Digital Certificate Format Conversion

Source: Internet
Author: User
Tags begin rsa private key documentation openssl pkcs12 web services ssl certificate pfx file
Summary

Public-Key Cryptography Standards #12 (PKCS#12) specifies a portable format for storing and transporting a user's or server's private key, public key, and certificates. It is a binary format, and such files are also called PFX files. Developers often need to convert a PFX file into other formats, such as PEM or JKS, so that it can be used by stand-alone Java clients or by WebLogic Server communicating over SSL. This article describes how to export the private key, public key, and certificates from a PFX file and use them to create JKS or PEM files.

Brief Introduction

A PFX file is typically created for one of two purposes.

Client certificate: installed in the user's browser to present the user's identity to the server. During the SSL handshake the browser sends the certificate and its public key to the server, and proves possession of the matching private key; the server uses this to authenticate the client before the session keys that encrypt the rest of the exchange are established.

Server certificate: installed on the server to present the server's identity, certificate, and public key to a client attempting to establish a connection. The client uses the certificate and public key to authenticate the server and to set up the session keys that encrypt further data exchange.

However, PFX is not the only certificate format in use. The Privacy Enhanced Mail (PEM) format is now used mainly as a container for keys and certificates and can hold private keys (RSA and DSA), public keys (RSA and DSA), and X.509 certificates. It stores Base64-encoded DER data wrapped in ASCII header and footer lines, so it survives text-mode transfer between systems. The Distinguished Encoding Rules (DER) format can likewise hold private keys, public keys, and certificates. It is the default format for most browsers and is the raw binary ASN.1 DER encoding. It has no header lines; PEM is simply DER wrapped in text headers.

Apart from the keystore itself, WebLogic Server does not require a specific certificate format. Configuring SSL on WebLogic Server requires the server certificate to be stored in a Java KeyStore (JKS) file. The JKS file holds the server certificate, private key, public key, and identity certificate.

There are two conversions we need to perform from the PFX format:

Import the server certificate (private key, public key, identity certificate, and so on) from the PFX file into a JKS file so that it can serve as the Java KeyStore when configuring WebLogic Server SSL. Sometimes the server certificate is only available in PFX format; to use the same certificate in WebLogic Server we must export it into a JKS keystore.

Invoke a two-way (mutually) SSL-authenticated Web service from a Java client, which requires the client certificate in PEM format. Likewise, a Java client invoking a servlet over two-way SSL needs a PEM-formatted client certificate.

Now let's look at how to perform these conversions.

Requirements

To perform these tasks, the following must be in place:
- WebLogic Server 8.1 or 9.1 with a configured domain
- OpenSSL (www.openssl.org) installed
- The Java keytool utility (included with the JDK)
- The source certificate in PFX format
- A text editor

Import a PFX Private Key and Certificate into JKS

In this section we export the server's private key, public key, identity certificate, and CA certificates from the PFX file and import them into JKS files for configuring SSL in WebLogic Server. WebLogic Server SSL needs two JKS files: one called the trust keystore and the other the identity keystore. Three steps complete the task.

1. Export the certificates from the PFX file to PEM

Run the OpenSSL binary from the <openssl>/bin folder. It starts the OpenSSL command prompt. At that prompt execute the following command (from an ordinary shell, prefix it with openssl):

    pkcs12 -in mycerts.pfx -out mycerts.pem -nodes

This converts the contents of mycerts.pfx to PEM and writes the result to mycerts.pem. The resulting file contains everything in the following order: private key, identity certificate, root certificate, intermediate certificate. OpenSSL also prints subject= and issuer= lines above each certificate; use those to confirm which certificate is which rather than relying on position alone. Because of -nodes, the private key is written to mycerts.pem unencrypted, so keep the file readable only by you and delete the PEM working files once the keystores have been built.

Note that each item (private key, identity certificate, root certificate, and intermediate certificate) is wrapped in BEGIN/END header lines; the headers are part of the PEM encoding and must be copied along with the Base64 body.

2. Create the trust Java KeyStore (trust JKS)

Now extract the root certificate from the resulting PEM file and use it to create the trust JKS. Open mycerts.pem in a text editor and copy the root certificate, headers included, into a new file named My_key_root.pem. The root certificate is easy to find: it is self-signed, so the subject= and issuer= lines printed above it are identical. Then import My_key_root.pem into a JKS file with the Java keytool utility:


keytool -import -file My_key_root.pem -alias My_key_root
    -keystore My_key_trust.jks -storepass <trust keystore password>

The resulting JKS can be used as the trust keystore in WebLogic Server.

3. Create the identity Java KeyStore (identity JKS)

From mycerts.pem, copy the private key into a separate file named My_key_pk.pem. The private key is easy to identify because it is wrapped in the following two headers:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

(Newer OpenSSL versions write the key in PKCS#8 form instead, between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- headers; copy that block in the same way.)
From mycerts.pem, copy the following certificates into a new file named My_key_crt.pem: identity certificate, intermediate certificate, root certificate.

Note that the certificates must be arranged in the order listed above. The identity certificate is easy to find in mycerts.pem because its subject= line shows the identity information, such as the name of the server, person, or organization. The intermediate certificate is the last certificate in mycerts.pem. Now set the WebLogic environment and run the following command:

java utils.ImportPrivateKey -keystore <new JKS file> -storepass <new storepass>
    -storetype jks -keypass <new key pass> -alias <new alias name>
    -certfile My_key_crt.pem -keyfile My_key_pk.pem -keyfilepass <pfx key password>

This creates a JKS file that can be used as the identity keystore in WebLogic Server. Note that utils.ImportPrivateKey can be run repeatedly to import several private keys into the same keystore under different aliases. For more information about utils.ImportPrivateKey, see the Glossary of Terms.

Note that utils.ImportPrivateKey may be reported as not found. There are two main causes:
1. The WebLogic license is wrong; a genuine license is required.
2. The environment script has not been run: bea/weblogic81/server/bin/setWLSEnv.cmd
Convert a PFX to a PEM Client Certificate for Two-Way SSL

Invoking a two-way SSL-authenticated Web service from a Java client requires a PEM-formatted certificate, and that file must also contain the private key of the user on whose behalf the call is made. Below we assume the client certificate is already installed in the user's browser, in which case the user can export it as follows. Export the client certificate from the browser and save it as mycerts.pfx. The steps below apply to Internet Explorer (other browsers have similar steps): go to Internet Explorer -> Tools -> Internet Options -> Content tab.

Press the Certificates button and go to the Personal tab.

Select the certificate you want to export and press the Export button. Click Next, then select the "Yes, export the private key" radio button. Press Next and tick "Include all certificates in the certification path if possible".

The next page asks for a password to protect the private key. After entering it, save the certificate to a file. Now run the following OpenSSL command:

openssl pkcs12 -in mycerts.pfx -out mycerts.pem -nodes

This converts the PFX file to PEM. mycerts.pem will contain everything in the following order: private key, identity certificate, root certificate, intermediate certificate.

From mycerts.pem, create a new file named My_key_crt.pem by copying and pasting the blocks in the reordered sequence below. The order is important; otherwise the host server will not accept the certificate: identity certificate, intermediate certificate, root certificate, private key.
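The copy-and-paste work in steps 2 and 3 above (find the root by its matching subject= and issuer= lines, pull out the private key by its header, write the chain in the required order) and the reordering for the two-way SSL client file just described can be done mechanically. The following Python script is an added example, not code from the original article or from WebLogic. It splits the PEM file that openssl pkcs12 -nodes writes into its blocks, classifies the certificates using only the subject= and issuer= lines OpenSSL prints above each one (no ASN.1 parsing, no OpenSSL binary at run time), walks the issuer links from the identity certificate up to the self-signed root, and assembles both orderings. The function names, the file names it writes, and SAMPLE_PEM are this example's own; SAMPLE_PEM is a constructed stand-in whose Base64 bodies are placeholders, not real DER.

```python
"""Split the PEM that `openssl pkcs12 -nodes` writes into key, identity, intermediate
and root blocks and reassemble them in the orders the article needs. Added example,
not code from the original article or from WebLogic."""
import os
import re

# PKCS#1 header (older OpenSSL, as the article shows) and the PKCS#8 header newer
# OpenSSL writes; with -nodes both are unencrypted.
_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+?)-----\r?\n.*?-----END (?P=label)-----", re.S)
_DN_RE = re.compile(r"^(subject|issuer)=\s*(.*?)\s*$", re.M)


def split_pkcs12_pem(text):
    """Return key, identity, intermediates, root and the ordered chain subjects,
    whatever order openssl happened to write the blocks in."""
    key, certs, prev_end = None, [], 0
    for m in _BLOCK_RE.finditer(text):
        pem, label = m.group(0) + "\n", m.group("label")
        preamble = text[prev_end:m.start()]   # Bag Attributes, subject=, issuer= lines
        prev_end = m.end()
        if label in _KEY_LABELS:
            if key is not None:
                raise ValueError("more than one private key in file")
            key = pem
        elif label == "CERTIFICATE":
            dn = dict(_DN_RE.findall(preamble))
            if "subject" not in dn or "issuer" not in dn:
                raise ValueError("certificate without subject=/issuer= lines; "
                                 "was the file written by openssl pkcs12?")
            certs.append({"pem": pem, "subject": dn["subject"], "issuer": dn["issuer"]})
    if key is None or not certs:
        raise ValueError("need one private key and at least one certificate")
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["subject"] != c["issuer"]}
    # The identity (end-entity) certificate is the one that issued nothing else.
    leaves = [c for c in certs if c["subject"] != c["issuer"] and c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one end-entity certificate, found %d" % len(leaves))
    # Follow issuer -> subject links up to the self-signed root; fail on any gap.
    chain = [leaves[0]]
    while chain[-1]["subject"] != chain[-1]["issuer"]:
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None:
            raise ValueError("chain is broken: no certificate for issuer %r" % chain[-1]["issuer"])
        if parent in chain:
            raise ValueError("certificate chain loops")
        chain.append(parent)
    return {"key": key, "identity": chain[0]["pem"], "root": chain[-1]["pem"],
            "intermediates": [c["pem"] for c in chain[1:-1]],
            "subjects": [c["subject"] for c in chain]}


def identity_chain_pem(parts):
    """My_key_crt.pem for the WebLogic identity keystore: identity, intermediates, root."""
    return "".join([parts["identity"], *parts["intermediates"], parts["root"]])


def client_pem(parts):
    """Two-way SSL client file: identity, intermediates, root, then the private key."""
    return identity_chain_pem(parts) + parts["key"]


def write_weblogic_files(text, outdir="."):
    """Write My_key_root.pem, My_key_pk.pem and My_key_crt.pem owner-only (0600),
    because -nodes left the private key unencrypted."""
    parts = split_pkcs12_pem(text)
    for name, data in (("My_key_root.pem", parts["root"]), ("My_key_pk.pem", parts["key"]),
                       ("My_key_crt.pem", identity_chain_pem(parts))):
        fd = os.open(os.path.join(outdir, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(data)
    return parts


# Constructed stand-in for `openssl pkcs12 -nodes` output, in the order the article
# describes (key, identity, root, intermediate). The bodies are placeholders, not DER.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
KEYBODY==
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03
subject=/C=US/O=Example Corp/CN=www.example.com
issuer=/C=US/O=Example Corp/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFBODY==
-----END CERTIFICATE-----
subject=/C=US/O=Example Corp/CN=Example Root CA
issuer=/C=US/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTBODY==
-----END CERTIFICATE-----
subject=/C=US/O=Example Corp/CN=Example Intermediate CA
issuer=/C=US/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERBODY==
-----END CERTIFICATE-----
"""
```

Run split_pkcs12_pem on the text of mycerts.pem: parts["root"] is My_key_root.pem for step 2, parts["key"] and identity_chain_pem(parts) are My_key_pk.pem and My_key_crt.pem for step 3, and client_pem(parts) is the client file for the two-way SSL case. write_weblogic_files creates the three server-side files with owner-only permissions since -nodes left the key unencrypted; a missing intermediate or an extra end-entity certificate raises ValueError rather than silently producing a chain the server will reject.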

Java clients can now invoke the SSL-authenticated Web service directly using My_key_crt.pem. Because the file contains the unencrypted private key, restrict its permissions to the user running the client.

Concluding Remarks

This tutorial explained how to perform two tasks. First, export the private key, identity certificate, intermediate certificate, and root certificate from a PFX server certificate file and import them into JKS files that can be used by a WebLogic Server configured for one-way SSL; this is useful when you want to reuse an existing PFX-format certificate in WebLogic Server. Second, convert an existing client certificate from PFX format to a PEM format that Java clients can use for two-way SSL communication.

Reference Materials

The following product documentation provides additional information about configuring SSL on WebLogic Server: Configuring SSL, and the ImportPrivateKey command reference, which explains how to configure keystores for WebLogic Server.

Glossary of Terms

  OpenSSL: a toolkit providing an implementation of the SSL and TLS protocols with full-strength cryptography. It also converts certificates between formats (for example, from PFX to PEM).

  Java keytool: the key and certificate management tool. It manages a keystore (database) of private keys and of the X.509 certificate chains that authenticate the corresponding public keys. It lets users administer their own public/private key pairs for use with digital signatures, manage the certificates used to authenticate themselves to other users and services, and support data-integrity and authentication services.

  Root certificate: in cryptography and computer security, a root certificate is an unsigned or self-signed public key certificate that serves as the trust anchor of a public key infrastructure.

  Identity certificate: in cryptography, a public key certificate (or identity certificate) uses a digital signature to bind a public key to identity information, such as the name and address of a person or organization. The certificate can be used to verify that the public key belongs to that person.

  Intermediate certificate: a subordinate CA certificate issued under a trusted root certificate, which in turn issues the end-entity server certificates. The certificate chain runs from the trusted root CA, through the intermediate certificate(s), to the SSL certificate issued to the end user. A root used this way is called a chained root.

  Private/public key: a key pair is used so that data encrypted with one key can only be decrypted with the other. Mathematically the two keys play symmetric roles, in that what one encrypts the other decrypts. The security of the pair rests on a hard mathematical problem (for RSA, factoring the product of two large primes) and on the key length, so a message cannot be recovered without the matching key. The trick is to keep one key secret (the private key) while distributing the other (the public key) to others; in practice the private key decrypts and signs, and the public key encrypts and verifies signatures. Anyone can then send you an encrypted message that only you can decrypt.

  WebLogic ImportPrivateKey: the utils.ImportPrivateKey utility loads a private key, together with its certificate file, into a keystore file. It is bundled with the WebLogic Server installation, and the domain environment (DOMAIN_DIR/setEnv) must be set before running it. For more information, see the documentation.

Author Introduction
Arvind Tiwari is a Developer Relations Engineer (DRE) on the BEA backline support team for WebLogic Server.
