Converting PEM-format keys to JKS format

This topic describes how to convert PEM-format certificates to the standard Java KeyStore (JKS) format.

These Java KeyStores can then be used for SSL communication between Endeca components (for example, between Latitude Studio and the MDEX Engine, if both are SSL-enabled).

Two utilities are referenced in the instructions below:
  • openssl, which is located in the bin directory of the MDEX Engine distribution.
  • keytool, which is located in the bin directory of the JDK distribution.

This procedure assumes the following:
  • You have run the appropriate version of the mdex_setup script for your operating system.

    This script adds the utilities directory and the MDEX Engine binaries to the search path, and allows you to run the openssl utility from the directory of your choice.

    It is documented as part of the MDEX Engine installation in the Latitude Installation Guide.

  • Your PATH allows you to run the keytool utility from the directory of your choice.
  • You have already generated the set of standard SSL certificates with the enecerts command, as documented earlier in this section.
  • All of the input files are located in the local directory.

To convert the PEM-format keys to Java KeyStores:

  1. Convert the certificate from PEM to PKCS12, using the following command:
    openssl pkcs12 -export -out eneCert.pkcs12 -in eneCert.pem
    You may ignore the warning message this command issues.
  2. Enter and repeat the export password (endeca).
  3. Create and then delete an empty truststore for Tomcat, using the following commands:
    keytool -genkey -keyalg RSA -alias "endeca" -keystore truststore.ks
    keytool -delete -alias endeca -keystore truststore.ks
    The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: 
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  
    What is the name of your City or Locality?
      [Unknown]: 
    What is the name of your State or Province?
      [Unknown]: 
    What is the two-letter country code for this unit?
      [Unknown]: 
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes
    
    Enter key password for <endeca>
            (RETURN if same as keystore password):
    Re-enter new password:
  4. Import the CA into the truststore, using the following command:
    keytool -import -v -trustcacerts -alias endeca-ca -file eneCA.pem -keystore truststore.ks
  5. Enter the keystore password (endeca).
  6. At the prompt, "Trust this certificate?" type yes.
  7. Create an empty Java KeyStore, using the following commands:
    keytool -genkey -keyalg RSA -alias "endeca" -keystore keystore.ks
    keytool -delete -alias endeca -keystore keystore.ks
    The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: 
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  
    What is the name of your City or Locality?
      [Unknown]: 
    What is the name of your State or Province?
      [Unknown]: 
    What is the two-letter country code for this unit?
      [Unknown]: 
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes

  8. Import your private key into the empty JKS, using the following command:
    keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS
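The eight steps above as one non-interactive script, followed by a check that the resulting stores hold what the Endeca components expect. This is an added example, not part of the Endeca documentation; it assumes openssl and keytool are on PATH and takes the eneCert.pem and eneCA.pem files produced by enecerts. It goes beyond the procedure in two ways: the temporary -genkey/-delete steps are skipped, since -importkeystore and -importcert create the destination store themselves, and the -name / -srcalias / -destalias options pin the key's alias to "endeca" instead of openssl's default "1".

```shell
#!/bin/sh
# Added example: PEM -> JKS conversion from the procedure above, run without
# prompts, plus a verification step. Assumes openssl and keytool are on PATH.
set -e

# pem_to_jks SRC_PEM CA_PEM OUT_DIR PASSWORD
# Writes OUT_DIR/keystore.ks (private key + certificate under alias "endeca")
# and OUT_DIR/truststore.ks (CA certificate under alias "endeca-ca").
pem_to_jks() {
    pem=$1 ca=$2 out=$3 pw=$4
    mkdir -p "$out"
    # Steps 1-2: PEM -> PKCS12. -name fixes the friendly name (the alias Java
    # will see) instead of leaving openssl's default "1".
    openssl pkcs12 -export -in "$pem" -name endeca \
        -out "$out/eneCert.pkcs12" -passout "pass:$pw"
    # Steps 7-8: PKCS12 -> JKS. The destination store is created on the fly,
    # so the temporary -genkey/-delete dance is unnecessary.
    keytool -importkeystore -noprompt \
        -srckeystore "$out/eneCert.pkcs12" -srcstoretype PKCS12 -srcstorepass "$pw" \
        -srcalias endeca -destalias endeca \
        -destkeystore "$out/keystore.ks" -deststoretype JKS \
        -deststorepass "$pw" -destkeypass "$pw"
    # Steps 3-6: CA -> truststore. -noprompt answers "Trust this certificate?".
    keytool -importcert -noprompt -trustcacerts -alias endeca-ca -file "$ca" \
        -keystore "$out/truststore.ks" -storetype JKS -storepass "$pw"
}

# verify_jks DIR PASSWORD
# Returns 0 only if keystore.ks holds a private key entry under "endeca" and
# truststore.ks holds a trusted certificate entry under "endeca-ca".
verify_jks() {
    dir=$1 pw=$2
    keytool -list -keystore "$dir/keystore.ks" -storepass "$pw" 2>/dev/null \
        | grep -qi '^endeca,.*PrivateKeyEntry' || return 1
    keytool -list -keystore "$dir/truststore.ks" -storepass "$pw" 2>/dev/null \
        | grep -qi '^endeca-ca,.*trustedCertEntry' || return 1
}
```

Run it as `pem_to_jks eneCert.pem eneCA.pem ./out endeca && verify_jks ./out endeca` from the directory holding the enecerts output; a non-zero exit from verify_jks means an alias or entry type is not what Tomcat and the MDEX Engine will look for.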