Question

I am writing a .NET client app that consumes a Java web service and need to sign sent requests (related to this other question).

I have been supplied with a private.key file (and a .X509 certificate) and a Java source example. The certificate looks like the public key of the service, and the private.key is what I use to sign requests.

In the Java source, I can see they convert the file to a byte array and pass it into the constructor of the PKCS8EncodedKeySpec class.

A bit of googling suggests this file is a private key hash (though I may be wrong).

Is there any way to use this in .Net or convert it to something .Net can use?

This link mentions converting a public/private key, but I don't have both, or know if it would work. Does anyone have more information to work on, such as what this file is exactly?

If I read this in as a byte array and convert it to a string, I get a load of HEX (e.g. AA-BB-06 etc) but I can't convert this to anything useful no matter the encoding I use.

This documentation suggests it is in PKCS #8 standard.

I tried (suggested by @gtrig) the command:

openssl rsa -in pkcs8privatekey.der -inform der -out privatekey.pem

but this gives me the following:

unable to load Private Key
32096:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
32096:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:830:
32096:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=n, Type=RSA
32096:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99:

I also get similar errors with NET and PEM -inform args.

and:

openssl asn1parse -in private.key

gives me the error:

"Error: offset too large"

I've just found that if I convert it to a base 64 string

  Dim ba As Byte() = IO.File.ReadAllBytes("C:\private.key")
  Dim toString1 As String = System.Convert.ToBase64String(ba)

which gives me a string which starts MIICdgIBADANB and is 924 characters long.

Trying the following command gives me:

openssl rsa -in private.key -text -noout

unable to load Private Key
17978:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY

Any further suggestions?


Solution 3

The following commands turn this into a format usable in Windows:

Convert the private key from pkcs8/DER to a PEM file format

openssl pkcs8 -nocrypt -in dealerPrivate.key -inform der -outform pem -out private.pem

Convert the certificate from x509/DER to a PEM file format

openssl x509 -inform der -in dealerCertificate.x509 -out public.pem

Merge the two files into a pkcs12 file – you will be prompted for password to protect the p12 with

openssl pkcs12 -export -inkey private.pem -in public.pem -out mycert.p12

pkcs12 can be used directly in Windows.

Other tips

It's probably not a "hash" of the private key. It's most likely the private key in PKCS#8 format.

You can use the openssl command line tool to create a PKCS#12 keystore that should then be able to be used to construct an X509Certificate2 object.

First you will likely have to convert your private key from DER to PEM format, which can also be done in openssl:

openssl rsa -in pkcs8privatekey.der -inform der -out privatekey.pem

Then create the PKCS#12 keystore with:

openssl pkcs12 -export -name myalias -in mycert.crt -inkey privatekey.pem -out keystore.p12

Finally, you should be able to import this into X509Certificate2 object:

X509Certificate2 cert = new X509Certificate2(@"C:\Path\keystore.p12", "password");
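The header check behind the "PKCS#8, not a hash" diagnosis, as an added Python example that is not part of the original answers: it reads the first DER elements of a key file and shows why the `openssl rsa` trace in the question stops at `Field=n` (a PKCS#1 reader expects INTEGER n after the version, but PKCS#8 has a SEQUENCE there). The names `read_tlv` and `classify_key` are hypothetical; `PAGE_PREFIX` is the first 12 base64 characters quoted in the question, and the other samples are constructed.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: low 7 bits count the length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_key(data):
    """Name the container of a private-key file from its first few bytes.

    Header-only heuristic for a file already known to hold a private key.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    try:
        outer, body, _ = read_tlv(data, 0)
        if outer != 0x30:                 # every DER format here is a SEQUENCE
            return "unknown"
        first, _, first_end = read_tlv(data, body)
        if first == 0x30:                 # encryption AlgorithmIdentifier comes first
            return "PKCS#8 EncryptedPrivateKeyInfo (DER)"
        if first != 0x02:                 # otherwise an INTEGER version must lead
            return "unknown"
        second, _, _ = read_tlv(data, first_end)
    except IndexError:                    # too short to hold the header
        return "unknown"
    # PKCS#8 follows the version with a SEQUENCE; PKCS#1 follows it with INTEGER n.
    return {0x30: "PKCS#8 PrivateKeyInfo (DER)",
            0x02: "PKCS#1 RSAPrivateKey (DER)"}.get(second, "unknown")

PAGE_PREFIX = base64.b64decode("MIICdgIBADAN")          # prefix quoted in the question
PKCS1_SAMPLE = bytes.fromhex("3082025c02010002818100")  # constructed header
ENCRYPTED_SAMPLE = bytes.fromhex("308202a1301b0609")    # constructed header
PEM_SAMPLE = b"-----BEGIN PRIVATE KEY-----\n"           # constructed

if __name__ == "__main__":
    for name in ("PAGE_PREFIX", "PKCS1_SAMPLE", "ENCRYPTED_SAMPLE", "PEM_SAMPLE"):
        print(f"{name:17} {classify_key(globals()[name])}")
```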

You can use the key tool UI. You need to know the type of the certificate they gave you, typically either a JKS key or PEM.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow