STOP! Don't do the following anymore... It's a pain and does not seem to work for the new NAU PKI.
What is the goal?
The goal in this case is to create a Java KeyStore (JKS) that contains all the Vista public and private certificates, plus all the trusted certificates of the web taken from the standard CaCerts file in the Java JRE.
What do we start with?
And the private key should look like this:
Convert a PKCS7 format cert into x509
If the certificate is not in x509 format, it will likely be in PKCS7 format. To convert it to x509, execute the following commands.
The certificate must have the following header and footer.
Create a PKCS12 file.
A PKCS12 file contains both the certificate and the private key in an encrypted format. This is really the best, most secure way to keep keys. Use the following procedure to convert the x509 RSA key pair to a PKCS12 file.
- Run openssl pkcs12 -export -in <Certificate File> -inkey <Key File> -out <Output pkcs12 file> -name <Friendly Name> -chain
- You now have a pkcs12 file. Next you need to use IbmKeyMan to create the JKS and import the pkcs12 file.
- Run km.bat
- Select the image on the left (Create a new Store)
- Select Keystore
- Click File/Import
- Select Local Resource
- Select Open a File
- Select the p12 file you just created
- Enter the passphrase you gave when you created the pkcs12
- You should then see this file under the private certificates.
- You then need to import all your trusted Certificate Authorities (CAs)
- Select File/Import
- Find your CaCert file in your JRE, or any other good list of CAs
- Follow the same procedure as above. The default password for the CaCert is changeit.
- Save the Keystore and give it a password
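The PKCS12 step of this procedure as a script, with two checks added before and after the export: that the certificate and key belong together, and that the bundle opens with its passphrase. This is an added example, not part of the original page; the function names and the P12_PASS variable are assumptions, and the sample pair is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): build a PKCS12 bundle from a PEM
# certificate and unencrypted RSA key, refusing pairs that do not belong together.
# Function names and the P12_PASS variable are assumptions of this example.

# Constructed sample input: a throwaway self-signed certificate and RSA key in DIR.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeeds only if FILE opens with the passphrase in $P12_PASS (checks the MAC).
verify_pkcs12() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>/dev/null
}

# make_pkcs12 CERT KEY OUT NAME
# Returns 2 for unreadable input, 3 for a cert/key mismatch, 4 or 5 on openssl failure.
make_pkcs12() {
    cert=$1 key=$2 out=$3 name=$4
    [ -n "${P12_PASS:-}" ] || { echo "set P12_PASS first" >&2; return 2; }
    # Both commands print the public key as PEM, so the strings compare directly.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 3
    fi
    # The passphrase comes from the environment, not the command line, and the
    # output is created owner-only. The page's -chain flag is left out because
    # the constructed certificate is self-signed and has no CA chain to add.
    ( umask 077
      openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
          -name "$name" -passout env:P12_PASS ) || return 4
    verify_pkcs12 "$out" || return 5
}

# Run as: P12_PASS=... sh script.sh cert.pem key.pem out.p12 "Friendly Name"
if [ "$#" -eq 4 ]; then
    make_pkcs12 "$@"
fi
```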
DER Format for chat/whiteboard
The chat/whiteboard requires a DER-formatted certificate, but a PEM-formatted key.