JKS vs PKCS

Hi, I read that the keytool -genkey command creates both the private key and a public key (wrapped in a certificate chain). I can see the public key cert chain but not the private key. On further reading, I found that to store a private key I need to use a PKCS (openssl) keystore.

I need to know whether I have to use PKCS if I want to store a private key. Any help on this please. Also, any link/document detailing the differences between the two will be helpful.

Thanks

Leo
LeoKris
Asked:
LeoKris
rodnessCommented:
I believe you do need to use PKCS to store private keys, yes.  JDK is just for storing certificates.

PKCS (Public Key Cryptography Standards) are a language- and implementation-independent format for managing crypto material.  It's well supported by just about every existing application that needs to use pubkey encryption.  (Note, PKCS8 for private keys, PKCS12 for public keys/certificates.)

JDK is specific to Java.  It's not as flexible as PKCS, nor as universal.

The general rule of thumb:  Use PKCS if you can, use JDK if you have to.


Here's a link to some IBM Tivoli documentation.  If you ignore the parts specific to their products, it's not a bad comparison of the JDK/PKCS structures:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.IBMDI.doc_7.1/adminguide36.htm

0
 
rodnessCommented:
Sorry, JKS everywhere instead of JDK.  I'm mixing up my abbreviations today.
0
 
objectsCommented:
JKS can store private keys

>  I can see the pub key cert chain but not the private key.

You sure that's not the private key you are looking at?
0
 
rodnessCommented:
In general, storing the private key in the same file as the certificate chain (even if supported) is a bad idea.  You will use them for completely different purposes, and one is private and needs to be secure (whereas the other doesn't matter).

Also, if you ever want to use them in another application, JKS key stores are not as portable.

PKCS is, in general, a better choice.  And other than the parameter to KeyStore.getInstance(), this won't matter one bit to the rest of your software.
0
 
LeoKrisAuthor Commented:
Hi rodness, thanks for your help. The article was useful in comparing the two keystores. I wanted to use JKS for some project specific reason, but if I can't make it work, then PKCS is the way to go.

Hi object, this is the command I used to create a keystore:
 keytool -genkey  -alias business -keypass kpi135 -keystore /apps/asap/asapd018/KrisDir/mystore -storepass ab987c -validity 180

When I ran "keytool -v -list -keystore mystore", I got this output:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: business
Creation date: 14/03/2011
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Test, OU=Test, O=Test, L=Test, ST=Test, C=IN
Issuer: CN=Test, OU=Test, O=Test, L=Test, ST=Test, C=IN
Serial number: 4d7dfacd
Valid from: Mon Mar 14 22:23:57 EST 2011 until: Sat Sep 10 21:23:57 EST 2011
Certificate fingerprints:
         MD5:  BA:16:3D:EF:06:9E:42:96:0B:62:A7:85:25:F0:77:08
         SHA1: 0E:6A:7B:D1:18:0F:18:DA:29:EF:85:3E:E5:85:D1:52:61:C5:52:95

am I correct in saying that this is the public key? If yes, then where is the private key?

Thanks

Leo
0
 
rodnessCommented:
That is definitely a certificate (public key).  I think the problem is you didn't generate a key pair.

Try this:

keytool -genkeypair -keyalg RSA -keysize 1024 -alias business -keypass kpi135 -keystore /apps/asap/asapd018/KrisDir/mystore -storepass ab987c -validity 180 -dname cn=myserver.mydomain.com


Note:  The distinguished name (dname) of the owner of the certificate is "cn=myserver.mydomain.com", which should be the same as the DNS name of the server that will use the self-signed certificate for SSL.  Or if it is for email, "cn=user@domain.com".  This depends on the intended use of the certificate.
0
 
gordon_vt02Commented:
Keytool does generate both public and private keys but the private keys are not easily exportable.  The JKS keystore can be useful for holding certificates for a J2EE server such as Tomcat or WebLogic, but moving them to another application/usage (such as SSL connection to a Database or for use in Apache) is a pain and requires a custom application to read and export the private key in PKCS format.

As said above, if you can use PKCS from the start, it will be more portable but if you are only using the cert for an application that can read JKS, it might be simpler to use keytool.

This page has info and a utility for converting JKS to PKCS.
http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips
0
 
LeoKrisAuthor Commented:
Hi Rodness,
-genkeypair is not available in Java 1.5 (it is supported in 1.6). I have to live with 1.5.

I also exported the private key from the JKS keystore using the ExportPriv.java code which is available at http://www.source-code.biz/base64coder/java/. But when I try importing it back into a PKCS12 keystore, it throws an error saying that it is not in X.509 format. So I tried converting it to RSA format, but it throws an error: "unable to decrypt the private key".

Finally, I tried to convert my JKS to PKCS12, but it seems that there is no way to do that. Would you know?

If there is no way out, I think I will start from scratch with PKCS12!

Thanks

Leo
0
 
rodnessCommented:
You can't store a private key in a PKCS12 container.  Those are for certificates only.

Private keys use PKCS8 for storage.

(PKCS was designed as a crypto standard.  They won't let you do things which are dangerous, such as keeping private and public keys in the same files.)


In Java 1.5, you will probably need both keytool and OpenSSL to convert to PKCS12. Good examples here:

http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format
0
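The JKS-to-PKCS12 conversion asked about above, as an added example that is not code from any of the posts: it opens the JKS with the java.security.KeyStore API, checks that the alias really is a key entry carrying a private key (the "Entry type: keyEntry" shown in the keytool listing), and writes the key with its certificate chain into a PKCS12 file. The file paths, alias and passwords are placeholders passed on the command line; only Java 1.5 syntax and the standard JDK providers are used.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;

/**
 * Copies one key entry (private key + certificate chain) from a JKS
 * keystore into a new PKCS12 keystore using only the java.security API.
 * Java 1.5 syntax (no try-with-resources). All arguments are placeholders.
 */
public class JksToPkcs12 {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: JksToPkcs12 <in.jks> <storepass> <alias> <keypass> <out.p12>");
            System.exit(1);
        }
        String jksPath = args[0], alias = args[2], outPath = args[4];
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args[3].toCharArray();

        // Load the JKS keystore (what keytool -genkey wrote).
        KeyStore jks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(jksPath);
        try { jks.load(in, storePass); } finally { in.close(); }

        // keytool's "Entry type: keyEntry" is a key entry: the private key is
        // stored in the JKS alongside the certificate chain, under keypass.
        if (!jks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry (no private key)");
        }
        Key key = jks.getKey(alias, keyPass);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException(alias + " holds a secret key, not a private key");
        }
        Certificate[] chain = jks.getCertificateChain(alias);

        // Same API, different type parameter: a PKCS12 keystore holds the
        // private key and its chain too. Key and store password are kept
        // identical here because older JDK PKCS12 stores use one password.
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        p12.setKeyEntry(alias, key, keyPass, chain);
        FileOutputStream out = new FileOutputStream(outPath);
        try { p12.store(out, keyPass); } finally { out.close(); }
        System.out.println("wrote " + outPath + " with private key entry '" + alias + "'");
    }
}
```

The resulting .p12 can be inspected with "keytool -v -list -storetype pkcs12 -keystore out.p12" or opened by OpenSSL, so the key is no longer tied to a Java-only format.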
 
gordon_vt02Commented:
If the keys in the JKS aren't in production use, your easiest path may be to start over with OpenSSL.  If you've already gotten them signed by a CA and re-imported them to the JKS, it might be less hassle to try to get the conversion working.
0
 
LeoKrisAuthor Commented:
Thanks rodness and gordon for your help. One last query I had.

Since I could export the private key from the keystore (using the Java program), it means the information is there. Now, one of my requirements is to tell the Axis handler to refer to this private key while signing the SOAP XML request.

How can I achieve it? If I give the alias name as "business" (please see the certificate above) in the WSDD file, will the handler pick the private key to sign the XML? Since this alias refers to the public/private pair, the handler should be intelligent enough to pick the private key.

Any thoughts?

Thanks a lot.

Leo
0
 
rodnessCommented:
You should post that as a separate question... It's unrelated to the discussion so far.... (and I have no idea, sorry.)
0
 
gordon_vt02Commented:
Pretty sure that Axis will use the appropriate key, but that should be a separate question if it doesn't work for you.
0
 
LeoKrisAuthor Commented:
Thanks for the help.
0