tomcat-users mailing list archives

From Felix Schumacher <>
Subject Re: SSL Certificate formats, requirements for import into existing keystore
Date Thu, 07 Jul 2011 05:14:10 GMT
Hi Marvin,

Marvin Addison <> wrote:

>> There is some "junk" ("bag attributes") in the file that I don't
>> understand. I am used to just seeing "-----BEGIN CERTIFICATE-----
>> "-----END RSA PRIVATE KEY----- "
>As far as I know, keytool can only import certificates in PKCS8
>format.  The "junk" you mentioned may indicate the key is in SSLeay
>format.  You can use OpenSSL to convert from one format to another.
>That said, I'm not aware of _any_ method to import a keypair into a
>keystore using keytool; the private key is inaccessible (with respect
>to import and export) by design.

I think that restriction is gone. At least my Sun JDK 6u12 keytool can import complete PKCS12
files into my Java keystores without a problem. Export works, too.
And u12 is really old now.

>You should probably determine whether you actually need the private
>key before proceeding.  Sounds like you're doing SSL offloading, but
>that shouldn't necessarily require using the same keypair on both the
>LB and endpoint.
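An added example, not part of the original messages or of keytool/OpenSSL: "Bag Attributes" lines are the per-entry metadata OpenSSL prints when it dumps a PKCS#12 file as PEM, and the PEM label tells a PKCS#8 key from a traditional RSA key. This Python helper lists each PEM block with its kind and bag attributes; the function name `classify_pem` and the sample input are constructed for illustration.

```python
import re

# Constructed sample shaped like an OpenSSL PKCS#12-to-PEM dump; base64 bodies are placeholders.
SAMPLE = """\
Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65
subject=/CN=www.example.org
-----BEGIN CERTIFICATE-----
TUlJQ3BsYWNlaG9sZGVy
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: tomcat
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
TUlJRXBsYWNlaG9sZGVy
-----END RSA PRIVATE KEY-----
"""

KINDS = {
    "CERTIFICATE": "X.509 certificate",
    "PRIVATE KEY": "PKCS#8 private key, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 private key, encrypted",
    "RSA PRIVATE KEY": "traditional (SSLeay/PKCS#1) RSA private key",
}
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
ATTR = re.compile(r"^\s+(\w+):\s*(.*)$")

def classify_pem(text):
    """Return one dict per PEM block: label, kind, and preceding bag attributes."""
    blocks, attrs, label = [], {}, None
    for line in text.splitlines():
        if label is None:
            m = BEGIN.match(line)
            if m:
                label = m.group(1)
            elif line.strip() == "Bag Attributes":
                attrs = {}                      # a new bag starts here
            elif (a := ATTR.match(line)):
                attrs[a.group(1)] = a.group(2)  # e.g. friendlyName, localKeyID
        elif line.strip() == f"-----END {label}-----":
            blocks.append({"label": label, "kind": KINDS.get(label, "unknown"),
                           "attrs": attrs})
            attrs, label = {}, None
    if label is not None:
        raise ValueError(f"unterminated PEM block: {label}")
    return blocks

if __name__ == "__main__":
    print(*classify_pem(SAMPLE), sep="\n")
```

The helper only reads labels and attribute lines; it never decodes or prints key material.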