Converting KeyStores into Correct PKCS#12 Format

In Curity, private keys are stored in a pre-defined format in the configuration. To facilitate the conversion to this format, a convertks script is available in the bin directory of the Identity Server distribution.

The resulting key can be configured in the crypto-section as ssl/server-keystore, ssl/client-keystore, signing-keys, encryption-keys and decryption-keys.

Usage of the convertks Script

The convertks script processes a base64-encoded keystore, picks one Private Key entry out of that keystore, and writes it as the sole entry of a new KeyStore. The output of the script is a base64-encoded version of this new KeyStore.

There are two main ways of using the script: either by providing the input keystore as an argument, or by providing it as a file.

The convertks script can show all its options when you invoke it with:

$ convertks --help

Provide KeyStore through Command-line

Given a base64-encoded KeyStore (i.e. “MyInputKeystore”) that is protected with the KeyStore password ‘KeyStorePassword’, containing an entry with the alias ‘InputEntryAlias’ that is protected with the password ‘InputEntryPassword’, the convertks script can be invoked with the following command line:

$ convertks --in-password KeyStorePassword --in-alias InputEntryAlias --in-entry-password InputEntryPassword --in-keystore MyInputKeystore

Note: if the entry password is the same as the password of the keystore, the --in-entry-password argument can be omitted.

This will output the KeyStore in the correct format to the console. If the output needs to be written to a file instead, add the --out-file parameter with the appropriate filename; in that case the script prints nothing to the console.

Note that if any required argument is not provided, the script will prompt for it.

Using stdin

Instead of providing the keystore on the command line itself, it can also be provided through stdin, e.g. with a command like:

$ cat "MyInputKeystore" | convertks --in-password KeyStorePassword --in-alias InputEntryAlias --in-entry-password InputEntryPassword

Provide KeyStore through File

If the base64-encoded KeyStore is stored in a file, the procedure is the same as above, except that the --in-keystore parameter carrying the KeyStore is replaced with the --in-file argument carrying the name of the file. Given that the file is “current-keystore-base64.txt”, the convertks script can be invoked with the following command line:

$ convertks --in-password KeyStorePassword --in-alias InputEntryAlias --in-entry-password InputEntryPassword --in-file current-keystore-base64.txt --out-file new-keystore-base64.txt

Note: if the entry password is the same as the password of the keystore, the --in-entry-password argument can be omitted.

This will output the KeyStore in the correct format to the file new-keystore-base64.txt.

If no --out-file argument is provided, the new keystore is shown in the console.
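The same pick-one-entry conversion done with plain keytool, as an added example that is not Curity's convertks script: it builds a constructed two-entry keystore, copies only the InputEntryAlias entry into a fresh PKCS#12 keystore, and checks that the result holds exactly one private key entry before it is pasted into the configuration. It assumes keytool (from a JDK) and base64 are on PATH; all file names, aliases and passwords are invented.

```shell
#!/bin/sh
# Added example, not the Curity convertks script: the same transformation done
# with plain keytool, plus a check on the result. Assumes keytool (a JDK) and
# base64 on PATH; all file names, aliases and passwords are made up.
set -eu

# Build a constructed input keystore holding two private-key entries, so that
# picking one alias is meaningful. Prints the keystore base64-encoded.
make_input_keystore() {   # $1 = keystore path, $2 = store password
  for entry in InputEntryAlias OtherEntry; do
    keytool -genkeypair -keystore "$1" -storetype PKCS12 -storepass "$2" \
      -keypass "$2" -alias "$entry" -keyalg RSA -keysize 2048 \
      -dname "CN=$entry" -validity 1 >/dev/null 2>&1
  done
  base64 < "$1" | tr -d '\n'
}

# Equivalent of: convertks --in-password P --in-alias A --in-file F --out-file O
# Copies only the requested alias into a new PKCS#12 keystore. No -srckeypass is
# given, matching the page's note: the store password is used for the entry too.
convert_keystore() {   # $1 = base64 input file, $2 = password, $3 = alias, $4 = base64 output file
  work=$(mktemp -d)
  base64 -d < "$1" > "$work/in.p12"
  keytool -importkeystore -noprompt \
    -srckeystore "$work/in.p12" -srcstoretype PKCS12 -srcstorepass "$2" -srcalias "$3" \
    -destkeystore "$work/out.p12" -deststoretype PKCS12 -deststorepass "$2" \
    -destkeypass "$2" >/dev/null 2>&1
  base64 < "$work/out.p12" | tr -d '\n' > "$4"
  rm -rf "$work"
}

# Check worth doing before pasting the value into the configuration: the new
# keystore must contain exactly one PrivateKeyEntry. Prints that count.
count_private_key_entries() {   # $1 = base64 keystore file, $2 = store password
  ks=$(mktemp)
  base64 -d < "$1" > "$ks"
  n=$(keytool -list -keystore "$ks" -storetype PKCS12 -storepass "$2" 2>/dev/null \
        | grep -c PrivateKeyEntry || true)
  rm -f "$ks"
  echo "$n"
}
```

Because the output keystore is protected with the same password as the input, it can be configured under the crypto section with that single password.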
