Java export private key

Dealing with java keystores

First you have to create a new private key within an existing or new keystore using keytool:

keytool -genkeypair -keyalg rsa -keystore keystorename -storepass keystorepassword -alias my_new_key

The preceding command uses Java 1.6 syntax. If you are still using Java 1.5, substitute -genkeypair with -genkey.

  • to protect the new private key with its own key password inside the keystore, add the -keypass option
  • if you do not use -keypass, the keystore password is also used to protect the private key
  • accordingly, since keytool cannot remove a key password, the closest you can get is to set the key password equal to the keystore password
  • if you want to use the key for a client certificate, use RSA as the key algorithm instead of DSA (the default of these older keytool versions), because many servers (e.g. IBM MQ) only accept RSA client certificates; also pass -keysize 2048 (or larger) explicitly, since older keytool versions default to 1024-bit RSA keys, which current CAs and TLS stacks reject

The next task is to generate a CSR, even if you are going to sign it with your own CA rather than a public one:

keytool -certreq -alias my_new_key -keystore keystorename -storepass keystorepassword -file my_new.csr

Now it is time to either send the CSR to the CA of your choice, or to sign it by your own CA using openssl:

openssl x509 -req -sha256 -in my_new.csr -CA my_ca.crt -CAkey my_ca.key -out my_new.crt -days 365 -CAcreateserial -CAserial my_ca.seq

Note that openssl x509 -req does not copy any extensions from the CSR: without an -extfile the issued certificate carries no subjectAltName and no key usage, which current browsers reject for server certificates.

If the certificate is not self-signed, you first have to import the certificate of the CA, as well as the certificates of any intermediate CAs between it and your CSR. Only after that can the signed certificate be imported, and the chain of trust will be established.

keytool -import -alias my_ca -file ca.crt -keystore keystorename -storepass keystorepassword

keytool asks whether to trust the certificate; answer «yes» (compare the printed fingerprint with the CA's published one first), or pass -noprompt to skip the question.


Finally the signed certificate has to be imported into the keystore using the same alias as the private key:

keytool -import -alias my_new_key -file my_new.crt -keystore keystorename -storepass keystorepassword
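The whole procedure above as one script, added here and not part of the original page: a throwaway OpenSSL CA signs a keytool CSR with the extensions that openssl x509 -req would otherwise drop, and the chain is installed into the keystore and checked. File names, the alias, the passwords and the host name are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): a throwaway OpenSSL CA signs a keytool
# CSR and the resulting chain is installed into the keystore. File names, the alias,
# passwords and the host name are assumptions.
set -eu

# Create a self-signed root CA in directory $1 (ca.key, ca.crt). OpenSSL only.
make_test_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Sign CSR $2 with the CA in $1 and write the certificate to $3. $4 is the DNS name
# for the SAN: openssl x509 -req copies no extensions from the CSR, so everything
# the certificate should carry has to be supplied through -extfile.
sign_csr() {
    dir=$1 csr=$2 out=$3 dns=$4
    cat > "$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$dns
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -sha256 -days 365 -in "$csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -CAserial "$dir/ca.srl" \
        -extfile "$dir/leaf.ext" -out "$out" 2>/dev/null
}

# Does certificate $2 chain to the CA in $1 and name $3 in its SAN?
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

# keytool side. -keypass is given explicitly: without it keytool prompts for the key
# password even when -storepass is present, which hangs a script.
keystore_new_key() {  # keystore storepass alias dname
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -keystore "$1" -storepass "$2" -keypass "$2" -alias "$3" -dname "$4"
}
keystore_csr() {  # keystore storepass alias out.csr
    keytool -certreq -keystore "$1" -storepass "$2" -keypass "$2" -alias "$3" -file "$4"
}
# The CA goes in first under its own alias (-noprompt because we made it ourselves);
# the leaf is then imported under the key's alias, which keytool only accepts when it
# can build the chain from certificates already in the store. The last line prints
# the chain length of the entry (1 means the CA was not picked up).
keystore_install_chain() {  # keystore storepass alias ca.crt leaf.crt
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias my_ca -file "$4"
    keytool -importcert -keystore "$1" -storepass "$2" -keypass "$2" -alias "$3" -file "$5"
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" | grep -c 'Certificate\['
}

# End-to-end run (needs keytool on PATH); all names here are made up.
demo() {
    make_test_ca ca
    keystore_new_key app.jks changeit app "CN=app.example.test,OU=dev,O=example,C=DE"
    keystore_csr app.jks changeit app app.csr
    sign_csr ca app.csr app.crt app.example.test
    verify_leaf ca app.crt app.example.test
    keystore_install_chain app.jks changeit app ca/ca.crt app.crt
}
```

The OpenSSL half runs on its own, so the signing and verification can be checked without a JDK; the keytool half is what the page's commands do, with -keypass added so it never blocks on a prompt.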

Examining the keystore

To see what’s inside any given keystore:

keytool -list -keystore keystorename
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

my_key, Sep 26, 2007, keyEntry,
Certificate fingerprint (MD5): BA:22:E1:9E:9D:83:05:5A:99:42:5E:EF:62:77:DE:5A
my_ca, Sep 26, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 4E:B5:B6:7A:02:F8:F8:6E:5E:79:FB:84:65:75:42:68

To get detailed information, such as the issuer of an alias, add -v. Newer keytool versions label the entry types PrivateKeyEntry and trustedCertEntry and print SHA-1 or SHA-256 fingerprints instead of MD5.

Change keystore passphrase

To change the keystore passphrase use the following keytool command:

keytool -storepasswd -keystore keystorename

This changes the store password only. In a JKS every private key has its own password (usually set equal to the store password, see above), so you also have to change the key password of every private key entry with keytool -keypasswd, otherwise they keep the old value.
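What that looks like as a script, added here and not the page's own code: the aliases of all private key entries are read from keytool -list, each key password is changed with keytool -keypasswd, and finally the store password with -storepasswd. It assumes the key passwords currently equal the store password, as recommended above; the keystore name and passwords are made up.

```sh
#!/bin/sh
# Added example: rotate a JKS store password together with every private-key password.
# keytool -storepasswd touches only the store password; each private key entry keeps
# its own, so they are rotated one by one. Keystore name and passwords are assumptions.
set -eu

# Read `keytool -list` output on stdin and print the alias of every private key entry,
# one per line. Old keytool prints "keyEntry", newer ones "PrivateKeyEntry"; trusted
# certificates (trustedCertEntry) and secret keys are skipped.
private_key_aliases() {
    awk -F', ' '/, (PrivateKeyEntry|keyEntry),?[[:space:]]*$/ { print $1 }'
}

# Change the key password of every private key from $2 to $3, then the store password.
# Assumes every key password equals the old store password. Aliases containing spaces
# would need a different loop.
rotate_passwords() {  # keystore oldpass newpass
    ks=$1 old=$2 new=$3
    for alias in $(keytool -list -keystore "$ks" -storepass "$old" | private_key_aliases); do
        keytool -keypasswd -keystore "$ks" -storepass "$old" \
            -alias "$alias" -keypass "$old" -new "$new"
    done
    keytool -storepasswd -keystore "$ks" -storepass "$old" -new "$new"
}

# Usage (needs keytool): rotate_passwords keystorename oldpassword newpassword
```

Rotate the key passwords first: once -storepasswd has run, the old store password no longer opens the file, while the key entries still need it.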

OpenSSL and Keystores

A common task is to exchange keys and certificates between an Apache web server, an SSL load balancer and a Java application server such as Tomcat or BEA WebLogic. This means converting keys and certificates from PEM, DER or PKCS#12 to or from Java keystores. The standard keytool can import and export certificates, but it has no command to import or export a private key on its own; since JDK 6, keytool -importkeystore can convert a whole keystore to or from PKCS#12, which OpenSSL can then read or write (this is what the second article below uses).

Export certificate:

keytool -export -rfc -alias my_cert -file cert.crt -keystore keystorename -storepass keystorepassword

Import certificate:

keytool -import -alias my_cert -file cert.crt -keystore keystorename -storepass keystorepassword

Import private key:

In order to import an existing private key you first have to get and compile the ImportKey.java tool. It is based on the original ImportKey; I added options to import keys and certs into an existing keystore as well as setting the keystore passphrase via the command line.

Usage: java ImportKey keyfile certfile [alias]

The key has to be in unencrypted PKCS#8 DER format, which openssl produces with:

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

In case of a self-signed certificate use:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

If the certificate is signed by a foreign CA or even by intermediate CA(s), bundle the whole chain into a PKCS#7 container:

openssl crl2pkcs7 -nocrl -certfile cert.pem [-certfile ca_intermediate.pem] -certfile ca.pem -outform DER -out cert.der

This creates a PKCS#7 container in DER format that contains the correct certificate chain. Note that with -nocrl the -in file is ignored, so the end-entity certificate itself must also be passed via -certfile.

Then build a new keystore using both key and certificate:

java ImportKey key.der cert.der my_alias

Export private key:

In order to export any private key from an existing keystore download and compile ExportPriv.java. After compiling it run:

java ExportPriv > exported.key

The key is written to exported.key in PKCS#8 PEM format. Apache's mod_ssl traditionally expects the PKCS#1 «RSA PRIVATE KEY» form, which openssl produces with:

openssl pkcs8 -inform PEM -nocrypt -in exported.key -out exported_rsa.key

OpenSSL 1.1.0 and later write PKCS#8 again in this direction; add -traditional there to get the RSA PRIVATE KEY form (openssl rsa -in exported.key -out exported_rsa.key does the same). Current mod_ssl accepts the PKCS#8 form as well. Whatever the format, exported.key is the plaintext key: restrict its permissions and delete it once imported.

Various useful commands

Convert PEM to PKCS12

To create a PKCS#12 container from a PEM private key and certificate use:
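The PEM to PKCS#12 step and the way into a Java keystore from there, as an added script that is not part of the original page: openssl pkcs12 -export bundles key, certificate and CA chain, a quick count checks the bundle, and keytool -importkeystore (JDK 6 and later) imports it into a JKS, which replaces the ImportKey.java tool from the previous section. File names, the alias and the passwords are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): PEM -> PKCS#12 -> JKS. File names,
# alias and passwords are assumptions.
set -eu

# Build a PKCS#12 from key.pem + cert.pem, optionally adding the CA chain from a
# sixth argument. -name sets the friendly name, which keytool uses as the alias.
pem_to_p12() {  # key.pem cert.pem out.p12 password alias [chain.pem]
    key=$1 cert=$2 out=$3 pass=$4 name=$5 chain=${6:-}
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name "$name" -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name "$name" -out "$out" -passout "pass:$pass"
    fi
}

# Number of certificates in the PKCS#12 (leaf plus chain): a sanity check before
# handing the file to keytool. Fails (exit 1) on a wrong password.
p12_cert_count() {  # in.p12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Import the PKCS#12 entry into a JKS. keytool takes the single PKCS#12 password as
# source store and key password; the destination gets the store password as key
# password so the entry stays usable without a separate -keypass later on.
p12_to_jks() {  # in.p12 p12pass alias keystore storepass
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -srcalias "$3" -destkeystore "$4" -deststoretype JKS -deststorepass "$5" \
        -destalias "$3" -destkeypass "$5" -noprompt
}

# Usage (keytool needed for the last step):
#   pem_to_p12 key.pem cert.pem cred.p12 p12password my_alias chain.pem
#   p12_cert_count cred.p12 p12password
#   p12_to_jks cred.p12 p12password my_alias keystorename keystorepassword
```

Because the chain travels inside the PKCS#12, the resulting JKS entry already has the complete certificate chain; the separate CA import and the PKCS#7 bundling from the previous section are not needed.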

Export key and cert from PKCS12 to PEM

If you have a PKCS#12 container and its passphrase, use the following command to extract the private key and client certificate only (-clcerts), without encrypting the exported private key again (-nodes):

openssl pkcs12 -in cred.p12 -out certkey.pem -nodes -clcerts

As you will notice, both key and certificate end up in one file. If you need them separately you can either split the file with your favorite editor, saving everything between (and including) each pair of -----BEGIN and -----END lines to a separate file, or use the following two commands to export them separately:

openssl pkcs12 -in cred.p12 -out cert.pem -nodes -clcerts -nokeys
openssl pkcs12 -in cred.p12 -out key.pem -nodes -nocerts

Remove passphrase of private key

It will prompt for current passphrase:

openssl rsa -in oldkey.pem -out newkey.pem

Change passphrase of private key

It will prompt for old passphrase and twice for new one:

openssl rsa [-des3|-aes128] -in oldkey.pem -out newkey.pem

View details of a certificate signing request CSR

openssl req -noout -text -in server.csr


Extracting a Private Key From the Java Keystore (JKS)


I’ve been working with the AS2 Protocol and the AdroitLogic AS2Gateway for quite some time now, and hence, playing with JKS has been a must. One of the tricks that were required from time to time was extracting the private key and public key (certificate) from Java KeyStores. In this blog post, we’ll go through a couple of simple commands on how to do that.

What Is a Java KeyStore (JKS)?

A JKS is a binary file that stores a set of cryptographic keys and certificates. The store password is used for an integrity check of the file, and each private key entry is additionally encrypted under its own key password (with a weak, proprietary scheme, which is one reason PKCS12 has been the default keystore type since JDK 9). JKS files are used for a variety of purposes: for example, to sign an Android app for publishing on Google Play, or to hold the key and certificate of an SSL/TLS server.

Are There Any Other KeyStore Types?

Yes. There are other KeyStore types; PKCS12 is one, and since JDK 9 it is the type keytool creates by default.

What Are the Tools Used to Manipulate KeyStores?

For JKS, we can use the Java keytool utility, which comes bundled with the JDK, and for PKCS12, we can use the openssl utility (keytool handles PKCS12 keystores too, which is what the conversion below relies on).

Let’s Get to Work

Exporting the public key from a JKS is quite straightforward with the keytool utility, but keytool has no command to export the private key. Therefore, we need the support of the openssl utility for that. Alternatively, you can write some custom Java code that reads the key through the KeyStore API.

To begin with, let’s create a simple KeyStore:

keytool -genkeypair -alias notebook -keyalg RSA -dname "CN=rajind,OU=dev,O=bft,L=mt,C=Srilanka" -keystore identity.jks -keypass keypassword -storepass storepassword

Extracting the Private Key With OpenSSL and Keytool

1. Convert JKS to the PKCS12 format:

keytool -importkeystore -srckeystore identity.jks -srcstorepass storepassword -srckeypass keypassword -srcalias notebook -destalias notebook -destkeystore identity.p12 -deststoretype PKCS12 -deststorepass password -destkeypass password

Note that we have given -destkeypass and -deststorepass the same value. keytool's PKCS12 implementation does not support different passwords for the keystore and the key. If you try to give different passwords, you get the following warning and the -destkeypass value is ignored.

Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -destkeypass value.

The final result of this step would be an identity.p12 file.

2. Exporting the private key from the PKCS12 format keystore:

openssl pkcs12 -in identity.p12 -nodes -nocerts -out private_key.pem

Once you enter this command, you will be prompted for the password, and once the password (in this case 'password') is given, the private key will be saved unencrypted to a file named private_key.pem. Treat that file accordingly: it is the plaintext key.

Note that in this command, nodes means ‘don’t encrypt private keys’ and nocerts means ‘don’t output certificates,’ which are the public keys.

Use the following help commands to get more details on them.

keytool -importkeystore -help
openssl pkcs12 -help

Exporting the Public Key:

openssl pkcs12 -in identity.p12 -nokeys -out cert.pem
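The extraction path of this article and of the «Export private key» section of the first one, as a script added here (not the code of either author): keytool -importkeystore converts the JKS to PKCS#12, openssl pkcs12 writes key, leaf certificate and CA chain to separate files, a combined PEM can be split without an editor, and the check a practitioner wants afterwards confirms that the exported key really belongs to the certificate. Keystore names, alias and passwords are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): JKS -> PKCS#12 -> PEM, with a key/cert
# match check. Keystore names, alias and passwords are assumptions.
set -eu

# JKS -> PKCS#12 with keytool. Store and key password of the PKCS#12 must be equal.
jks_to_p12() {  # identity.jks storepass keypass alias out.p12 p12pass
    keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" -srckeypass "$3" \
        -srcalias "$4" -destkeystore "$5" -deststoretype PKCS12 \
        -deststorepass "$6" -destkeypass "$6" -destalias "$4" -noprompt
}

# PKCS#12 -> key.pem (unencrypted PKCS#8), cert.pem (leaf only), chain.pem (CA certs).
# OpenSSL 3 refuses the RC2/3DES-protected PKCS#12 files that older keytool versions
# write unless the legacy provider is loaded, so a second attempt adds -legacy.
p12_extract() {  # in.p12 password outdir
    p12=$1 pass=$2 dir=$3
    mkdir -p "$dir"
    for legacy in "" "-legacy"; do
        if openssl pkcs12 $legacy -in "$p12" -passin "pass:$pass" -nodes -nocerts \
                -out "$dir/key.pem" 2>/dev/null; then
            openssl pkcs12 $legacy -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
                -out "$dir/cert.pem" 2>/dev/null
            openssl pkcs12 $legacy -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
                -out "$dir/chain.pem" 2>/dev/null
            return 0
        fi
    done
    return 1
}

# Does the private key in $1 belong to the certificate in $2? Both public keys are
# printed as SubjectPublicKeyInfo PEM and compared; works for PKCS#8 and PKCS#1 keys.
key_matches_cert() {  # key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Split a combined PEM file (as written by `openssl pkcs12 -nodes`) into one file per
# block in $2, named <n>-<TYPE>.pem, e.g. 1-CERTIFICATE.pem, 2-PRIVATE_KEY.pem.
# Bag Attributes and other text outside BEGIN/END pairs are dropped.
split_pem() {  # combined.pem outdir
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN / { n++; t=$0; sub(/^-----BEGIN /, "", t); sub(/-----$/, "", t)
                         gsub(/ /, "_", t); f=dir "/" n "-" t ".pem" }
        f             { print > f }
        /^-----END /  { close(f); f="" }
    ' "$1"
}

# Usage (keytool needed for the first step only):
#   jks_to_p12 identity.jks storepassword keypassword notebook identity.p12 password
#   p12_extract identity.p12 password out && key_matches_cert out/key.pem out/cert.pem
```

If key_matches_cert fails after an export, the usual cause is a wrong -srcalias (a second entry was converted) or a certificate that was re-issued for a new key while the old one stayed in the store.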


Originally published at notebookbft.wordpress.com on January 1, 2019.

Published at DZone with permission of Rajind Ruparathna , DZone MVB . See the original article here.
