0

I have been given a pem file which has two certificates in it.

The first is the certificate is specific to my company (i.e. the subject is specific to my company).

The second certificate is the certificate for the issuer.

It looks something like this...

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: CCAPI Client Certificate
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
<<contents>>
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: CCAPI Client Certificate
    subject=MyCompany CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 02 00 00 00
    subject=Issuer CN/OU/O/L/ST/C
    issuer=Issuer CN/OU/O/L/ST/C
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----

Firstly I'd like to confirm a couple of things.

Terminology wise is it correct to say I have a pem file with two certificates? How do I describe the PRIVATE KEY part? Is that the public key of the server I am trying to connect to?

And secondly I need to use the keytool command to create a java keystore file (jks) with both certificate and the issue certificate in it.

Can someone help me with the commands to do that. I'm spent a lot of time googling but there seems to be a lot of varying use cases out there which is confusing me.

thanks in advance

Richie
  • 4,989
  • 24
  • 90
  • 177
  • The private key part is the, err, *private* key of *your* certificate. – user207421 Dec 12 '17 at 20:15
  • @EJP, generally speaking, no. It is just a private key. It is the private key for a certificate if and only if the corresponding public key is the same as the public key in the certificate. – Pak Uula Dec 12 '17 at 20:35

2 Answers2

1

You haven't mentioned why you were given this file, but judging from the content I assume it's for accessing a web site/service via HTTPS client authentication. The private key (and certificate) is for authenticating against the server. The issuer certificate might be needed for completing a chain to a trusted root certificate on the server (or it might not be needed at all).

This file is not encoded in a very common format, it's basically what happens when OpenSSL writes a PKCS#12 file as PEM. The following OpenSSL command would produce a file like this:

openssl pkcs12 -in keyStore.p12 -out keyStore.pem -nodes

This preserves the metadata from the PKCS#12 format like the IDs and friendlyNames, so you can see that the private key and first certificate belong together. But it's a bit strange, because...

  1. The private key is not encrypted (anymore).
  2. This format is only useful for further processing in software that uses the OpenSSL library, but not in the Java or Microsoft (IIS, .NET) world. A binary PKCS#12 file would have been usable in all environments.

You can convert it back to binary PKCS#12 with the following OpenSSL command:

openssl pkcs12 -export -in keyStore.pem -out keyStore.p12

From this point on you have a standard PKCS#12 file that you can use directly in Java software or that you can convert with keytool to JKS/JCEKS.

Omikron
  • 4,072
  • 1
  • 27
  • 28
  • That format is useful for some programs that use OpenSSL libraries like Apache httpd and nginx because `SSL_[CTX_]use*File` can read them in one step (while P12 requires multiple steps to unpack) especially if the server must boot or reboot without a person present to enter the password. But _for Java_ I concur completely. – dave_thompson_085 Dec 13 '17 at 22:04
  • @dave_thompson_085 Thanks for pointing that out, I have edited the answer. – Omikron Dec 15 '17 at 11:25
0

Strictly speaking, PEM is a container that can keep various types of text-encoded PKI data as well as information text.

Quote from specification:

Textual encoding begins with a line comprising "-----BEGIN ", a label, and "-----", and ends with a line comprising "-----END ", a label, and "-----". Between these lines, or "encapsulation boundaries", are base64-encoded data according to Section 4 of [RFC4648]. (PEM [RFC1421] referred to this data as the "encapsulated text portion".) Data before the encapsulation boundaries are permitted, and parsers MUST NOT malfunction when processing such data. Furthermore, parsers SHOULD ignore whitespace and other non- base64 characters and MUST handle different newline conventions.

The private key in your PEM file is just a private key. There is no need for that key to be in any relation with any of the certificates in the file.

The only way to see whether it is the private key for the public key of a certificate is to compare the corresponding public keys. Generate a public key from the private key and compare with the public key from the certificate.

  1. Get public key from private key

Extract the private key to a separate file (put the lines

-----BEGIN RSA PRIVATE KEY-----
<<contents>>
-----END RSA PRIVATE KEY-----

into a separate privkey.pem file)

In the command line:

openssl rsa -in privkey.pem -pubout > pubkey.pub
  1. Get public key from certificate

Put the certificate into a separate file certfile.pem (the lines

-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----

)

Invoke openssl again:

openssl x509 -pubkey -noout -in certfile.pem > pubkey2.pem

-noout suppresses printing the certificate

Then check pubkey.pem and pubkey2.pem.

Java key store

There is an article on Oracle site on how to import PEM certificates to JKS. Did you try it?

Community
  • 1
  • 1
Pak Uula
  • 2,750
  • 1
  • 8
  • 13