Convert SSL .pem to .p12 with or without OpenSSL

java openssl pem pkcs#12
DrDave picture DrDave · Mar 14, 2012 · Viewed 56.5k times · Source

I get external .pem files that need to be converted to .p12 files - I add a username and password in the process. (I need to do this to utilize a third party API.)

Using openssl, the command is...

openssl pkcs12 -export -in xxxx.pem -inkey xxxx.pem -out xxx.p12 -passout pas:newpassword -name "newname"

I can run this from a terminal session and it works perfectly.

However, I will need to do this often and have written a Java class that handles this and more (my application is mostly .jsp with Tomcat and Apache). When I try run the same command from Java using Runtime.exec, I get the dreaded "unable to write 'random state'" error ( Using OpenSSL what does "unable to write 'random state'" mean? ).

I assume that the difference is that, when I run from Java, the user is not "root".

So, is there a better way to convert from pem to .p12 using a Java library rather than executing a command line program (i.e. openssl)?

Otherwise, I guess I need to do some configuration on my server. I can not find any .md file anywhere on the server. The only openssl.cnf file is in a weird directory (/etc/pki/tls). Do I need to create a new openssl.cnf file somewhere else?

Answer

Muggles Merriweather picture Muggles Merriweather · Mar 23, 2012

This should do what you want to do (using the BouncyCastle PEMReader as suggested above) -- take a PEM-encoded private key + certificate, and output a PKCS#12 file. Uses the same password for the PKCS12 that was used to protect the private key.

public static byte[] pemToPKCS12(final String keyFile, final String cerFile, final String password) throws Exception {
    // Get the private key
    FileReader reader = new FileReader(keyFile);

    PEMReader pem = new PEMReader(reader, new PasswordFinder() {
        @Override public char[] getPassword() {
            return password.toCharArray();
        }
    });

    PrivateKey key = ((KeyPair)pem.readObject()).getPrivate();

    pem.close();
    reader.close();

    // Get the certificate      
    reader = new FileReader(cerFile);
    pem = new PEMReader(reader);

    X509Certificate cert = (X509Certificate)pem.readObject();

    pem.close();
    reader.close();

    // Put them into a PKCS12 keystore and write it to a byte[]
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null);
    ks.setKeyEntry("alias", (Key)key, password.toCharArray(), new java.security.cert.Certificate[]{cert});
    ks.store(bos, password.toCharArray());
    bos.close();
    return bos.toByteArray();
}

Related questions

How to read .pem file to get private and public key

I am writing a small piece of code which reads public and private key stored in .pem file. I am using the following commands to generate the keys. Below command to generate pair of key. $openssl genrsa -out mykey.pem 2048 …

Read More
Formatting RSA keys for OpenSSL in Java

Background RSA key generation with OpenSSL on Linux using the command, openssl genrsa -out mykey.pem 1024 created the following: "-----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQChs9Fepy5FgeL0gNJ8GHcKRHsYnM2Kkw19zwydDQNyh2hrHWV2 B11wpLFp8d0imcl2Wjb0oV/AxOhb3unQgNzs66LVuXJwS8…

Read More
How can I read a BouncyCastle private key PEM file using JCA?

In one of our applications private keys are stored using BouncyCastle's PEMWriter. At the moment I am investigating if we can get rid of the BouncyCastle dependency since Java 7 seems to have everything we need. The only issue is that …

Read More