Wednesday, June 16, 2010

How to import a PEM certificate and key into a Java key store

We tried lots of ways to do the above, but only the following worked for me.

PEM is the default format for OpenSSL. First convert the PEM format key and certificate into DER format as follows:




openssl rsa -in input.key -inform PEM -out output.key -outform DER
openssl x509 -in input.crt -inform PEM -out output.crt -outform DER



Download the KeyTool IUI tool. It lets you easily import the key and certificate into the key store:
http://www.softpedia.com/get/Security/Security-Related/KeyTool-IUI.shtml

Start KeyTool IUI as described in its readme file.


Import the DER key and certificate into the key store as in the following image. I used cacerts ("/etc/java-6-sun/security/cacerts") as the key store. The default password is "changeit".
The private key extension should be .der, the certificate extension should be .cer or .crt, and the key store extension should be .jks. If your files do not have these extensions, you have to rename them.
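Before the import step, it is worth confirming that the DER key and the DER certificate actually belong together, since a mismatched pair only shows up later as a failing TLS connector. The script below is an added example, not part of the original post; it assumes an RSA key and `openssl` on the PATH, and the function names, file names and throwaway self-signed pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a DER key and DER certificate belong together
# before importing them. Function and file names are hypothetical.

# Public key derived from a DER-encoded RSA private key.
pubkey_of_key() {
    openssl rsa -in "$1" -inform DER -pubout 2>/dev/null
}

# Public key embedded in a DER-encoded X.509 certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# key_matches_cert KEY CERT: 0 if same public key, 1 if different,
# 2 if either file cannot be parsed.
key_matches_cert() {
    k=$(pubkey_of_key "$1") || return 2
    c=$(pubkey_of_cert "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_pair DIR NAME: constructed sample data. Creates a throwaway
# self-signed pair and converts it to DER with the post's two commands.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.test" \
        -keyout "$1/$2.key.pem" -out "$1/$2.crt.pem" 2>/dev/null &&
    openssl rsa -in "$1/$2.key.pem" -inform PEM -out "$1/$2.der" -outform DER 2>/dev/null &&
    openssl x509 -in "$1/$2.crt.pem" -inform PEM -out "$1/$2.crt" -outform DER
}

# Runs the check on a matching and a deliberately mismatched pair.
demo() {
    tmp=$(mktemp -d) || return 1
    make_pair "$tmp" a && make_pair "$tmp" b || { rm -rf "$tmp"; return 1; }
    key_matches_cert "$tmp/a.der" "$tmp/a.crt" && echo "a.der + a.crt: match"
    key_matches_cert "$tmp/a.der" "$tmp/b.crt" || echo "a.der + b.crt: MISMATCH, do not import"
    rm -rf "$tmp"
}

demo
```

For real files, call `key_matches_cert` with the renamed .der key and the .crt certificate and import only if it returns 0.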




How to enable SSL on Tomcat or JIRA



Since you have already imported the key and certificate into the key store, make the following changes in ${tomcat/jira_home}/conf/server.xml:




<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" keyAlias="tomcat.exampl.com"
           keystoreFile="/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts" />



Note: make sure to set the keystoreFile parameter. The default keystoreFile file is ~homefolder/.keystoreFile. If you change the keystore password, set the keystorePass directive as well. The path /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts is a symlink to the /etc/java-6-sun/security/cacerts file.

3 comments:

  1. Thanks Yasith for this nice article.
    KeyTool IUI is now open-source and hosted by Google Code Projects
    http://code.google.com/p/keytool-iui/
    Cheers.
    Bantchao

  2. If you want to replace keytool and openssl with a GUI tool then you can also use CERTivity.
    http://www.edulib.com/products/keystores-manager/

    It can handle different types of keystores (JKS, JCEKS, PKCS12, BKS, UBER, Windows) and digital signatures.

  3. A delightful perusing for any individual who cherishes perusing online journals.
    how to import products