Convert Keys Among GPG, OpenSSL, SSH, jarsigner And NSS

Submitted by Eus
on July 18, 2010 - 12:40pm

Key conversion for GPG <-> OpenSSL <-> SSH: http://www.sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-be...

Key conversion for OpenSSL <-> jarsigner: http://forums.sun.com/thread.jspa?threadID=5419870

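# CA
# the ca/ directory must exist before openssl can write into it
mkdir -p ca
openssl genrsa -aes128 -out ca/ca.key -passout pass:sabre150 2048
openssl req -new -x509 -days 1001 -key ca/ca.key -out ca/ca.crt -passin pass:sabre150 -subj "/C=GB/ST=ssssss/L=aaaaaaa/OU=CA/O=xxxxxx/CN=Sabre"
# Server (1024-bit RSA is too short for current use; prefer 2048 bits or more)
openssl genrsa -aes128 -out server.key -passout pass:pd143r 1024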
# Create a pkcs8 PEM format private key from the generated rsa key - http://www.openssl.org/docs/apps/pkcs8.html
openssl pkcs8 -topk8 -inform PEM -in server.key -passin pass:pd143r -outform PEM -nocrypt -out server.pkcs8
# create the server CSR
openssl req -new -key server.key -out server.csr -passin pass:pd143r -subj "/C=GB/ST=zzzzzz/L=zzzzzz/OU=Server/O=zzzzzz/CN=*.sabre150.uk"
# sign the server csr using the CA private key and subject
openssl x509 -req -days 365 -in server.csr -CA ca/ca.crt -CAkey ca/ca.key -set_serial 01 -out server.crt -passin pass:sabre150
# convert to pkcs12
openssl pkcs12 -export -name fred -in server.crt -inkey server.key -out server.p12 -passin pass:pd143r -passout pass:pd143r
# import into the keystore (the trick is to treat the OpenSSL PKCS12 file as another keystore, since keytool has no option to import a key pair)
keytool -importkeystore -destkeystore keystore.ks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass pd143r -deststorepass pd143r
keytool -list -keystore keystore.ks -storepass pd143r
keytool -exportcert -keystore keystore.ks -storepass pd143r -alias fred

Key conversion for OpenSSL <-> NSS: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thr...

From: Nelson Bolyard 
Date: Tue, 02 Dec 2008 17:58:25 -0800

>    2. if not, how do i add the cert's private key to key3.db?

NSS does not deal with private keys in PEM files.  It only deals with
private keys in PKCS#12 files.  You can get the OpenSSL utility program
to combine the PEM files for the cert and its private key into a single
PKCS#12 file, and then import that PKCS#12 file into NSS's databases
using NSS's utility program named pk12util.  That's the only supported
way to import private keys from files into NSS.

From: David Stutzman 
Date: Thu, 4 Dec 2008 05:22:37 -0800 (PST)

Since you say you originally created the key/cert with openssl, just
use openssl to package those things up into a PKCS#12 file and use
pk12util to import them.

First, copy the text of the keyfile into the certfile or vice versa
(or cat them both into a 3rd file), it doesn't matter as long as both
are in the same file.  Then run either of the below commands where
file.pem is the file you just put the cert/key into.  The second
command allows you to put some CA certs into the PKCS12 should you so
desire.  The -name field ends up being the "Friendly name" and after
you import using pk12util it will be the nickname that you use to
reference the cert/key via NSS and the server products so choose
wisely there.

openssl pkcs12 -export -in file.pem -out file.p12 -name "Server-Cert"
openssl pkcs12 -export -in file.pem -out file.p12 -name "Server-Cert" -certfile othercerts.pem

then to import to NSS, this is usually enough:
pk12util -i file.p12 -d [cert/key db location]

then list the contents of your DB:
certutil -L -d [cert/key db location]

if you see 3 u's after the nickname then you did it right and the cert
AND key are there:
$ nsscertutil -L -d .
Server-Cert
u,u,u
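
Both the keytool and the pk12util procedures above depend on a single PKCS#12 file, so it can be checked before it is imported. The shell sketch below is an added example, not code from the quoted posts: it takes passphrases from environment variables (KEY_PASS and P12_PASS are names assumed here) instead of pass: arguments, which show up in the process list, then confirms the friendly name and that the bundled key matches the bundled certificate. The key and certificate are throwaway samples constructed by the script.

```shell
#!/bin/sh
# Added example. KEY_PASS / P12_PASS are assumed variable names; the defaults
# below are constructed sample values for the throwaway demo key only.
export KEY_PASS="${KEY_PASS:-constructed-key-pass}"
export P12_PASS="${P12_PASS:-constructed-p12-pass}"

# make_sample DIR: create a throwaway encrypted key and self-signed certificate.
make_sample() {
    openssl genrsa -aes128 -passout env:KEY_PASS -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1 -key "$1/server.key" -passin env:KEY_PASS \
        -subj "/CN=example.test" -out "$1/server.crt" 2>/dev/null
}

# make_p12 KEY CERT OUT NAME: bundle key and certificate; env: keeps the
# passphrases out of the argument list that pass: would expose.
make_p12() {
    openssl pkcs12 -export -name "$4" -in "$2" -inkey "$1" -out "$3" \
        -passin env:KEY_PASS -passout env:P12_PASS
}

# p12_friendly_name FILE: print the name that becomes the keytool alias or
# the NSS nickname after import.
p12_friendly_name() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# p12_key_matches_cert FILE: succeed only if the bundle contains a private key
# whose public half equals the public key of the bundled certificate.
p12_key_matches_cert() {
    k=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    c=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run on the constructed sample.
dir=$(mktemp -d) && make_sample "$dir" &&
    make_p12 "$dir/server.key" "$dir/server.crt" "$dir/server.p12" Server-Cert &&
    echo "alias: $(p12_friendly_name "$dir/server.p12")" &&
    p12_key_matches_cert "$dir/server.p12" && echo "key matches certificate"
rm -rf "$dir"
```

A bundle that fails p12_key_matches_cert, or one opened with the wrong passphrase, would import into NSS without the u,u,u trust flags described above or not import at all.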
