Create Keystore P12 with Certificate and a Private key

[matteshe]

Describe the solution you'd like I have a certificate and I have private key. I'd like to sign the certificate with the priv key and put this in a p12 keystore. At the moment I can't create a cert/key pair with this given files.

With openssl I can use the options pkcs12 -export -in cert -inkey privkey -out p12

[kaikramer]

The KSE equivalent of this OpenSSL command would be:

1. Create a new keystore, select type PKCS#12:
2. Click "Import Key Pair" in Tools menu:
3. Choose either "PKCS#8" (more likely) or "OpenSSL" (that's an outdated OpenSSL format):
4. It seems the private key file is unencrypted, so unselect this option, then browse to the two files:

The rest should be self-explaining.

[matteshe]

Hi,

I alreday tried this ways, but I wasn't able to do it. I received the following errors.

Import with openssl: priv key and cert does not contain a valid key pair

Import with pkcs8: private key could not be read

It look like, that the key need to be converted first: http://openssl.cs.utah.edu/docs/apps/ec.html

The ec command processes EC keys. They can be converted between various forms and their components printed out. Note OpenSSL uses the private key format specified in 'SEC 1: Elliptic Curve Cryptography' (http://www.secg.org/). To convert a OpenSSL EC private key into the PKCS#8 private key format use the pkcs8 command.

[kaikramer]

Ok, it seems like the key actually is in the old OpenSSL format. Could you please use the "Detect File Type" function on the key file:

It will probably say something like "unencrypted OpenSSL private key".

And also the output of this command (delete the key data as in the following example):

$ openssl ec -in ec.key -noout -text
read EC key
Private-Key: (256 bit)
priv:
     <deleted>
pub:
     <deleted>
ASN1 OID: prime256v1
NIST CURVE: P-256

[kaikramer]

Oh, and please try "Examine File" on the key file as well and post the error message.

[matteshe]

Hi,

as you said, the tools as determined a unencrypted private key.

Detect File type of private key

Detect File type of certificate

openssl ec -in privkey-PK.pem -noout -text

read EC key Private-Key: (256 bit) priv:

pub: ASN1 OID: prime256v1 NIST CURVE: P-256 No Error Messages on Examine Files: Examine Private Key:  Examile certificate: 

[matteshe]

I just tried the following:

Import pkcs8 with my priv key and click detail ends in error

Examine my priv key and use PEM Button to store new file and import that works.

So why the examine file works but the detail button doesn't.

look inside both pem files:

my priv key -----BEGIN EC PRIVATE KEY----- deleted data -----END EC PRIVATE KEY-----

new stored priv key based on PEM button -----BEGIN PRIVATE KEY----- deleted data; differ from my -----END PRIVATE KEY-----

[kaikramer]

as you said, the tools as determined a unencrypted private key.

The important part is that it is in OpenSSL format (not PKCS#8), so you have to choose OpenSSL for import.

"Examine File" always shows "PKCS#8" format because the key is always internally converted to PKCS#8 regardless of the actual file format. The PEM button in "Examine File" therefore always outputs PKCS#8 format.

This PEM header means OpenSSL (RFC 5915) format: -----BEGIN EC PRIVATE KEY-----

And this PEM header means PKCS#8 (RFC 5208) format: -----BEGIN PRIVATE KEY-----

So far everything seems fine, the question now is why did the import as OpenSSL key not work. Does the import work, if you use the convrted PKCS#8 key file?

[matteshe]

Import as OpenSSL

Detail on priv key and cert can be opened

Import fails

Import with converted file fail as well

[kaikramer]

The converted file is PKCS#8, so you have to select this for the import instead of OpenSSL.

Are you sure the certificate matches the key?

[matteshe]

As I wrote above, import as pkcs8 with converted key and cert works.

[kaikramer]

Ok, I've overlooked that. I think I have now all the information I need. Thanks for reporting this!