12

I have created a self-signed certificate with Java code and added it to a KeyStore. Now I want to export the private key and certificate that were created into a file in PEM format. Is it possible to achieve this without any third-party library? Below is the code I use for creating the self-signed certificate.

    public void createSelfSignedSSLCertificate() {
        try {
            final CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
            final X500Name x500Name =
                    new X500Name(commonName, organizationalUnit, organization, city, state, country);
            keypair.generate(keysize);
            final PrivateKey privKey = keypair.getPrivateKey();
            final X509Certificate[] chain = new X509Certificate[1];
            chain[0] = keypair.getSelfCertificate(x500Name, new Date(), validity * 24 * 60 * 60);
            final String alias = JettySSLConfiguration.SSL_CERTIFICATE_ALIAS;
            keyStore.setKeyEntry(alias, privKey, keyStorePassword.toCharArray(), chain);
        } catch (final Exception e) {
            // Handle Exception
        }
    }

Any suggestion of how to export the key and certificate into file with PEM format will be really helpful.

2
  • 1
    There is really no such thing as a single "PEM" format. There are all kinds of different crypto structures that, when base64 encoded and surrounded with -----BEGIN <xyz> and -----END <xyz>, are described as "PEM format". You'll need to be specific as to which one you want. Commented Jan 20, 2013 at 20:36
  • 1
    Instead of using some of the internal sun.* packages, which are not part of the J2SE API, you should probably consider using a 3rd party library. Commented Jan 22, 2013 at 13:19

3 Answers

12

You use Certificate.getEncoded() and Key.getEncoded() to get DER and do the base 64 encoding and header/footer manually, e.g. using DatatypeConverter.printBase64Binary() or some other way. Something like:

    // DatatypeConverter here is javax.xml.bind.DatatypeConverter
    String certpem = "-----BEGIN CERTIFICATE-----\n"
            + DatatypeConverter.printBase64Binary(chain[0].getEncoded())
            + "\n-----END CERTIFICATE-----\n";
    String keypem = "-----BEGIN RSA PRIVATE KEY-----\n"
            + DatatypeConverter.printBase64Binary(privKey.getEncoded())
            + "\n-----END RSA PRIVATE KEY-----\n";

1 Comment

The encoding returned by [Private]Key.getEncoded() is and always was, as documented, PKCS8, and the correct PEM type for PKCS8 is and was PRIVATE KEY (as in Anup's more recent A) not RSA PRIVATE KEY. This is formalized in RFC7468, although that was 2 years after this A.
5

Thanks, Daniel Roethlisberger, for your reply. I got great help from your reply.

Implemented in Java as below:

    String encodedString = "-----BEGIN PRIVATE KEY-----\n";
    encodedString = encodedString + Base64.getEncoder().encodeToString(Enrollment2.getKey().getEncoded()) + "\n";
    encodedString = encodedString + "-----END PRIVATE KEY-----\n";
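The approach from the two answers above, as an added example that is not part of either answer: JDK-only PEM export with the base64 body wrapped at 64 characters, the PKCS#8 label, and the key file created owner-only before anything is written. The class and method names (`PemExport`, `pem`, `toPem`, `writePrivate`) are hypothetical, the RSA key is generated only as sample input, and the file-permission step assumes a POSIX file system.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Base64;

public class PemExport { // hypothetical name, not from the page
    // RFC 7468 text encoding: base64 body in 64-character lines separated by LF.
    private static final Base64.Encoder B64 =
            Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));

    static String pem(String label, byte[] der) {
        return "-----BEGIN " + label + "-----\n"
                + B64.encodeToString(der)
                + "\n-----END " + label + "-----\n";
    }

    // getEncoded() on an exportable private key is PKCS#8, so the label is "PRIVATE KEY".
    static String toPem(PrivateKey key) {
        if (!"PKCS#8".equals(key.getFormat()) || key.getEncoded() == null)
            throw new IllegalArgumentException("key is not exportable as PKCS#8");
        return pem("PRIVATE KEY", key.getEncoded());
    }

    // getEncoded() on a public key is X.509 SubjectPublicKeyInfo.
    static String toPem(PublicKey key) { return pem("PUBLIC KEY", key.getEncoded()); }
    static String toPem(Certificate cert) throws CertificateEncodingException {
        return pem("CERTIFICATE", cert.getEncoded());
    }

    // Create the file as rw------- first (fails if it already exists), then write the key.
    static void writePrivate(Path path, String pemText) throws IOException {
        Files.createFile(path, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
        Files.write(path, pemText.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair(); // constructed sample key, stands in for privKey
        Path out = Files.createTempDirectory("pem-demo").resolve("key.pem");
        writePrivate(out, toPem(pair.getPrivate()));
        System.out.print(toPem(pair.getPublic()));
        System.out.println("private key written to " + out);
    }
}
```

For the certificate from the question, `toPem(chain[0])` produces the `CERTIFICATE` block in the same way.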


2

On Android, you can use the following Kotlin extension function:

    import android.util.Base64
    import java.security.PublicKey

    fun PublicKey.toPemString(): String {
        val publicKeyBase64: String = Base64.encodeToString(this.encoded, Base64.NO_WRAP)
        return publicKeyBase64.chunked(64).joinToString(
            separator = "\n",
            prefix = "-----BEGIN PUBLIC KEY-----\n",
            postfix = "\n-----END PUBLIC KEY-----\n"
        )
    }
