On 2/2/2010 6:00 PM, Anna Gellatly wrote:
> Hello All -
> I'm very new to all this - forgive a potentially ignorant question.
> I believe I have created a keystore with the following commands
> certutil -N -d .
> modutil -fips true -dbdir .
> So far so good...
> I am changing my application from using JKS to NSS's keystore
> implementation for FIPS compliance needs.
> I have public and private keys stored in a JKS that I would like to
> import into NSS's keystore.
> When I run this command (with the correct passwords):
> keytool -importkeystore -srckeystore /path/to/my/keystore -deskeystore
> NONE -storetype PKCS11 -providerName SunPKCS11-NSS
It *may* be possible to move the keys/certs directly to an NSS DB with
Java's keytool but I'm not sure about that. What I am sure about is if
you export the keypairs/certs you want from the Java KeyStore using
keytool into PKCS#12 files, then you can import them into the NSS
security DB (the general term security DB applies to the collection of
the 3 .db files that get created when you run "certutil -N -d .") using
the NSS command line tool pk12util.
List the contents of my JKS keystore to get the alias (Java KeyStores
use the term alias, NSS uses the term nickname to point to certs/keys):
$ keytool -list -keystore test.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Feb 3, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5):
79:90:B6:71:55:F1:F2:35:AD:44:76:83:8F:3C:F6:F1
Export the key/cert to a PKCS#12 file (note: for some reason when I ran this
command it took around a minute to exit on its own, but it worked.
There's no real reason for it to take this long, but just a warning in case
you see similar behavior: just let it finish):
$ keytool -importkeystore -srckeystore test.jks -srcalias mykey
-destkeystore test.p12 -deststoretype PKCS12 -destalias mykey
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Import the contents of the PKCS#12 file into the NSS security DB using the NSS
command line util pk12util:
$ pk12util -i test.p12 -d .
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Check your work using certutil to list the contents of the security DB:
$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=Test                                                      u,u,u
If you don't see "u,u,u" in the trust column, you didn't get both the
key and the cert. In the NSS world the three u's mean there is a
private key matching the certificate.
At this point you can delete the .p12 files as they are no longer
necessary and do contain copies of your private key, though encrypted
with password based encryption.
Dave
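As an added illustration of Dave's verification step (not code from the thread or from NSS), the script below parses the text output of the two listing commands he uses, `keytool -list` and `certutil -L -d .`, and checks that every PrivateKeyEntry in the JKS is matched by an NSS entry carrying the "u,u,u" trust flags. The sample outputs embedded here are constructed for the example; the "rootca" and "stray cert" entries are invented to show how trusted CA certs and a cert imported without its key are reported differently.

```python
"""Verify a JKS -> NSS migration from `keytool -list` and `certutil -L` output.

Added example: the parsers below work on the text formats shown in the
thread. The sample outputs are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample of `keytool -list -keystore test.jks` output.
# (The mykey fingerprint is the one from the thread; rootca is invented.)
KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

mykey, Feb 3, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 79:90:B6:71:55:F1:F2:35:AD:44:76:83:8F:3C:F6:F1
rootca, Jan 5, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

# Constructed sample of `certutil -L -d .` output after a pk12util import.
CERTUTIL_LIST = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=Test                                                      u,u,u
rootca                                                       CT,C,C
stray cert                                                   ,,
"""

# One keytool entry line: "<alias>, <date>, <entry type>,". The date itself
# contains a comma, so anchor on the entry type at the end of the line.
# (An alias containing ", " would confuse this; keytool aliases rarely do.)
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?),\s+(?P<date>.+),\s+"
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)

# NSS trust attributes: three comma-separated fields (SSL, S/MIME, JAR/XPI),
# each a set of flag letters such as p, P, c, C, T, u, w, or empty.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def private_key_aliases(keytool_output: str) -> List[str]:
    """Return the aliases of all PrivateKeyEntry entries in keytool -list output."""
    aliases = []
    for line in keytool_output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("type") == "PrivateKeyEntry":
            aliases.append(m.group("alias"))
    return aliases


def parse_certutil(certutil_output: str) -> Dict[str, str]:
    """Map each certificate nickname in certutil -L output to its trust flags.

    Nicknames may contain spaces, so split once from the right: the last
    whitespace-separated token is the trust column. Header lines do not end
    in a trust-flag token and are skipped.
    """
    entries: Dict[str, str] = {}
    for line in certutil_output.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue
        nickname, flags = parts
        if TRUST_RE.match(flags):
            entries[nickname.rstrip()] = flags
    return entries


def has_private_key(flags: str) -> bool:
    """Dave's rule: 'u' in all three trust fields means a matching private key."""
    return all("u" in field for field in flags.split(","))


def entries_with_private_key(entries: Dict[str, str]) -> List[str]:
    """Nicknames whose trust attributes indicate a private key is present."""
    return [nick for nick, flags in entries.items() if has_private_key(flags)]


def migration_complete(keytool_output: str, certutil_output: str) -> bool:
    """True when NSS holds at least as many key-backed certs as the JKS had
    PrivateKeyEntry entries. pk12util may rename entries (the thread shows the
    alias 'mykey' appearing as 'CN=Test'), so compare counts, not names."""
    wanted = private_key_aliases(keytool_output)
    got = entries_with_private_key(parse_certutil(certutil_output))
    return len(got) >= len(wanted)


if __name__ == "__main__":
    nss = parse_certutil(CERTUTIL_LIST)
    for nick, flags in nss.items():
        status = "key+cert" if has_private_key(flags) else "cert only"
        print(f"{nick!r:20} {flags:8} {status}")
    print("JKS private keys:", private_key_aliases(KEYTOOL_LIST))
    print("migration complete:", migration_complete(KEYTOOL_LIST, CERTUTIL_LIST))
```

Run it against real output by piping `keytool -list` and `certutil -L -d .` into the two parsers; an entry that shows up as "cert only" is the case Dave warns about, where the PKCS#12 import brought the certificate across but not its private key.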
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto