

A PKCS12 file contains both the certificate and the private key in an encrypted format. This is really the best, most secure way to keep keys. Follow this procedure to convert the x509 RSA key pair to a PKCS12 file.

  1. Run openssl pkcs12 -export -in <Certificate File> -inkey <Key File> -out <Output pkcs12 file> -name <Friendly Name> -chain
  2. You now have a pkcs12 file. Next you need to use IbmKeyMan to create the JKS and import the pkcs12 file.
  3. Run km.bat
  4. Select the image on the left (Create a new Store)
  5. Select Keystore
  6. Click File/Import
  7. Select Local Resource
  8. Select Open a File
  9. Select the p12 file you just created
  10. Enter the passphrase you gave when you created the pkcs12
  11. You should then see this file under the private certificates.
  12. You then need to import all your trusted Certificate Authorities (CAs)
  13. Select File/Import
  14. Find your CaCert file in your JRE or any other good list of CAs
  15. Follow the same procedure as above. The default password for the CaCert is changeit.
  16. Save the Keystore and give it a password
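
The export from step 1, wrapped in two checks worth running around it: that the private key really belongs to the certificate before export, and that the resulting PKCS12 opens and holds the matching pair. This is an added example, not part of the original page. The self-signed key pair, the alias, the P12_PASS variable and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. The key, certificate, alias and passphrase are constructed
# throwaway values, not material from the page.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
export P12_PASS='constructed-passphrase'  # read via env: so it stays off the command line

# Constructed self-signed pair standing in for the real certificate and key.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.invalid" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Succeeds only when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 1 of the procedure: $1=cert $2=key $3=output file $4=friendly name.
# -chain makes openssl build the issuer chain and abort if it cannot; the
# sample cert is self-signed, so it is passed as its own CA file here.
export_p12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077  # the PKCS12 holds the private key: owner-only permissions
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
          -chain -CAfile "$1" -passout env:P12_PASS )
}

# Re-open the PKCS12 ($1) and confirm it holds a certificate and its matching key.
p12_is_consistent() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_sample_pair
export_p12 "$WORK/cert.pem" "$WORK/key.pem" "$WORK/example.p12" example-alias
p12_is_consistent "$WORK/example.p12" && echo "PKCS12 verified: certificate and key match"
```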

DER Format for chat/whiteboard

The chat/whiteboard requires a DER-formatted certificate, but a PEM-formatted key.
