Can a Java key store import a key pair generated by OpenSSL?

Jef picture Jef · Apr 21, 2010 · Viewed 48.7k times · Source

I generate a certification key with openssl. Here is my command:

openssl genrsa -des3 -out enc_key.pem 1024

I export into cer file, then with java keytool I import into java keystore (jks).

The keystore sounds good. I can load the keystore from my java app.

The problem is when client connect to the server (In this case is FTP server, not web server, and I use apache mina), the exception occured:

javax.net.ssl.SSLHandshakeException: SSL handshake failed. at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:433) at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434) at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$5(DefaultIoFilterChain.java:429)

...

Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source) at javax.net.ssl.SSLEngine.wrap(Unknown Source)

...

Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)

There is a few things that I want to ask:

  1. What is the cipher of certification that I generate with openssl? How can we know? maybe by command line openssl xxx?
  2. I go to http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA. And I put SSL_RSA_xxx to enabled cipher suites, but still can't work (I put SSL_RSA because it the SSL is using ssl implisit, and genrsa, just my opinion genrsa is generate RSA). Is it correct?
  3. Anybody knows the solution?
  4. Or, anybody knows how to generate the standard keystore from openssl command line until can be used in java app (off course with the cipher). Because right now I can generate the certification from openssl and export keystore java, but I don't know what is the cipher that I used and how I use in the java app. Note: I can run if the keystore is generate directly FROM java. Right now the problem is if the keystore generated by java keytool from certification like openssl (and other maybe).

Any help will be appreciated! Thanks

Answer

erickson picture erickson · Apr 21, 2010

Why are you using OpenSSL to generate the keypair? Why not just use keytool?

The genrsa tool just generates a private key. How are you creating a corresponding certificate? How are you importing the private key into your Java keystore? (I ask, because keytool can only import a private key from an existing key store, and only from Java 6 onward.)

I suspect that your problem is that your key store doesn't contain a key entry (private key and corresponding certificate). When you list the keystore contents with keytool, how many entries are there? Are they key entries or trusted entries?


The server needs access to the private key in order to authenticate itself. To import a private key, use Java 6's enhanced keytool.

After creating the key and the certificate with OpenSSL, use OpenSSL to create a PKCS #12 key store:

openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12

Then convert this store into a Java key store:

keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12

Now use server.jks in your SSL-enable server, which contains the certificate and the private key.