Another tool providing the same functionality is ExtKeyTool, available here.
If you don't need a scripting interface and are happy with a UI, you can use Keystore Explorer; it's really cool. It lets you export the private key very simply in PKCS#8, PVK or OpenSSL format. All these formats can be encrypted and protected with a password, so that the private key cannot simply be stolen from the file. Your .key file is not necessarily protected. Incidentally, if your .key file begins with "-----BEGIN RSA PRIVATE KEY-----", it's most likely an OpenSSL file.
Traditionally in the WebLogic world people use the utils.ImportPrivateKey utility; as you can see, it supports all of the following: a password-protected key file (-keyfilepass), a password-protected JKS store (-storepass), a password-protected key entry in the JKS store (-keypass):
cd $DOMAIN_HOME/bin
. ./setDomainEnv.sh
java utils.ImportPrivateKey

Usage: java utils.ImportPrivateKey
        -certfile -keyfile [-keyfilepass ]
        -keystore -storepass [-storetype ]
        -alias [-keypass ]
        [-help]
Where:
        -certfile, -keyfile, -keyfilepass
                certificate and private key files, and the private key password
        -keystore, -storepass, -storetype
                keystore file name, password, and type. The default type is JKS.
        -alias -keypass
                alias and password of the keystore key entry where the private key
                and the public certificate will be imported. When the key entry
                password is not specified, the private key password will be used
                instead, or when it is not specified either, the keystore password.
In fact, you MUST protect your key with a password in the JKS file, but the .key file need not be protected (-keyfilepass can be omitted). The -keypass parameter is the same value you provide for "Private Key Passphrase" in the "SSL" configuration of the WebLogic Server. The -storepass corresponds to the "Custom Identity Keystore Passphrase" in the "Keystore" tab of the WLConsole.
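One way to check whether a .key file is password-protected before deciding to pass or omit -keyfilepass, as an added example that is not part of the original post. The function names (classify_key, audit_key, make_sample) and the sample files are constructed for illustration; the check reads only the PEM header lines and covers the PKCS#8 labels and the traditional RSA and EC labels.

```shell
#!/bin/sh
# Added example: read the PEM header to learn whether a key file is encrypted.

# Prints encrypted-pkcs8 | plain-pkcs8 | encrypted-openssl | plain-openssl | not-pem
classify_key() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    # Strip CR so keys saved on Windows still match; the first BEGIN line wins.
    begin=$(tr -d '\r' < "$1" | grep -e '^-----BEGIN .*PRIVATE KEY-----$' | head -n 1)
    case $begin in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "encrypted-pkcs8" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "plain-pkcs8" ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Traditional OpenSSL format marks encryption with a Proc-Type header.
            if tr -d '\r' < "$1" | grep -q '^Proc-Type: 4,ENCRYPTED$'; then
                echo "encrypted-openssl"
            else
                echo "plain-openssl"
            fi ;;
        *) echo "not-pem" ;;
    esac
}

# Maps the result to the ImportPrivateKey flag; a plain key whose mode grants
# anything to group/other (columns 5-10 of `ls -ld`) is reported as such.
audit_key() {
    kind=$(classify_key "$1")
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    case $kind in
        encrypted-*) echo "$kind: pass -keyfilepass" ;;
        plain-*)
            case $perms in
                "------") echo "$kind: omit -keyfilepass" ;;
                *) echo "$kind: omit -keyfilepass; mode grants group/other access" ;;
            esac ;;
        *) echo "$kind: no usable PEM private key" ;;
    esac
}

# Constructed sample file: real header lines, dummy body, CRLF line endings.
make_sample() {  # make_sample <path> <label> [extra-header-line]
    { printf '%s\r\n' "-----BEGIN $2-----"
      if [ -n "$3" ]; then printf '%s\r\n\r\n' "$3"; fi
      printf '%s\r\n' "Q09OU1RSVUNURUQ=" "-----END $2-----"; } > "$1"
}

d=$(mktemp -d)
make_sample "$d/a.key" "RSA PRIVATE KEY" "Proc-Type: 4,ENCRYPTED"
make_sample "$d/b.key" "RSA PRIVATE KEY"; chmod 644 "$d/b.key"
audit_key "$d/a.key"; audit_key "$d/b.key"; rm -rf "$d"
```

An unencrypted key that is also readable by other accounts should be re-exported with a password or have its mode tightened before it is imported and then removed from disk.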
Another workaroundish way of doing it is using keytool and going through a pkcs12 keystore:
-importkeystore [-v]
        [-srckeystore] [-destkeystore ]
        [-srcstoretype ] [-deststoretype ]
        [-srcstorepass ] [-deststorepass ]
        [-srcprotected] [-destprotected]
        [-srcprovidername ] [-destprovidername ]
        [-srcalias [-destalias ] [-srckeypass ] [-destkeypass ]]
        [-noprompt]
        [-providerclass [-providerarg ]] ...
        [-providerpath ]
Just use the -destkeypass option, and -srcstoretype PKCS12 (see this SO post).