Using PFX and PEM Certificate Formats with Keystores

by Arvind Tiwari
09/27/2006

Abstract

Public Key Cryptography Standards #12 (PKCS#12) specifies a portable format for storing and transporting user or server private keys, public keys, and certificates. It is a binary format, and these files are also known as PFX files. Developers often need to transform PFX files to some different format, such as PEM or JKS, so that they can be used by standalone Java clients using SSL communication, or WebLogic Server. This article describes how to export the private key, public key, and certificate from a PFX file and create JKS or PEM files from these artifacts.

Introduction

PFX certificates are usually created for two purposes:

  1. Client certificate: This is usually installed on a client's browser and provides user identity to the server at the other end. It also provides a public key and certificate to the server. This public key will be used by the server to encrypt any data exchange between these two parties.
  2. Server certificate: This will be installed on the server side and provides server identity, certificate, and public key information to clients that try to establish a connection. The certificate and public key are used for handshaking and further data encryption between client and server.

Unfortunately, PFX isn't the only certificate format in circulation. Let's look at a few more.

  • The Privacy Enhanced Mail (PEM) format is now much more liberally used as a key format, and can contain private keys (RSA and DSA), public keys (RSA and DSA), and x509 certificates. It stores data in a Base64-encoded DER format, surrounded by ASCII headers, so it is suitable for text-mode transfers between systems.
  • The Distinguished Encoding Rules (DER) format can also contain private keys, public keys, and certificates. It is the default format for most browsers and is stored according to the ASN1 DER format. It is headerless--PEM is text-header-wrapped DER.

WebLogic Server doesn't require a particular certificate format, but a certificate store. Setting up SSL on WebLogic Server requires server certificates stored in a Java Key Store (JKS) file. The JKS file is used simply for storing the server certificate, private key, public key, and identity.

Here are two situations when we need to convert from the PFX certificate format:

  1. Importing a server certificate (private key, public key, identity certificate, etc.) from a PFX file to a JKS file so that it can be used in the Java Key Store to set up WebLogic Server SSL. Sometimes the server certificate is in PFX format, and to utilize the same certificate in WebLogic Server, we need to export its certificates to a JKS file store.
  2. Invoking a web service through a Java client over two-way SSL requires the client certificate in PEM format. Similarly, invoking a servlet over two-way SSL through a Java client needs the client certificate in PEM format, too.

Let's look at how to perform these conversions.

Requirements

To perform the above tasks we have to have the following setup ready:

  • WebLogic Server version 8.1 or 9.1 domain configured.
  • OpenSSL installed ( www.openssl.org).
  • The Java keytool available (it comes with your JDK).
  • A source certificate in PFX format.
  • A text editor.

Importing PFX Private Key and Certificates into a JKS

In this section we will look at how to export the server's private key, public key, identity, and CA certificate from a PFX file and import these components into a JKS file so that it can be used in WebLogic Server to set up SSL. To set up SSL in WebLogic Server requires two JKS file stores: one is called the Trust Key Store and other is called the Identity Key Store. You will need to perform the following three steps to accomplish this task:

1. Exporting the Different Certificates from PFX to PEM

Run the openssl binary from the <OpenSSL>/bin folder. It will start the OpenSSL command prompt. Execute the following command:

pkcs12 -in MYCERTS.pfx -out MYCERTS.pem -nodes

This will convert the data in the MYCERTS.pfx file to the PEM format, placing the result in the MYCERTS.pem file. The resulting file will have all the certificates in the following order:

  • Private key
  • Identity certificate
  • Root certificate
  • Intermediate certificate

Note that all the certificates (Private Key, Identity certificate, Root certificate, Intermediate certificate) are wrapped within some headers, and these headers are part of the certificates.

2. Creating the Trust Java Key Store

Now you need to extract the root certificate from the resulting PEM file and use it to create the Trust JKS:

  1. Open the MYCERTS.pem file in a text editor, copy the root certificate and paste it to a new file, say my_key_root.pem. You can easily find the root certificate since its issuer and subject headers must be same.
  2. Use the Java key tool utility and import the above my_key_root.pem file to a JKS file: 

keytool -import -trustcacerts -file my_key_root.pem -alias my_key_root

-keystore my_key_trust.jks -storepass <trust key store password>

The resulting JKS can be used as a Trust Key Store in WebLogic Server.

3. Creating the Identity Java Key Store

  1. From the MYCERTS.pem file, copy the private key and paste it in different file, say my_key_pk.pem. It is very easy to identify the private key as it is wrapped with in the following two headers: 
    
-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
  2. From the MYCERTS.pem file, copy the following certificates and paste them in new text file, say my_key_crt.pem:
    • Identity certificate
    • Intermediate certificate
    • Root certificate

    Note that the certificates must be in the order listed above. The identity certificate can be located easily in MYCERTS.pem since there must be header that shows the identity--information such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the MYCERTS.pem file.

  3. Now set the WebLogic environment and run following command: 
    
java utils.ImportPrivateKey -keystore <new JKS file> -storepass

<new storepass> -storetype JKS -keypass <new key pass> -alias

<new alias name> -certfile my_key_crt.pem -keyfile my_key_pk.pem

-keyfilepass <PFX key password>

This will create a JKS file that can be used in WebLogic Server. Note that you can import many private keys into a key store using the utils.ImportPrivateKey command as mentioned above. Please refer to the Glossary for details about utils.ImportPrivateKey.

Converting PFX to PEM Certificate Formats for Two-Way SSL

Calling a web service over two-way SSL through a Java client requires that the Java client have a certificate in the PEM format--and it must contains the private key of the calling user. In the following, we're going to assume that you have the client certificate already installed in your browser. In this case, you're going to have to export the certificate as detailed below.

  1. Export the client certificate from the browser and save the certificate in MYCERTS.pfx. Please follow the steps given below, which are for the Internet Explorer browser (a similar procedure can be carried out on other browsers):
    1. Go to Internet Explorer -> Tools -> Internet Options -> Content tab.

      Figure 1

    2. Press the Certificates button and go to the Personal tab.

      Figure 2

    3. Select the certificate you want to export and press the export button. Hit "next" and then select the "Yes, export the private key" radio button. Press "next" and check "Include all certificates in the certificate path if possible."

      Figure 3

    4. The next page will ask you to provide the password to protect the private key. After filling this in, you will finally be able to save the certificate to a file.
  2. Now open the OpenSSL command prompt and execute following command:

    openssl pkcs12 -in MYCERTS.pfx -out MYCERTS.pem -nodes

    This will convert the PFX format to a PEM format. The MYCERTS.pem will have all the certificates in the following order:

    • Private key
    • Identity certificate
    • Root certificate
    • Intermediate certificate

    From the MYCERTS.pem file, create a new file (say, my_key_crt.pem) with the certificates reordered (simply copy and paste). The order is important, otherwise the hosting server will not recognize the certificates:

    • Identity certificate
    • Intermediate certificate
    • Root certificate
    • Private Key

    Now the my_key_crt.pem can be directly used by a Java client to invoking web services over SSL.

Summary

This tutorial showed how to perform two tasks:

  1. Exporting the private key, identity certificate, intermediate certificate, and root certificate from a .PFX server certificate and importing these into a JKS file that can be utilized in WebLogic Server for one-way SSL configuration. This is useful if you want to utilize existing, PFX-format server certificates in WebLogic Server.
  2. Transforming an existing client certificate in PFX format to the PEM format that can be used by a Java client in two-way SSL communication.

References

The following product documentation links provide additional information for configuring SSL on WebLogic Server:

  • Configuring SSL
  • ImportPrivateKey command reference
  • A presentation showing how to configure a key store for WebLogic Server.

Glossary

OpenSSL: This toolkit provides implementations of the SSL and TLS protocols with full-strength cryptography worldwide. It also provides features to transform the certificates between different formats (i.e. from PFX to PEM).

Java keytool: This is the key and certificate management tool. It also manages a keystore (database) of private keys and their associated X.509 certificate chains authenticating the corresponding public keys. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures.

Root certificate: In cryptography and computer security, a root certificate is an unsigned public key certificate, or a self-signed certificate, and is part of a public key infrastructure scheme.

Identity certificate: In cryptography, a public key certificate (or identity certificate) is a certificate that uses a digital signature to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

Intermediate certificate: An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate, and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.

Private Key/public key: The encryption using a private key/public key pair ensures that the data can be encrypted by one key but can only be decrypted by the other key pair. The keys are similar in nature and can be used alternatively: what one key encrypts, the other key pair can decrypt. The key pair is based on prime numbers and their length in terms of bits ensures the difficulty of being able to decrypt a message without the key pairs. The trick in a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody. Anybody can then send you an encrypted message that only you will be able to decrypt.

WebLogic ImportPrivateKey: The ImportPrivateKey utility is used to load a private key into a private keystore file. This utility is bundled with the WebLogic Server installation and you need set the domain environment ( Domain_Dir/setEnv) to execute this utility. For more information visit the documentation.

Arvind Tiwari works as a DRE in BEA Backline Support for WebLogic Server.