

@matthogan
Last active January 4, 2022 23:41

Revisions

  1. matthogan revised this gist Jan 4, 2022. 1 changed file with 3 additions and 3 deletions.
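--- a/CopyKeyFromKeyStoreToNewKeyStore.java
+++ b/CopyKeyFromKeyStoreToNewKeyStore.java
@@ -19,7 +19,7 @@
 * <p>
 * Export the public certificate from pkcs12 format keystore:-
 * <p>
-* openssl pkcs12 -in keystore_name.p12 -nokeys -out public-cert-file
+* openssl pkcs12 -in new.p12 -nokeys -out cert.crt
 * <p>
 * Once the new p12 exists then list it.
 * <p>
@@ -48,8 +48,8 @@ static void copyAliasToNewKeystore(String oldKs, char[] pw, String alias, String
 var chain = keystore.getCertificateChain(alias);
 // give to the new
 var ks = KeyStore.getInstance("pkcs12");
-ks.load(null, null);
-ks.setKeyEntry(alias, key, null, chain);
+ks.load(null, pw);
+ks.setKeyEntry(alias, key, pw, chain);
 try (var out = new FileOutputStream(newKs)) {
 ks.store(out, pw);
 }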
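Review bot: The new `ks.setKeyEntry(alias, key, pw, chain)` line still takes whatever `keystore.getKey(alias, null)` returned just above the hunk, and that returns null when the alias is absent or is a certificate-only entry, so a bad alias fails inside setKeyEntry with an unrelated exception instead of a clear message; a guard before the new line, `if (key == null) throw new IllegalArgumentException("no key entry for alias " + alias);`, names the real problem. With this change the same password protects both the store and the copied key entry, which is worth a sentence in the class Javadoc because the openssl export steps listed there presumably rely on it. The `new FileOutputStream(newKs)` context line writes a file that now holds a private key with the JVM's default permissions; creating it owner-readable only (for example via `java.nio.file.Files` with POSIX file attributes) before storing would avoid leaving the key world-readable on a shared host. copyAliasToNewKeystore begins outside the hunk.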
  2. matthogan created this gist Jan 4, 2022.
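--- /dev/null
+++ b/CopyKeyFromKeyStoreToNewKeyStore.java
@@ -0,0 +1,57 @@
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.security.KeyStore;
+
+/**
+* Transfers a specific alias corresponding to a key from an existing
+* archive to a new one. Assumes p12 format.
+* <p>
+* Some keystores are full of keys, used as general purpose archives,
+* and if some are 'unsupported' then errors like 'Warning unsupported bag
+* type: secretBag' prevent exporting any keys through the usual keytool
+* method. For example:-
+* <p>
+* keytool -importkeystore ...
+* <p>
+* Export unencrypted private key from new.p12:-
+* <p>
+* openssl pkcs12 -in new.p12 -nodes -nocerts -out key.pem
+* <p>
+* Export the public certificate from pkcs12 format keystore:-
+* <p>
+* openssl pkcs12 -in keystore_name.p12 -nokeys -out public-cert-file
+* <p>
+* Once the new p12 exists then list it.
+* <p>
+* keytool -list -keystore new.p12 -storepass changeit
+* <p>
+* Usage:-
+* <p>
+* java CopyKeyFromKeyStoreToNewKeyStore alias-to-copy old.p12 new.12
+*/
+public class CopyKeyFromKeyStoreToNewKeyStore {
+
+public static void main(String... args) throws Exception {
+var alias = args[0];
+var oldKs = args.length > 1 ? args[1] : "old.p12";
+var newKs = args.length > 2 ? args[2] : "new.p12";
+var pw = "changeit".toCharArray();
+copyAliasToNewKeystore(oldKs, pw, alias, newKs);
+}
+
+static void copyAliasToNewKeystore(String oldKs, char[] pw, String alias, String newKs) throws Exception {
+// take from the old
+var is = new FileInputStream(oldKs);
+var keystore = KeyStore.getInstance("pkcs12");
+keystore.load(is, pw);
+var key = keystore.getKey(alias, null);
+var chain = keystore.getCertificateChain(alias);
+// give to the new
+var ks = KeyStore.getInstance("pkcs12");
+ks.load(null, null);
+ks.setKeyEntry(alias, key, null, chain);
+try (var out = new FileOutputStream(newKs)) {
+ks.store(out, pw);
+}
+}
+}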
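Review bot: `var is = new FileInputStream(oldKs)` in copyAliasToNewKeystore is never closed; `KeyStore.load` does not close the stream it is handed, so the descriptor stays open until garbage collection. Wrap it the way the output side already is: `try (var is = new FileInputStream(oldKs)) { keystore.load(is, pw); }`. `keystore.getKey(alias, null)` passes a null key password, and whether that unwraps a protected PKCS12 key entry is provider-dependent, so passing `pw` (or a dedicated key-password parameter) is the safer default; the later revision on this page switches the write side to `pw` but leaves this read unchanged. main fixes the store password to "changeit"; reading it with `System.console().readPassword()` when a console is available keeps the real password out of the source and shell history, and `Arrays.fill(pw, '\0')` after the copy clears it from memory. The class also lacks Javadoc on copyAliasToNewKeystore itself; a one-line summary plus `@throws Exception` describing the keystore/IO failures would match the header's level of detail.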