by Arvind Tiwari
Public Key Cryptography Standards #12 (PKCS#12) specifies a portable format for storing and transporting user or server private keys, public keys, and certificates. It is a binary format, and these files are also known as PFX files. Developers often need to transform PFX files to some different format, such as PEM or JKS, so that they can be used by standalone Java clients using SSL communication, or WebLogic Server. This article describes how to export the private key, public key, and certificate from a PFX file and create JKS or PEM files from these artifacts.
PFX certificates are usually created for two purposes:
Client certificate: This is usually installed on a client's browser and provides user identity to the server at the other end. It also provides a public key and certificate to the server. This public key will be used by the server to encrypt any data exchange between these two parties.
Server certificate: This will be installed on the server side and provides server identity, certificate, and public key information to clients that try to establish a connection. The certificate and public key are used for handshaking and further data encryption between client and server.
Unfortunately, PFX isn't the only certificate format in circulation. Let's look at a few more.
The Privacy Enhanced Mail (PEM) format is now much more liberally used as a key format, and can contain private keys (RSA and DSA), public keys (RSA and DSA), and x509 certificates. It stores data in a Base64-encoded DER format, surrounded by ASCII headers, so it is suitable for text-mode transfers between systems.
The Distinguished Encoding Rules (DER) format can also contain private keys, public keys, and certificates. It is the default format for most browsers and is stored according to the ASN1 DER format. It is headerless--PEM is text-header-wrapped DER.
WebLogic Server doesn't require a particular certificate format, but a certificate store. Setting up SSL on WebLogic Server requires server certificates stored in a Java Key Store (JKS) file. The JKS file is used simply for storing the server certificate, private key, public key, and identity.
Here are two situations when we need to convert from the PFX certificate format:
Importing a server certificate (private key, public key, identity certificate, etc.) from a PFX file to a JKS file so that it can be used in the Java Key Store to set up WebLogic Server SSL. Sometimes the server certificate is in PFX format, and to utilize the same certificate in WebLogic Server, we need to export its certificates to a JKS file store.
Invoking a web service through a Java client over two-way SSL requires the client certificate in PEM format. Similarly, invoking a servlet over two-way SSL through a Java client needs the client certificate in PEM format, too.
Let's look at how to perform these conversions.
To perform the above tasks we have to have the following setup ready:
In this section we will look at how to export the server's private key, public key, identity, and CA certificate from a PFX file and import these components into a JKS file so that it can be used in WebLogic Server to set up SSL. To set up SSL in WebLogic Server requires two JKS file stores: one is called the Trust Key Store and other is called the Identity Key Store. You will need to perform the following three steps to accomplish this task:
openssl binary from the
folder. It will start the OpenSSL command prompt. Execute the following command:
pkcs12 -in MYCERTS.pfx -out MYCERTS.pem -nodes
This will convert the data in the MYCERTS.pfx file to the PEM format, placing the result in the MYCERTS.pem file. The resulting file will have all the certificates in the following order:
Note that all the certificates (Private Key, Identity certificate, Root certificate, Intermediate certificate) are wrapped within some headers, and these headers are part of the certificates.
Now you need to extract the root certificate from the resulting PEM file and use it to create the Trust JKS:
subjectheaders must be same.
keytool -import -trustcacerts -file my_key_root.pem -alias my_key_root -keystore my_key_trust.jks -storepass <trust key store password>
The resulting JKS can be used as a Trust Key Store in WebLogic Server.
-----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
Note that the certificates must be in the order listed above. The identity certificate can be located easily in MYCERTS.pem since there must be header that shows the identity--information such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the MYCERTS.pem file.
java utils.ImportPrivateKey -keystore <new JKS file> -storepass <new storepass> -storetype JKS -keypass <new key pass> -alias <new alias name> -certfile my_key_crt.pem -keyfile my_key_pk.pem -keyfilepass <PFX key password>
This will create a JKS file that can be used in WebLogic Server. Note that you can import many private keys into a key store using the
utils.ImportPrivateKey command as mentioned above. Please refer to the
Glossary for details about
Calling a web service over two-way SSL through a Java client requires that the Java client have a certificate in the PEM format--and it must contains the private key of the calling user. In the following, we're going to assume that you have the client certificate already installed in your browser. In this case, you're going to have to export the certificate as detailed below.
openssl pkcs12 -in MYCERTS.pfx -out MYCERTS.pem -nodes
This will convert the PFX format to a PEM format. The MYCERTS.pem will have all the certificates in the following order:
From the MYCERTS.pem file, create a new file (say, my_key_crt.pem) with the certificates reordered (simply copy and paste). The order is important, otherwise the hosting server will not recognize the certificates:
Now the my_key_crt.pem can be directly used by a Java client to invoking web services over SSL.
This tutorial showed how to perform two tasks:
The following product documentation links provide additional information for configuring SSL on WebLogic Server:
OpenSSL: This toolkit provides implementations of the SSL and TLS protocols with full-strength cryptography worldwide. It also provides features to transform the certificates between different formats (i.e. from PFX to PEM).
Java keytool: This is the key and certificate management tool. It also manages a keystore (database) of private keys and their associated X.509 certificate chains authenticating the corresponding public keys. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures.
Root certificate: In cryptography and computer security, a root certificate is an unsigned public key certificate, or a self-signed certificate, and is part of a public key infrastructure scheme.
Identity certificate: In cryptography, a public key certificate (or identity certificate) is a certificate that uses a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.
Intermediate certificate: An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate, and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.
Private Key/public key: The encryption using a private key/public key pair ensures that the data can be encrypted by one key but can only be decrypted by the other key pair. The keys are similar in nature and can be used alternatively: what one key encrypts, the other key pair can decrypt. The key pair is based on prime numbers and their length in terms of bits ensures the difficulty of being able to decrypt a message without the key pairs. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. Anybody can then send you an encrypted message that only you will be able to decrypt.
WebLogic ImportPrivateKey: The
ImportPrivateKey utility is used to load a private key into a private keystore file. This utility is bundled with the WebLogic Server installation and you need set the domain environment (
Domain_Dir/setEnv) to execute this utility. For more information visit the documentation.
Arvind Tiwari works as a DRE in BEA Backline Support for WebLogic Server.