All - I have a bit more information on this ... I have trust keys and private keystores in JKS I need to migrate. When dropping the alias it seems to default to "appserver" - is it possible there is no alias defined for the key? Anyway - when I drop the -srcalias flag and try to import my key I get this:

    Problem importing entry for alias appserver: java.security.KeyStoreException: TrustedCertEntry not supported

Is there a document somewhere out there that explains moving trust and private JKS keystores to the NSS secure DBs?

Anna.

--- On Wed, 2/3/10, Anna Gellatly <abrick...@yahoo.com> wrote:

From: Anna Gellatly <abrick...@yahoo.com>
Subject: Re: Converting jks to secmod.db (copying key/cert from JKS to NSS DB)
To: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
Date: Wednesday, February 3, 2010, 9:56 AM

Thanks for the info David. When I run this command:

    /usr/java/current/bin/keytool -importkeystore -srckeystore /proximo/config/cluster/trusted.keystore -srcalias mykkey -destkeystore test.p12 -deststoretype PKCS12

and put in the destination password and source passwords I get:

    keytool error: java.lang.Exception: Alias <mykkey> does not exist

Can you explain a little more about "aliases"? I am not sure I understand what they are doing.

Thanks,
Anna.

--- On Wed, 2/3/10, David Stutzman <dstutz.m...@nospam.dstutz.com> wrote:

From: David Stutzman <dstutz.m...@nospam.dstutz.com>
Subject: Re: Converting jks to secmod.db (copying key/cert from JKS to NSS DB)
To: dev-tech-crypto@lists.mozilla.org
Date: Wednesday, February 3, 2010, 5:05 AM

On 2/2/2010 6:00 PM, Anna Gellatly wrote:
> Hello All -
>
> I'm very new to all this - forgive a potentially ignorant question.
>
> I believe I have created a keystore with the following commands
> certutil -N -d .
> modutil -fips true -dbdir .

So far so good...

> I am changing my application from using JKS to NSS's keystore
> implementation for FIPS compliance needs.
>
> I have public and private keys stored in a JKS that I would like to
> import into NSS's keystore.
>
> When I run this command (with the correct passwords):
> keytool -importkeystore -srckeystore /path/to/my/keystore -destkeystore
> NONE -storetype PKCS11 -providerName SunPKCS11-NSS

It *may* be possible to move the keys/certs directly to an NSS DB with Java's keytool but I'm not sure about that.
What I am sure about is if you export the keypairs/certs you want from the Java KeyStore using keytool into PKCS#12 files, then you can import them into the NSS security DB (the general term security DB applies to the collection of the 3 .db files that get created when you run "certutil -N -d .") using the NSS command line tool pk12util.

List the contents of my JKS keystore to get the alias (Java KeyStores use the term alias, NSS uses the term nickname to point to certs/keys):

    $ keytool -list -keystore test.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    mykey, Feb 3, 2010, PrivateKeyEntry,
    Certificate fingerprint (MD5): 79:90:B6:71:55:F1:F2:35:AD:44:76:83:8F:3C:F6:F1

Export the key/cert to a PKCS#12 file (Note, for some reason when I ran this command it took around a minute to exit on its own but it worked. There's no real reason for it to take this long but just warning in case you see similar behavior to just let it finish):

    $ keytool -importkeystore -srckeystore test.jks -srcalias mykey -destkeystore test.p12 -deststoretype PKCS12 -destalias mykey
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:

Import the contents of the PKCS#12 file into the NSS security DB using the NSS command line util pk12util:

    $ pk12util -i test.p12 -d .
    Enter password for PKCS12 file:
    pk12util: PKCS12 IMPORT SUCCESSFUL

Check your work using certutil to list the contents of the security DB:

    $ certutil -L -d .

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    CN=Test                                                      u,u,u

If you don't see "u,u,u" in the trust column, you didn't get both the key and the cert. In the NSS world the three u's means there is a private key matching the certificate.

At this point you can delete the .p12 files as they are no longer necessary and do contain copies of your private key, though encrypted with password based encryption.
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
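The migration Dave walks through above, carried through for every alias in a keystore, as an added example that is not from this thread or from either poster: PrivateKeyEntry aliases go through keytool -importkeystore and pk12util exactly as shown, while trustedCertEntry aliases (the ones keytool refuses to write into a PKCS#12 destination, which is the "TrustedCertEntry not supported" error Anna hits) are exported as PEM with keytool -exportcert and added with certutil -A instead. The keystore path, passwords, NSS DB directory and the "C,," trust flags are assumptions, and the two parsing helpers are mine.

```shell
#!/bin/sh
# Added example (not from the thread): migrate all entries of a JKS keystore into an NSS security DB.
# Assumed placeholders: keystore path, passwords, NSS DB dir, and the trust flags for CA certs.

# Turn `keytool -list` output (stdin) into "alias<TAB>type" lines. Entry lines look like
# "mykey, Feb 3, 2010, PrivateKeyEntry," (some JDKs add a trailing space).
list_entries() {
    awk '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),? *$/ {
        split($0, f, ", "); alias = f[1]
        t = $0; sub(/,? *$/, "", t); sub(/.*, /, "", t)
        print alias "\t" t }'
}

# Print the trust column that `certutil -L` output (stdin) shows for one nickname.
# "u,u,u" means the DB holds a private key matching that certificate (the check from the thread).
trust_for() {
    awk -v nick="$1" '{ n = $0; sub(/[ \t]+[^ \t]*$/, "", n); if (n == nick) print $NF }'
}

# migrate_jks <keystore.jks> <storepass> <nssdbdir> [catrust]
# Passwords given on the command line show up in the process list; for real runs let keytool prompt.
migrate_jks() {
    jks=$1; storepass=$2; nssdir=$3; catrust=${4:-"C,,"}
    keytool -list -keystore "$jks" -storepass "$storepass" | list_entries |
    while IFS="$(printf '\t')" read -r alias type; do
        case $type in
        PrivateKeyEntry)
            # Same two steps Dave shows: JKS -> PKCS#12 -> pk12util -i
            keytool -importkeystore -srckeystore "$jks" -srcstorepass "$storepass" \
                -srcalias "$alias" -destkeystore "$alias.p12" -deststoretype PKCS12 \
                -deststorepass "$storepass" -destalias "$alias" &&
            pk12util -i "$alias.p12" -d "$nssdir" -W "$storepass" &&
            rm -f "$alias.p12"   # the .p12 is a (password-encrypted) copy of the private key
            ;;
        trustedCertEntry)
            # keytool cannot put a TrustedCertEntry into PKCS#12, so export PEM and let certutil add it
            keytool -exportcert -keystore "$jks" -storepass "$storepass" \
                -alias "$alias" -rfc -file "$alias.pem" &&
            certutil -A -d "$nssdir" -n "$alias" -t "$catrust" -i "$alias.pem" &&
            rm -f "$alias.pem"
            ;;
        esac
    done
}
```

After a run, `certutil -L -d "$nssdir" | trust_for mykey` should print u,u,u for each migrated key pair and the CA trust flags for each migrated trust anchor.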