@tikimcfee
Created February 6, 2021 23:03
THE UNSPOKEN ONE WROTE A TUTORIAL ON PEM AND JKS
<html xml:lang="en-us" lang="en-us"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="copyright" content="(C) Copyright 2005">
<meta name="DC.rights.owner" content="(C) Copyright 2005">
<meta name="DC.Type" content="task">
<meta name="DC.Title" content="Converting PEM-format keys to JKS format">
<meta name="abstract" content="This topic describes how to convert PEM-format certificates to the standard Java KeyStore (JKS) format.">
<meta name="description" content="This topic describes how to convert PEM-format certificates to the standard Java KeyStore (JKS) format.">
<meta name="DC.Audience.Experiencelevel" content="general">
<meta name="DC.Audience.Job" content="administering">
<meta name="DC.Audience.Type" content="administrator">
<meta name="prodname" content="Oracle Endeca Server">
<meta name="version" content="7.4.0">
<meta name="release" content="2012-09">
<meta name="component" content="Endeca Server">
<meta name="platform" content="All">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="task_8783C7B43E754FC4808F551C6AE5108F">
<meta name="DC.Language" content="en-us">
<link rel="stylesheet" type="text/css" href="../commonltr.css">
<link rel="stylesheet" type="text/css" href="../webhelp_custom.css">
<title>Converting PEM-format keys to JKS format</title>
</head>
<body id="task_8783C7B43E754FC4808F551C6AE5108F">
<h1 class="title topictitle1">Converting PEM-format keys to JKS format</h1>
<div class="body taskbody"><p class="shortdesc">This topic describes how to convert PEM-format certificates to the
standard Java KeyStore (JKS) format.
</p>
<div class="section prereq p" id="task_8783C7B43E754FC4808F551C6AE5108F__prereq_F841BB97B3EB4B7E8B252C3C21B9B604">
<p class="p">The Java KeyStores can be used for communication between
components that are configured for SSL (for example, between Studio and the
Oracle Endeca Server, if both are
SSL-enabled).
</p>
<div class="p">Two utilities (located in Endeca Server directories) are referenced in
the instructions below:
<ul class="ul" id="task_8783C7B43E754FC4808F551C6AE5108F__ul_273C847F96DB430BA1F70C2F86A6D412">
<li class="li" id="task_8783C7B43E754FC4808F551C6AE5108F__li_0702D88A367B44079B1572DADD9E6D0A"><span class="ph filepath">openssl</span> (located
in the
<span class="ph filepath">endeca-server/dgraph/bin</span> directory).
</li>
<li class="li" id="task_8783C7B43E754FC4808F551C6AE5108F__li_9EE7039943BA4F89AD42EB63AA0779BE"><span class="ph filepath">keytool</span> (located
in the
<span class="ph filepath">shared/jre/bin</span> directory).
</li>
</ul>
</div>
</div>
<div class="section context" id="task_8783C7B43E754FC4808F551C6AE5108F__context_1C97AC3B7F1840169312AEF505AAA172">
<div class="p">This procedure assumes the following:
<ul class="ul" id="task_8783C7B43E754FC4808F551C6AE5108F__ul_7E54D2CEEFA54663A55C34E22B79D699">
<li class="li" id="task_8783C7B43E754FC4808F551C6AE5108F__li_603FDA1C8C2F438BB298A411F144CDA0">You have set your path
environment variable to add the Dgraph
<span class="ph filepath">utilities</span> directory and the Dgraph binaries to
the search path, to allow you to run the
<span class="ph filepath">openssl</span> utility from the directory of your
choice.
</li>
<li class="li" id="task_8783C7B43E754FC4808F551C6AE5108F__li_646CE3D4E1384617BE736AC313BB3D69">Your path will allow you
to use the
<span class="ph filepath">keytool</span> utility from the directory of your
choice.
</li>
<li class="li" id="task_8783C7B43E754FC4808F551C6AE5108F__li_02581915ADBA4ED0BCA91B97E61BED4F">You have already generated
the set of standard SSL certificates with the
<span class="ph filepath">enecerts</span> command, as documented earlier in this
section.
</li>
<li class="li" id="task_8783C7B43E754FC4808F551C6AE5108F__li_A12CC8C9BB284F44A36107F423E69FF1">All of the input files are
located in the local directory.
</li>
</ul>
</div>
<p class="p">To convert the PEM-format keys to Java KeyStores:
</p>
</div>
<ol class="ol steps" id="task_8783C7B43E754FC4808F551C6AE5108F__steps_A43459F769834E7DA2C92EC21997EE1C"><li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_8148FF7658D04AA0A0A5AFFB6BDAB957">
<span class="ph cmd">Convert the certificate from PEM to PKCS12, using the following
command:
</span>
<div class="itemgroup info">
<pre class="pre codeblock">openssl pkcs12 -export -out eneCert.pkcs12 -in eneCert.pem</pre>
You may ignore the warning message this command issues.
</div>
</li>
<li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_6944D05C1C8B4D1C970F77383F88D018">
<span class="ph cmd">Enter and repeat the export password.
</span>
</li>
<li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_8AE29870614840BD88523377E5956621">
<span class="ph cmd">Create an empty truststore by generating a temporary key entry and
then deleting it, using the following commands:
</span>
<div class="itemgroup info">
<pre class="pre codeblock">keytool -genkey -keyalg RSA -alias endeca -keystore truststore.ks
keytool -delete -alias endeca -keystore truststore.ks</pre>
The
<span class="ph filepath">-genkey</span> command creates the default certificate
shown below. (This is a temporary certificate that is subsequently deleted by
the
<span class="ph filepath">-delete</span> command, so it does not matter what
information you enter here.)
<pre class="pre codeblock">Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for &lt;endeca&gt;
(RETURN if same as keystore password):
Re-enter new password:</pre>
</div>
</li>
<li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_F840A0E9E0DA49B0B073A89814007C2C">
<span class="ph cmd">Import the CA into the truststore, using the following command:
</span>
<div class="itemgroup info">
<pre class="pre codeblock">keytool -import -v -trustcacerts -alias endeca-ca -file eneCA.pem -keystore truststore.ks</pre>
</div>
</li>
<li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_2DDA8B26B6F64947B0CA70077D79663C">
<span class="ph cmd">Enter the keystore password.
</span>
</li>
<li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_50A3A7461A8D40B7BA2D81B67C84DEC3">
<span class="ph cmd">At the prompt, "Trust this certificate?" type
<span class="ph filepath">yes</span>.
</span>
</li>
<li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_8C711F6295D34C8FB1A3F4C0CBF80DF2">
<span class="ph cmd">Create an empty Java KeyStore, using the following commands:
</span>
<div class="itemgroup info">
<pre class="pre codeblock">keytool -genkey -keyalg RSA -alias endeca -keystore keystore.ks
keytool -delete -alias endeca -keystore keystore.ks</pre>
The
<span class="ph filepath">-genkey</span> command creates the default certificate
shown below. (This is a temporary certificate that is subsequently deleted by
the
<span class="ph filepath">-delete</span> command, so it does not matter what
information you enter here.)
<pre class="pre codeblock">Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN="Unknown", OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
</pre>
</div>
</li>
<li class="li step stepexpand" id="task_8783C7B43E754FC4808F551C6AE5108F__step_B2AC8C0381CE4E42A32E5AA3EE9600C8">
<span class="ph cmd">Import your private key into the empty JKS, using the following
command:
</span>
<div class="itemgroup info">
<pre class="pre codeblock">keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS</pre>
</div>
</li>
</ol>
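<p class="p">The following is an added example, not part of the Oracle guide: a non-interactive form of step 1 that first checks that the private key and certificate in eneCert.pem belong together, then confirms that the PKCS12 file holds the same certificate. The function names and the PEM_PASS and P12_PASS environment variables are assumptions made for this example; it also assumes eneCert.pem contains both the certificate and its private key, as the -in-only command in step 1 implies.</p>

```shell
#!/bin/sh
# Added example, not Oracle's code. PEM_PASS and P12_PASS are assumed names.
# Passwords come from environment variables so they never appear in argv.
: "${PEM_PASS:=}"; export PEM_PASS   # stays empty when the PEM key is unencrypted

# Succeed only if the private key and certificate in bundle $1 belong together,
# by comparing the public key taken from each.
pem_bundle_consistent() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -passin env:PEM_PASS -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 1 without prompts: export PEM bundle $1 to PKCS12 file $2.
# The export password is read from P12_PASS; the output is created owner-only.
pem_to_pkcs12() {
    pem_bundle_consistent "$1" || { echo "key/certificate mismatch in $1" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -in "$1" -out "$2" \
          -passin env:PEM_PASS -passout env:P12_PASS )
}

# SHA-256 fingerprint of the first certificate in PEM file $1.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the end-entity certificate stored in PKCS12 file $1.
pkcs12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Convert, then refuse to continue unless the certificate survived unchanged.
convert_and_verify() {
    pem_to_pkcs12 "$1" "$2" || return 1
    [ "$(pem_fingerprint "$1")" = "$(pkcs12_fingerprint "$2")" ]
}
```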
</div>
<div id="footer">
<p>Oracle Endeca Server Administrator's Guide · Version 7.4.0 · June 2014 · Revision A</p>
<p><a href="../../../dcommon/html/cpyr.htm">Copyright © 2003, 2014, Oracle and/or its affiliates. All rights reserved.</a></p>
<p><img src="../xmwebhelp/images/oracle_official_sm2.png" alt="Oracle logo"></p>
</div>
</body></html>