3

I have created a Java web service that is going to be communicating with iPads, using Restlet on the server side, that communicates over HTTPS with mutual authentication. I have generated two .jks keystores using this guide:

http://www.herongyang.com/JDK/ssl_client_auth.html

I have implemented a client for testing purposes in Java and everything worked out fine.

I assume that it isn't possible to use the .jks format in iOS, so should I convert the client.jks to a pkcs12 file in order to make it compatible with iOS?

I am having trouble finding information about this.

Thanks!

langen

2 Answers

1

Converting the .jks to pkcs12 sounds like a good bet. The certificates generated by the iOS provisioning portal can be exported (by Keychain Access) to pkcs12 format, so it's safe to assume this format is compatible with iOS.

You can use keytool to convert your jks to pkcs12. I used it in the opposite direction (converted a pkcs12 file obtained from Apple to jks), and it should work with no problems in your case too.

This command should do the trick:

```
keytool -importkeystore -srckeystore input.jks -destkeystore output.p12 -srcstoretype JKS -storetype PKCS12
```

Eran
  • I tried converting it and it didn't work 100%. `Problem importing entry for alias cerver_pub: java.security.KeyStoreException: TrustedCertEntry not supported. Entry for alias cerver_pub not imported. Do you want to quit the import process? [no]: yes Import command completed: 1 entries successfully imported, 1 entries failed or cancelled` Seems like it couldn't convert the certificate cerver_pub in the client.jks. Is this something to worry about? Thank you for the fast response! – langen Apr 19 '13 at 15:12
  • @user2122636 What do you mean by "didn't work 100%"? Did the conversion fail, or did the output file of the conversion not work in iOS? – Eran Apr 19 '13 at 15:14
  • Sorry, I accidentally sent the comment before I was done. Please see the edit. – langen Apr 19 '13 at 15:16
  • @user2122636 I just tried this conversion myself and it worked. Of course, the `jks` I converted to `p12` was originally converted from `p12` to `jks`, so perhaps that's why it had no problem converting it back. – Eran Apr 19 '13 at 15:24
  • @user2122636 I also tried to create the `jks` using the guide in the link you provided, and had no problem converting it to `p12`. Can you show the exact commands you used for creating the `jks` and for converting it to `p12`? – Eran Apr 19 '13 at 15:33
  • I am creating client.jks exactly like these steps: [link](http://www.herongyang.com/JDK/ssl_client_auth_2.html). And for converting I use the command you mentioned: `keytool -importkeystore -srckeystore client.jks -destkeystore output.p12 -srcstoretype JKS -storetype PKCS12`. I think the reason is that keytool does not support storing trusted certs in a pkcs12 keystore (which I think cerver_pub is). – langen Apr 19 '13 at 15:50
  • @user2122636 I see. I only tried the command in the first page of that guide. I didn't realize you were using something else. – Eran Apr 19 '13 at 15:53
  • I think you are correct: `"pkcs12" is another option. This is a cross platform keystore based on the RSA PKCS12 Personal Information Exchange Syntax Standard. This standard is primarily meant for storing or transporting a user's private keys, certificates, and miscellaneous secrets. As of JDK 6, standards for storing Trusted Certificates in "pkcs12" have not been established yet, and thus "jks" or "jceks" should be used for trusted certificates` – Eran Apr 19 '13 at 16:01
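
The `TrustedCertEntry not supported` failure in the comments above comes from importing the whole store, trusted certificate included. One way to split the store instead, as an added example that is not part of the original answers: copy only the private-key entries into the PKCS12 file and export each trusted certificate as a PEM file. The function name `split_jks` and the file names and passwords passed to it are assumptions; it also assumes the key password equals the store password.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the key password
# equals the store password (keytool uses one password for a PKCS12 store).

# split_jks SRC.jks STOREPASS OUT.p12 PEM_DIR
# Copies each PrivateKeyEntry into OUT.p12 and writes each trustedCertEntry
# to PEM_DIR/<alias>.pem. Prints "<key count> <cert count>".
split_jks() {
    src=$1 pass=$2 p12=$3 pemdir=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$pemdir" || return 1
    rm -f "$p12"                 # never append to a stale destination store
    keys=0 certs=0
    # keytool -list prints one "alias, <date>, <EntryType>, " line per entry.
    listing=$(keytool -J-Duser.language=en -list -keystore "$src" \
        -storetype JKS -storepass "$pass" </dev/null) || return 1
    while IFS= read -r line; do
        name=${line%%, *}        # alias = text before the first ", "
        case $line in
        *", PrivateKeyEntry,"*)
            # -srcalias limits the import to this one entry, so trusted
            # certificates never reach the PKCS12 writer.
            keytool -importkeystore -noprompt \
                -srckeystore "$src" -srcstoretype JKS -srcstorepass "$pass" \
                -srcalias "$name" -destkeystore "$p12" \
                -deststoretype PKCS12 -deststorepass "$pass" \
                </dev/null >/dev/null 2>&1 || return 1
            keys=$((keys + 1)) ;;
        *", trustedCertEntry,"*)
            # Public material only: export as PEM (-rfc) for separate install.
            keytool -exportcert -rfc -keystore "$src" -storetype JKS \
                -storepass "$pass" -alias "$name" \
                -file "$pemdir/$name.pem" </dev/null >/dev/null 2>&1 || return 1
            certs=$((certs + 1)) ;;
        esac
    done <<EOF
$listing
EOF
    if [ -f "$p12" ]; then chmod 600 "$p12"; fi   # the .p12 holds the private key
    echo "$keys $certs"
}
```

Passwords given with `-storepass` are visible in the process list while keytool runs; keytool also accepts the `-storepass:env NAME` form, which reads the password from an environment variable.
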
1

If I understand your situation correctly, and I may not, you shouldn't need to change the .jks at all. The KeyStore for your application is just a container of certificates used by your system. To achieve certificate integration on iOS you may have to add the client and CA certs to your local system keychain (check out: iOS: Pre install SSL certificate in keychain - programmatically), but the JKS itself should transfer to the other platform with no modifications required.

Also, here is an example of using a keystore on iOS to do Apple push notifications: iOS Push Notification - JavaPNS - keystore.p12 file security. If you want to do it exactly the same way that this person did (using a local p12 rather than a loaded store), just follow the instructions over here: Converting .jks to p12

For more information about the differences between these files check out: Difference between .keystore file and .jks file

Best of luck with your project.

grauwulf