
I know that the Java keystore stores DER-encoded certificates and that SSL communication works perfectly fine with them. I wanted to check what happens with a PEM-encoded certificate, so I converted my DER-encoded certificate to PEM using the openssl utility and then imported that PEM-encoded SSL certificate into my keystore using the keytool utility. Below are the outcomes:

  • The PEM-encoded certificate was successfully imported into my keystore, and there was no exception.
  • Then I tried SSL communication using java.net.HttpURLConnection, and it was also successful, with no exceptions.

So this basically suggests to me that it works, but I am not sure what the implications are and whether it is recommended to use PEM-encoded certificates in a Java keystore. I am looking for answers that throw light on the implications, pros and cons of using PEM-encoded certificates in a Java keystore.

P.S.: If someone is looking for the openssl and keytool commands I used, please let me know and I can provide them.


Please note that I have already read this and this, and they don't answer my questions.
  • PEM = header + base64(DER) + footer. When the certificate is imported into a keystore, probably all certificates are converted to the format required by the keystore (JKS, PKCS12). So I believe there are no implications from the source format – pedrofb Feb 13 '17 at 13:21
  • @pedrofb Thank you for your inputs. Could you please provide me with references where I can read about "*format required by the keystore (JKS, PKCS12)*"? I couldn't find any online reference that specifies in which format the Java keystore (JKS) stores the digital certificates. – hagrawal7777 Feb 13 '17 at 13:52
  • Take a look here: http://stackoverflow.com/questions/10839303/specification-of-jks-key-store-format. It points to the sources http://grepcode.com/file_/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/provider/JavaKeyStore.java/?v=source. I can see that the certificates are stored in DER format: `encoded = ((TrustedCertEntry)entry).cert.getEncoded();dos.write(encoded);` – pedrofb Feb 13 '17 at 14:09
  • @pedrofb Thanks for the useful information. From the following line, "*Returns the encoded form of this certificate. It is assumed that each certificate type would have only a single form of encoding; for example, X.509 certificates would be encoded as ASN.1 DER*", of `java.security.cert.Certificate#getEncoded`, I can fairly assume that the "default" encoding would be DER, but it is still not entirely clear to me whether, if I import a PEM-encoded certificate, it would be internally converted to DER, or how this will work. – hagrawal7777 Feb 13 '17 at 14:49
  • Deducing from the code (because there is no specification): certificates are loaded using an "X.509" CertificateFactory with `cf.generateCertificate(inputStream)`. This method accepts only PEM- and DER-encoded certificates (see https://docs.oracle.com/javase/8/docs/api/java/security/cert/CertificateFactory.html#generateCertificate-java.io.InputStream-). Since the store method of the keystore does not convert to PEM, **it is assumed that the DER format is always used** (and storing plain text in a binary file is a bad idea). Any import tool should be compatible with the JKS proprietary format and provide DER – pedrofb Feb 13 '17 at 15:24

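The following is an added Java example, not code from the question or the comments, that checks the claims made in the comment thread on a real certificate: `CertificateFactory` accepts PEM and DER input, `getEncoded()` always returns DER, and what a JKS keystore stores and hands back is that DER regardless of the input encoding. It assumes the path of one X.509 certificate file (PEM or DER) is passed as the first argument; the alias names and the keystore password are constructed values for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Base64;

public class PemDerKeyStoreCheck {
    // PEM = header + base64(DER) wrapped at 64 columns + footer; nothing else is added.
    static String derToPem(byte[] der) {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is a path to one X.509 certificate, in either PEM or DER encoding.
        byte[] fileBytes = Files.readAllBytes(Paths.get(args[0]));

        // CertificateFactory accepts both encodings; getEncoded() always yields DER.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate fromFile = cf.generateCertificate(new ByteArrayInputStream(fileBytes));
        byte[] der = fromFile.getEncoded();
        System.out.println("getEncoded() starts with 0x30 (ASN.1 SEQUENCE): " + ((der[0] & 0xff) == 0x30));

        // Parse the same certificate once from PEM text and once from raw DER.
        Certificate fromPem = cf.generateCertificate(new ByteArrayInputStream(derToPem(der).getBytes(StandardCharsets.US_ASCII)));
        Certificate fromDer = cf.generateCertificate(new ByteArrayInputStream(der));
        System.out.println("PEM and DER inputs give identical encodings: " + Arrays.equals(fromPem.getEncoded(), fromDer.getEncoded()));

        // Import both as trusted-certificate entries and serialize the keystore, as keytool -importcert does.
        char[] password = "changeit".toCharArray(); // constructed value for this demo
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setCertificateEntry("from-pem", fromPem);
        ks.setCertificateEntry("from-der", fromDer);
        ByteArrayOutputStream serialized = new ByteArrayOutputStream();
        ks.store(serialized, password);

        // Reload and compare: what comes back is the DER bytes, whatever the original file encoding was.
        KeyStore reloaded = KeyStore.getInstance("JKS");
        reloaded.load(new ByteArrayInputStream(serialized.toByteArray()), password);
        byte[] storedPem = reloaded.getCertificate("from-pem").getEncoded();
        byte[] storedDer = reloaded.getCertificate("from-der").getEncoded();
        System.out.println("stored entries identical and equal to the original DER: " + (Arrays.equals(storedPem, storedDer) && Arrays.equals(storedPem, der)));
    }
}
```

Run it with `java PemDerKeyStoreCheck cert.pem` and again with the DER form of the same certificate; all three lines print `true` in both cases, which is why the source encoding has no effect on the keystore contents.
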
0 Answers