How can I convert PKCS8 to JWK format given the openssl commands below?

openssl genrsa -des3 -passout pass:foobar -out private_key_des3_with_password.pem 2048
openssl pkcs8 -topk8 -inform PEM -in private_key_des3_with_password.pem -outform PEM -out private_key_des3_with_password_pkcs8.pem -passin pass:foobar -passout pass:foobar
openssl rsa -in private_key_des3_with_password.pem -passin pass:foobar -outform PEM -pubout -out public_key_for_pk_des3_with_password.pem

Looking for some assistance in converting a PKCS8 key to JWK format so that I can upload the keys to Salesforce via "CertificatesAndKeysManagement".

Salesforce requires JWK for uploading keys, and will be used to encrypt JWT. I have also found an article to convert PKCS12 to JWT, but do not know how to bridge the gap from PKCS8 -> PKCS12 or PKCS8 -> JWK. Looking for either solution.

The Salesforce code looks like the following:

        // Apex: build a JWT, then sign it as a JWS with the certificate
        // stored in Salesforce under the unique name 'mykey'.
        public static String buildSignedJwt() {
            Map<String, String> claims = new Map<String, String>{
                'claim' => 'myClaims'
            };
            Auth.JWT jw = new Auth.JWT();
            jw.setAdditionalClaims(claims);
            jw.setValidityLength(60);   // validity in seconds
            Auth.JWS sig = new Auth.JWS(jw, 'mykey');
            return sig.getCompactSerialization();
        }

The library which will be validating the claim requires PKCS8 format, but Salesforce requires JWK format to encrypt.

1 Answer

I was able to accomplish the task.

  1. Generate a certificate and import into Salesforce as JWT. The correct article
  2. Reviewed this article to convert PKCS12 to PKCS8

Altogether we have the following commands:

openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -x509 -days 365 -out certificate.pem
openssl x509 -outform der -in certificate.pem -out public_key.der
openssl x509 -in certificate.pem -pubkey > public_key.pem
keytool -importcert -file certificate.pem -keystore keystore.jks -alias mycertificate -storetype jks
openssl pkcs12 -inkey private_key.pem -in certificate.pem -export -out keystore.p12 -name mykey
keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -destalias mykey -srcalias mykey
openssl pkcs12 -in keystore.p12 -nocerts -out certificatename.pem
openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8
openssl rsa -in certificatename.pk8 -passin pass:your_password -outform PEM -pubout -out public_key_for_pk_aes256_with_password.pem

Upload keystore.jks to Salesforce. Provide the public key to the other team (public_key_for_pk_aes256_with_password.pem).

You're not importing 'as JWT' or 'as JWK' at all; you're creating and importing JKS, as your new link says, which is completely different. (Although it is subsequently used _for_ JWT.) Also your process is about 3 times more complicated than necessary. And the publickey file is not encrypted with any password and can't be; the PKCS8 privatekey _could_ be, but yours isn't because you specified `-nocrypt`. Since your actual problem had nothing to do with the Q you asked, I don't see how this can be useful to anybody else. – dave_thompson_085 Apr 08 '20 at 07:18