Solved

JKS vs PKCS

Posted on 2011-03-12
Last Modified: 2012-05-11
Hi, I read that the keytool -genkey command creates both the private key and a public key (wrapped in a certificate chain). I can see the pub key cert chain but not the private key. On further reading, I found that to store a private key I need to use a PKCS (openssl) keystore.

I need to know whether I have to use PKCS if I want to store a private key. Any help on this please. Also, any link/document detailing the differences between the two will be helpful.

Thanks

Leo
Question by:LeoKris
14 Comments

Expert Comment

by:rodness
ID: 35117879
I believe you do need to use PKCS to store private keys, yes.  JDK is just for storing certificates.

PKCS (Public Key Cryptography Standards) are a language- and implementation-independent format for managing crypto material.  It's well supported by just about every existing application that needs to use pubkey encryption.  (Note, PKCS8 for private keys, PKCS12 for public keys/certificates.)

JDK is specific to Java.  It's not as flexible as PKCS, nor as universal.

The general rule of thumb:  Use PKCS if you can, use JDK if you have to.


Here's a link to some IBM Tivoli documentation.  If you ignore the parts specific to their products, it's not a bad comparison of the JDK/PKCS structures:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.IBMDI.doc_7.1/adminguide36.htm

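The comment above names PKCS8 as the private-key format. As an added example, not code from the thread, the Java program below shows which encoding the JDK itself reports for each half of an RSA key pair: PrivateKey.getEncoded() returns PKCS#8 bytes and PublicKey.getEncoded() returns X.509 SubjectPublicKeyInfo bytes. Each is parsed back through KeyFactory, a sign/verify round trip proves the reloaded halves still belong together, and the PKCS#8 bytes are then deliberately fed to the X.509 parser to show the mismatch that a "not in X.509 format" error describes. The class name and the sample message are assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;

// Added example, not code from the thread: which encoding Java gives each half of a key pair.
public class KeyEncodingDemo {

    // Rebuild a private key from its PKCS#8 DER bytes (what PrivateKey.getEncoded() returns).
    static PrivateKey privateFromPkcs8(byte[] der) throws GeneralSecurityException {
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Rebuild a public key from its X.509 SubjectPublicKeyInfo DER bytes (PublicKey.getEncoded()).
    static PublicKey publicFromX509(byte[] der) throws GeneralSecurityException {
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // Round trip both halves through their encodings, then sign with one and verify with the other.
    static boolean roundTrip(KeyPair pair) throws Exception {
        PrivateKey priv = privateFromPkcs8(pair.getPrivate().getEncoded());
        PublicKey pub = publicFromX509(pair.getPublic().getEncoded());
        byte[] msg = "constructed sample message".getBytes("UTF-8"); // constructed input
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(priv);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        System.out.println("private key encoding: " + pair.getPrivate().getFormat()); // PKCS#8
        System.out.println("public key encoding:  " + pair.getPublic().getFormat());  // X.509
        System.out.println("round trip verified:  " + roundTrip(pair));
        // Handing the PKCS#8 bytes to the X.509 parser fails: the two ASN.1 structures differ.
        try {
            publicFromX509(pair.getPrivate().getEncoded());
            System.out.println("unexpected: PKCS#8 bytes parsed as X.509");
        } catch (GeneralSecurityException e) {
            System.out.println("PKCS#8 bytes rejected as X.509 public key: " + e.getMessage());
        }
    }
}
```

The practical point: a file holding PKCS#8 bytes is a private key and must be handled (and protected) as one, whatever tool produced it; a tool that expects an X.509 structure will reject it rather than quietly read it.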

Expert Comment

by:rodness
ID: 35117884
Sorry, JKS everywhere instead of JDK.  I'm mixing up my abbreviations today.

Expert Comment

by:objects
ID: 35118486
JKS can store private keys

>  I can see the pub key cert chain but not the private key.

you sure that's not the private key you are looking at?

Expert Comment

by:rodness
ID: 35118776
In general, storing the private key in the same file as the certificate chain (even if supported) is a bad idea.  You will use them for completely different purposes, and one is private and needs to be secure (whereas the other doesn't matter).

Also, if you ever want to use them in another application, JKS key stores are not as portable.

PKCS is, in general, a better choice.  And other than the parameter to KeyStore.getInstance(), this won't matter one bit to the rest of your software.

Author Comment

by:LeoKris
ID: 35127379
Hi rodness, thanks for your help. The article was useful in comparing the two keystores. I wanted to use JKS for some project specific reason, but if I can't make it work, then PKCS is the way to go.

Hi object, this is the command I used to create a keystore:
keytool -genkey -alias business -keypass kpi135 -keystore /apps/asap/asapd018/KrisDir/mystore -storepass ab987c -validity 180

When I ran "keytool -v -list -keystore mystore", i got this output:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: business
Creation date: 14/03/2011
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Test, OU=Test, O=Test, L=Test, ST=Test, C=IN
Issuer: CN=Test, OU=Test, O=Test, L=Test, ST=Test, C=IN
Serial number: 4d7dfacd
Valid from: Mon Mar 14 22:23:57 EST 2011 until: Sat Sep 10 21:23:57 EST 2011
Certificate fingerprints:
         MD5:  BA:16:3D:EF:06:9E:42:96:0B:62:A7:85:25:F0:77:08
         SHA1: 0E:6A:7B:D1:18:0F:18:DA:29:EF:85:3E:E5:85:D1:52:61:C5:52:95

am I correct in saying that this is the public key? If yes, then where is the private key?

Thanks

Leo

Expert Comment

by:rodness
ID: 35128182
That is definitely a certificate (public key).  I think the problem is you didn't generate a key pair.

Try this:

keytool -genkeypair -keyalg RSA -keysize 1024 -alias business -keypass kpi135 -keystore /apps/asap/asapd018/KrisDir/mystore -storepass ab987c -validity 180 -dname cn=myserver.mydomain.com


Note:  The distinguished name (dname) of the owner of the certificate is "cn=myserver.mydomain.com", which should be the same as the DNS name of the server that will use the self-signed certificate for SSL.  Or if it is for email, "cn=user@domain.com".  This depends on the intended use of the certificate.

Accepted Solution

by:
gordon_vt02 earned 334 total points
ID: 35129305
Keytool does generate both public and private keys but the private keys are not easily exportable.  The JKS keystore can be useful for holding certificates for a J2EE server such as Tomcat or WebLogic, but moving them to another application/usage (such as SSL connection to a Database or for use in Apache) is a pain and requires a custom application to read and export the private key in PKCS format.

As said above, if you can use PKCS from the start, it will be more portable but if you are only using the cert for an application that can read JKS, it might be simpler to use keytool.

This page has info and a utility for converting JKS to PKCS.
http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips

Author Comment

by:LeoKris
ID: 35136272
Hi Rodness,
genkeypair is not available in java 1.5 (supported in 1.6). I have to live with 1.5.

I also exported the private key from the JKS keystore using the ExportPriv.java code which is available at the http://www.source-code.biz/base64coder/java/ link. But, when I try importing it back into a PKCS12 keystore, it throws an error, saying that it is not in X.509 format. So, I tried converting it to RSA format, but it throws an error: "unable to decrypt the private key".

Finally, I tried to convert my JKS to PKCS12, but it seems that there is no way to do that. Would you know?

If there is no way out, I think I will start from scratch with PKCS12!

Thanks

Leo
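The accepted answer says that moving a private key out of a JKS into PKCS format takes a custom application, and the comment above asks whether a JKS can be converted to PKCS12 at all. As an added example, not code from the thread and not the ExportPriv.java program mentioned above, the Java program below does that conversion with the standard KeyStore API: it opens a JKS file, reports for every alias whether it is a keyEntry (private key plus certificate chain) or a trusted-certificate entry, checks that the private key under the chosen alias really belongs to the certificate (same RSA modulus), writes key and chain into a PKCS12 keystore, and reloads that file to confirm the private key travelled with it. File paths, the alias and the passwords are placeholders read from the command line; no Java 6 language features are used, so it also compiles on Java 1.5.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

// Added example, not from the thread: copy one JKS key entry into a PKCS12 file.
public class JksToPkcs12 {

    // Load a keystore of the given type ("JKS" or "PKCS12") from disk.
    static KeyStore load(String type, String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        return ks;
    }

    // True when the RSA private key and the certificate share a modulus, i.e. they are one pair.
    static boolean keyMatchesCert(PrivateKey key, Certificate cert) {
        if (key instanceof RSAPrivateKey && cert.getPublicKey() instanceof RSAPublicKey) {
            return ((RSAPrivateKey) key).getModulus()
                    .equals(((RSAPublicKey) cert.getPublicKey()).getModulus());
        }
        return false;
    }

    // Write the private key and chain stored under 'alias' into a new PKCS12 file.
    // Returns the number of entries in the new store (1 on success).
    static int export(KeyStore jks, String alias, char[] keyPass, String outPath, char[] outPass)
            throws Exception {
        if (!jks.isKeyEntry(alias)) {
            throw new IllegalArgumentException(alias + " is not a key entry; nothing to export");
        }
        Key key = jks.getKey(alias, keyPass);
        Certificate[] chain = jks.getCertificateChain(alias);
        if (!(key instanceof PrivateKey) || !keyMatchesCert((PrivateKey) key, chain[0])) {
            throw new IllegalStateException("private key under " + alias + " does not match its certificate");
        }
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start from an empty store
        // keytool's PKCS12 handling expects key and store passwords to match, so one password is used for both.
        p12.setKeyEntry(alias, key, outPass, chain);
        FileOutputStream out = new FileOutputStream(outPath);
        try {
            p12.store(out, outPass);
        } finally {
            out.close();
        }
        return p12.size();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder defaults; real values come from the command line:
        //   java JksToPkcs12 <jks path> <alias> <store password> <key password> <output .p12>
        String jksPath = args.length > 0 ? args[0] : "mystore";
        String alias = args.length > 1 ? args[1] : "business";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        char[] keyPass = (args.length > 3 ? args[3] : "changeit").toCharArray();
        String outPath = args.length > 4 ? args[4] : "mystore.p12";

        KeyStore jks = load("JKS", jksPath, storePass);
        for (Enumeration<String> e = jks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.println(a + ": " + (jks.isKeyEntry(a)
                    ? "keyEntry (private key + certificate chain)"
                    : "trustedCertEntry (certificate only)"));
        }
        int written = export(jks, alias, keyPass, outPath, storePass);

        // Reload the PKCS12 file and prove the private key is inside it.
        KeyStore p12 = load("PKCS12", outPath, storePass);
        Key reloaded = p12.getKey(alias, storePass);
        System.out.println("wrote " + written + " entry to " + outPath
                + "; private key encoding in PKCS12: " + reloaded.getFormat()); // PKCS#8
    }
}
```

The entry-type listing is the quick answer to "where is the private key": an alias reported as keyEntry holds the private key next to its chain, and getKey() with the key password returns it. The output file contains that private key, so it deserves the same file permissions and handling as the original JKS.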

Assisted Solution

by:rodness
rodness earned 166 total points
ID: 35137734
You can't store a private key in a PKCS12 container.  Those are for certificates only.

Private keys use PKCS8 for storage.

(PKCS was designed as a crypto standard.  They won't let you do things which are dangerous, such as keeping private and public keys in the same files.)


In java 1.5, you will probably need both keytool and OpenSSL to convert to PKCS12.  Good examples here:

http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format

Assisted Solution

by:gordon_vt02
gordon_vt02 earned 334 total points
ID: 35138189
If the keys in the JKS aren't in production use, your easiest path may be to start over with OpenSSL.  If you've already gotten them signed by a CA and re-imported them to the JKS, it might be less hassle to try to get the conversion working.

Author Comment

by:LeoKris
ID: 35138235
Thanks rodness and gordon for your help. One last query I had.

Since I could export the private key from the keystore (using the java program), it means the information is there. Now, one of my requirements is to tell the Axis handler to refer to this private key while signing the SOAP XML request.

How can I achieve it? If I give the alias name as "business" (please see the certificate above) in the WSDD file, will the handler pick the private key to sign the XML? Since this alias refers to the public/private pair, handler should be intelligent enough to pick the private key.

Any thoughts?

Thanks a lot.

Leo

Expert Comment

by:rodness
ID: 35138264
You should post that as a separate question... It's unrelated to the discussion so far.... (and I have no idea, sorry.)

Expert Comment

by:gordon_vt02
ID: 35139285
Pretty sure that Axis will use the appropriate key, but that should be a separate question if it doesn't work for you.

Author Closing Comment

by:LeoKris
ID: 35143855
Thanks for the help.