Creating Keystores by Importing
This page outlines how to create a local keystore by importing private keys
and public certificates that you have received from somebody else, so that
you can use them for encrypted (TLS) communication.
Importing a Public Key into a Keystore
Public keys are distributed as X.509 certificates, which will commonly be in a
format called PEM. PEM files begin and end with a special delimiter line
(-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for a certificate)
and consist of a body of Base-64 encoded binary, which is the DER encoding of
the certificate.
Certificate files will often have one of the following file extensions:
.PEM, .CRT, .CER
The following is an example of what a PEM file should look like:
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIETWBDIDANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
... some lines removed ...
4UJdLAICuodKr1YNzWOi+qu/C/toHkGIH3qqFlBwxYv+03VFy1ZeqqSFOS4yVZReXrNP9dpvIkcs
G9w7mJXpRj444RtF+sKQ15WYs7MmABnIrv9r/+mVbgXO1yawhEzc4rt4m/T5tGpiAE485mGUwZzo
7/5nr32KlhSkexwwuZCDpuzm3FC36g+puzVLUic32S1GZ50Z
-----END CERTIFICATE-----
The certificate may also be in a format known as DER, which is the same binary
encoding without the Base-64 wrapping and delimiter lines. keytool detects
either format automatically. To import a certificate file in either PEM or DER
format into a keystore, issue the following command (newer keytool versions
call this option -importcert; -import is still accepted). The following
arguments should be substituted for something appropriate:
- -alias trust_app_alias refers to the name by which the certificate will be
known in the keystore. It generally doesn't matter what you put here as long
as you choose something meaningful for the certificate you are putting in;
aliases are case-insensitive and must be unique within a keystore.
- -file public.cert refers to the filename of the certificate. This file
should be in one of the formats listed above.
- -keystore truststore.jks refers to the name of the keystore you are putting
the certificate in. If no file exists with this name, one will be created and
given the keystore password that you specify at the prompt below. If this
keystore already exists, the new certificate will be added to it, and the
password you enter must match the password that this keystore was previously
given.
- -storetype JKS selects the file format of the keystore. JKS is the
traditional Java format; Java 9 and later default to PKCS12 and print a
warning that JKS is a proprietary format, so prefer -storetype PKCS12 unless
the keystore must be read by an older Java version.
$ keytool -import -alias trust_app_alias -file public.cert -keystore truststore.jks -storetype JKS
Enter keystore password: trustpassword
Re-enter new password: trustpassword
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 50257625
Valid from: Fri Aug 10 16:59:17 EDT 2012 until: Thu Aug 10 16:59:17 EDT 2017
Certificate fingerprints:
MD5: B9:5B:43:34:CA:00:82:EE:1F:7B:24:14:B6:3E:56:09
SHA1: 98:56:ED:0B:E0:F2:A6:20:2D:DD:66:72:5F:DF:7D:CB:BC:98:C7:AE
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Answering yes makes this certificate a trust anchor: anything that uses this
truststore will accept every certificate that chains to it. Before answering,
compare the fingerprints that keytool prints with a fingerprint obtained from
the sender through a separate channel (a phone call, a signed e-mail, a value
published on their web site); if they differ, answer no. Current keytool
versions print SHA1 and SHA256 fingerprints rather than MD5 and SHA1, and the
same value can be computed independently with
openssl x509 -in public.cert -noout -fingerprint -sha256.
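The import above relies on a person answering the "Trust this certificate?" prompt. The script below is an added example, not code from the original page: it performs the same import unattended while keeping the fingerprint check, computing the SHA-256 fingerprint of a PEM or DER certificate with openssl, refusing to continue unless it matches a fingerprint obtained from the sender, and only then calling keytool with -noprompt. It assumes keytool and openssl are on the PATH; the file name, alias, keystore name and expected fingerprint it is called with are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): import a received certificate as
# a trusted entry only after its fingerprint matches an out-of-band value.
# Assumes keytool and openssl on PATH; every file name, alias and fingerprint
# passed in is a hypothetical placeholder.

# Normalise a fingerprint for comparison: drop colons and spaces, upper-case hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Pure-text sanity check of a PEM certificate file: exactly one
# BEGIN/END CERTIFICATE pair and only Base-64 characters in between.
# Windows line endings are tolerated. Returns 1 on any violation.
check_pem_cert() {
    f=$1
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" = 1 ] || return 1
    [ "$(grep -c -- '-----END CERTIFICATE-----' "$f")" = 1 ] || return 1
    # any line between the delimiters that is not Base-64 fails the check
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" \
        | tr -d '\r' | grep -v -- '-----' \
        | grep -q -v -E '^[A-Za-z0-9+/=]+$' && return 1
    return 0
}

# SHA-256 fingerprint (colon-separated hex) of a PEM or DER certificate file,
# the same value newer keytool versions print before the trust prompt.
cert_fingerprint() {
    f=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        check_pem_cert "$f" || return 1
        inform=PEM
    else
        inform=DER
    fi
    openssl x509 -in "$f" -inform "$inform" -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=//'
}

# Import as trusted only if the fingerprint matches the expected one, so the
# -noprompt flag can never accept a certificate nobody has verified.
# The keystore password is deliberately left off the command line; keytool
# prompts for it instead of leaving it in shell history and the process list.
import_trusted_cert() {
    f=$1; name=$2; store=$3; expected=$4
    actual=$(cert_fingerprint "$f")
    [ -n "$actual" ] || return 1
    if [ "$(norm_fp "$actual")" != "$(norm_fp "$expected")" ]; then
        printf 'fingerprint mismatch for %s: expected %s, got %s\n' \
            "$f" "$expected" "$actual" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$name" -file "$f" \
        -keystore "$store" -storetype PKCS12
}

# Usage: sh import_trusted.sh public.cert trust_app_alias truststore.p12 'AB:CD:...'
if [ $# -eq 4 ]; then
    import_trusted_cert "$@"
fi
```

The structural check runs before openssl sees the file so that a truncated download or a file with Windows line endings is reported as such rather than as an opaque ASN.1 error; the fingerprint comparison is case- and separator-insensitive because senders write fingerprints in several styles.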
Importing a Private Key into a Keystore
Private keys will often be provided together with their certificate (and
sometimes the issuing chain) in a format called PKCS#12. This is a standard,
password-protected container format that OpenSSL, Java keytool, Windows and
most other tooling can read and write. PKCS#12 files are generally provided
using the extension .PFX or .P12. Because the file contains a private key,
handle it like one: restrict its file permissions and delete it once the key
has been imported.
The "openssl" tool can first be used to verify the contents of a PKCS#12 file. Note that
the file itself will have a password which should be supplied by whoever supplies the file,
ideally through a different channel than the file itself. In the example below, the
password is "helloworld123".
$ openssl pkcs12 -info -in private_key.pfx -nokeys
Enter Import Password: helloworld123
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: le-d7ffb209-fb59-4e0c-bd42-75157dccc563
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase: (hit enter)
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
subject=/C=CA/ST=Ontario/L=Toronto/O=TestOrg/OU=TestOU/CN=testers.uhn.ca
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIETWBDIDANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
... many lines removed ...
4UJdLAICuodKr1YNzWOi+qu/C/toHkGIH3qqFlBwxYv+03VFy1ZeqqSFOS4yVZReXrNP9dpvIkcs
G9w7mJXpRj444RtF+sKQ15WYs7MmABnIrv9r/+mVbgXO1yawhEzc4rt4m/T5tGpiAE485mGUwZzo
7/5nr32KlhSkexwwuZCDpuzm3FC36g+puzVLUic32S1GZ50Z
-----END CERTIFICATE-----
In particular, the output above contains the "friendlyName" attribute
value of "le-d7ffb209-fb59-4e0c-bd42-75157dccc563". This is a kind of alias
which will be used to refer to the key when importing it into the keystore.
To import a PKCS#12 file into a keystore, use the following command. Note the following
arguments:
- -destkeystore otherside.jks tells keytool the filename for the destination
keystore. This is the keystore that the key will be copied into.
- -deststorepass changeit tells keytool the password to use for the keystore.
If this is a new keystore being created, this same password will need to be
used for any subsequent modifications. If this is an existing keystore being
added to, the password must match its pre-existing password.
- -srckeystore private_key.pfx refers to the name of the PKCS#12 file
containing the private key, and -srcstoretype PKCS12 tells keytool what format
that file is in.
- -srcalias le-d7ffb209-fb59-4e0c-bd42-75157dccc563 refers to the friendly
name of the key within the PKCS#12 file. This can be obtained using openssl,
as seen above. If openssl shows no friendlyName, run
keytool -list -keystore private_key.pfx -storetype PKCS12 to see the alias
keytool assigns to the entry.
- -destalias lab_staging_system gives the key a friendly name (or alias)
within the destination keystore. This should be a small ID which refers to the
specific purpose for the key.
- -destkeypass changeit gives the key itself a password within the keystore.
A JKS keystore allows this to differ from the store password; a PKCS12
destination keystore does not, and keytool warns and ignores a different
-destkeypass value.
Passing passwords as command-line arguments leaves them in the shell history
and exposes them in the process list of the machine while keytool runs. Omit
-deststorepass and -destkeypass to be prompted for them instead (as happens
below for the source keystore password), or supply them with keytool's
-deststorepass:env VARIABLE / -deststorepass:file FILE forms.
$ keytool -v -importkeystore -destkeystore otherside.jks \
    -deststorepass changeit -srckeystore private_key.pfx \
    -srcstoretype PKCS12 -srcalias le-d7ffb209-fb59-4e0c-bd42-75157dccc563 \
    -destalias lab_staging_system -destkeypass changeit
Enter source keystore password: helloworld123
[Storing otherside.jks]
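The three manual steps above (inspect the PKCS#12 file with openssl, read off the friendlyName, run keytool -importkeystore) can be combined into one script. The following is an added example and not code from the original page: it parses the friendlyName out of the openssl output, refuses to guess when the file holds more than one entry or none, and reads both passwords from environment variables (openssl's -passin env: and keytool's :env password modifier) so that neither appears on a command line. keytool and openssl are assumed to be on the PATH; the PFX_PASS and DEST_STORE_PASS variable names and all file names and aliases are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original page): import the private key entry of a
# PKCS#12 file into a Java keystore without placing passwords on the command line.
# Assumes openssl and keytool on PATH. PFX_PASS (password of the .pfx/.p12 file)
# and DEST_STORE_PASS (password of the destination keystore) are hypothetical
# environment variable names used only by this script.

# Extract friendlyName values from "openssl pkcs12 -info" text read on stdin,
# one per line. Nothing is printed if the file carries no friendlyName.
friendly_names() {
    sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p'
}

# List the distinct friendlyName(s) in a PKCS#12 file. -passin env: makes
# openssl read the file password from $PFX_PASS; -nokeys -nodes stop it from
# asking for a PEM pass phrase for keys it is not going to output anyway.
# openssl's own errors (e.g. "Mac verify error" on a wrong password) are left
# on stderr so a failure has a visible cause.
pkcs12_aliases() {
    openssl pkcs12 -info -in "$1" -nokeys -nodes -passin env:PFX_PASS \
        | friendly_names | sort -u
}

# Copy one entry from the PKCS#12 file into the destination keystore and list
# it afterwards as a check. keytool's ":env" modifier reads each password from
# the named variable. The destination is PKCS12, so there is no separate
# -destkeypass: keytool would ignore a key password that differs from the
# store password for that format anyway.
import_private_key() {
    src=$1; srcalias=$2; dest=$3; destalias=$4
    keytool -importkeystore \
        -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass:env PFX_PASS \
        -srcalias "$srcalias" \
        -destkeystore "$dest" -deststoretype PKCS12 -deststorepass:env DEST_STORE_PASS \
        -destalias "$destalias" \
    && keytool -list -keystore "$dest" -storetype PKCS12 \
        -storepass:env DEST_STORE_PASS -alias "$destalias"
}

# Usage: PFX_PASS=... DEST_STORE_PASS=... sh import_pkcs12.sh private_key.pfx otherside.p12 lab_staging_system
if [ $# -eq 3 ]; then
    names=$(pkcs12_aliases "$1")
    count=$(printf '%s\n' "$names" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        printf 'expected exactly one friendlyName in %s, found %s:\n%s\n' \
            "$1" "$count" "$names" >&2
        exit 1
    fi
    import_private_key "$1" "$names" "$2" "$3"
fi
```

Exporting the passwords for the duration of one command (PFX_PASS=... DEST_STORE_PASS=... sh import_pkcs12.sh ...) keeps them out of the shell history; the environment of a running process is still readable by the same user, so this is a smaller exposure than argv, not zero.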