Converting PEM-format keys to JKS format

This topic describes how to convert PEM-format certificates to the standard Java KeyStore (JKS) format.

The Java KeyStores can be used for communication between components that are configured for SSL (for example, between Studio and the Oracle Endeca Server, if both are SSL-enabled).

Two utilities (located in Endeca Server directories) are referenced in the instructions below:
  • openssl (located in the endeca-server/dgraph/bin directory)
  • keytool (located in the shared/jre/bin directory)
This procedure assumes the following:
  • You have added the Dgraph utilities directory and the Dgraph binaries to your path environment variable, so that you can run the openssl utility from the directory of your choice.
  • Your path will allow you to use the keytool utility from the directory of your choice.
  • You have already generated the set of standard SSL certificates with the enecerts command, as documented earlier in this section.
  • All of the input files are located in the local directory.

To convert the PEM-format keys to Java KeyStores:

  1. Convert the certificate from PEM to PKCS12, using the following command:
    openssl pkcs12 -export -out eneCert.pkcs12 -in eneCert.pem
    You may ignore the warning message this command issues.
  2. Enter and repeat the export password.
  3. Create and then delete an empty truststore using the following commands:
    keytool -genkey -keyalg RSA -alias endeca -keystore truststore.ks
    keytool -delete -alias endeca -keystore truststore.ks
    The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: 
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  
    What is the name of your City or Locality?
      [Unknown]: 
    What is the name of your State or Province?
      [Unknown]: 
    What is the two-letter country code for this unit?
      [Unknown]: 
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes
    
    Enter key password for <endeca>
            (RETURN if same as keystore password):
    Re-enter new password:
  4. Import the CA into the truststore, using the following command:
    keytool -import -v -trustcacerts -alias endeca-ca -file eneCA.pem -keystore truststore.ks
  5. Enter the keystore password.
  6. At the prompt, "Trust this certificate?" type yes.
  7. Create an empty Java KeyStore, using the following commands:
    keytool -genkey -keyalg RSA -alias endeca -keystore keystore.ks
    keytool -delete -alias endeca -keystore keystore.ks
    The -genkey command creates the default certificate shown below. (This is a temporary certificate that is subsequently deleted by the -delete command, so it does not matter what information you enter here.)
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: 
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  
    What is the name of your City or Locality?
      [Unknown]: 
    What is the name of your State or Province?
      [Unknown]: 
    What is the two-letter country code for this unit?
      [Unknown]: 
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes
    
  8. Import your private key into the empty JKS, using the following command:
    keytool -v -importkeystore -srckeystore eneCert.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.ks -deststoretype JKS
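
A check you can run on the finished stores, added here as an example (it is not part of the original procedure or of the product). It reads keytool -list output and confirms that the truststore holds only the CA, and that the keystore holds an imported private key with the temporary endeca alias removed. The function names and sample listings are constructed; the imported alias 1 is an assumption about what keytool assigns when the PKCS12 file carries no friendly name.

```shell
#!/bin/sh
# Added example: validates `keytool -list` output for the stores built above.
# Function names and sample listings are constructed, not from the product.

# Print aliases of entries of type $1 from a keytool listing on stdin.
# Entry lines read "<alias>, <date>, <type>," and the date may contain commas.
aliases_of_type() {
    awk -v t="$1" '$NF == (t ",") { sub(/, .*/, ""); print }'
}

# Truststore: CA present as a trusted certificate, and no private key left
# behind (the temporary "endeca" key pair must have been deleted).
check_truststore() {
    listing=$(cat)
    keys=$(printf '%s\n' "$listing" | aliases_of_type PrivateKeyEntry)
    [ -z "$keys" ] || { echo "truststore holds private key: $keys"; return 1; }
    printf '%s\n' "$listing" | aliases_of_type trustedCertEntry |
        grep -qxF 'endeca-ca' || { echo "endeca-ca not trusted"; return 1; }
    echo "truststore ok"
}

# Keystore: an imported private key is present and the temporary alias is
# gone. The match is exact, so an alias such as "endeca-ca" is not mistaken.
check_keystore() {
    keys=$(aliases_of_type PrivateKeyEntry)
    [ -n "$keys" ] || { echo "keystore has no private key"; return 1; }
    if printf '%s\n' "$keys" | grep -qxF 'endeca'; then
        echo "temporary alias endeca still present"; return 1
    fi
    echo "keystore ok"
}

# Constructed sample listings (fingerprints elided).
GOOD_TRUST='Your keystore contains 1 entry

endeca-ca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed)'
GOOD_KEY='Your keystore contains 1 entry

1, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)'
STALE_KEY='Your keystore contains 2 entries

endeca, Jan 1, 2024, PrivateKeyEntry,
1, Jan 1, 2024, PrivateKeyEntry,'

printf '%s\n' "$GOOD_TRUST" | check_truststore
printf '%s\n' "$GOOD_KEY" | check_keystore
printf '%s\n' "$STALE_KEY" | check_keystore || true
```

To check the real stores, pipe the output of keytool -list -keystore truststore.ks into check_truststore and that of keytool -list -keystore keystore.ks into check_keystore.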