kdb to pem
In a recent engagement I was assisting a collegue with some OpenShift work. He wanted to create a Route that re-encrypt the content before sending it over to the HCL Commerce containers.
My task was to figure out how to extract the private key from a set of file given by the security team. The Key and Certificate were required to be able to create a re-encrypt route with a custom certificate.
In this blog I want to keep it simple and describe the process that I used to extract the key and certificate and create a PEM file so that it can be used to create the OpenShift Route.
I will skip over the extended explanation of the requirements, along with the complications of why would you want to do such setup. The requirement as mentioned was to figure out how to get the Certificate and the Key in PEM format out of set of given files.
The Archive File
Without disclousing the information of the client and files provided. Let’s say that I received a set of files in an archive format similar to the ones below:
theArchive.zip
├── aBinaryArchiveFile.p7b
├── aServerName.txt
└── aServerName.kdb
And the task was to find out the certificate and key and then extract it, and provide it into a PEM file. Remember we have to find the Key and the Certificate.
What is a PEM file?
PEM stands for Privacy Enhanced Mail and is a type file that uses a common standard format in cryptography for sharing Keys and Certificates.
PEM files are readable to the naked eye, thus can be opened using your favorite text editor.
Care should be taken when the content of the file is a private keys.
For more information about PEM refer to Wikipedia, surprisingly is very simplistic.
.p7b file
This file is a Windows binary format of the Certificate and the Key, you can open the file in any Windows and browse and export the certficate or chain certificate contained in it.
In Linux you can also list the certificates using the openssl tool (for security reasons I don’t show the content of the file, but believe me it works :))
openssl pkcs7 -inform DER -outform PEM -in aBinaryArchiveFile.p7b -print_certs > theCert.cer
more theCert.cer
.kdb file
This file is a database file that holds keys and certificates and it can be password protected. It is frenquently refered as the data store. I was not able to find the specifications webpage for it, but is a very commonly used file to transfer and hold certificates and keys.
Transformation into PEM
With this two files I was able to extract the certificate and the key. You only need the .kdb file as long as you have the password. To extract the data out of the KDB file you first need to convert it into a p12 file.
To do this transformation you need to make use of the Key Management tool. When using HCL Commerce you can use the ts-util that has the command line tool that comes embedded with IBM WebSphere Application Server. There are two options the GUI or the CMD version.
You can refer to the IBM Manual on how to use the Key Management Tool or ikeyman for short.
Using the ts-util container for Commerce, below is the sequence of steps to use.
First, list the certificate in the keystore, this will give you the “label” to use in other cmds.
./ikeycmd -DADD_CMS_SERVICE_PROVIDER_ENABLED=true -cert -list CA -db /tmp/aServerName.kdb
Second, transform the the cert and key into a .p12 type of file
./ikeycmd -DADD_CMS_SERVICE_PROVIDER_ENABLED=true -cert -export -db /tmp/aServerName.kdb -pw 1234 -label "THE_LABEL_OF_THE_CERT_AS_STEP_1" -target /tmp/aServerName.p12 -target_pw 1234 -target_type pkcs12
Lastly, using the Openssl Tool export it to a pem file
openssl pkcs12 -in aServerName.p12 -nodes -nocerts -out aServerName_key.pem
You can transform the pcks12 into a PEM file
- For exporting only the key use: openssl pkcs12 -in aServerNamekey.p12 -out aServerName_key.pem -nocerts -nodes
- For exporting only the cert use: openssl pkcs12 -in aServerNameKey.p12 -out aServerName_cert.pem -clcerts -nokeys
Leave a comment