Extract key from JKS keystore to use with apache2 and tomcat


Solution 1

The JKS has certificates in DER and for Apache you want to have PEM (AKA X509) format.

Sample of how to do this:

$JAVA_HOME/bin/keytool --list -keystore <mykeystore>
$JAVA_HOME/bin/keytool -export -rfc -alias <alias_name> -file <cert.crt> -keystore <mykeystore>

So you will want to export the private key and then the certificates.

The exported private key then goes in the SSLCertificateKeyFile directive in httpd.conf, and you can put the chained certificates in the SSLCertificateChainFile directive. This is in addition to the SSLCertificateFile directive.

See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

Solution 2

You cannot get the private key directly from the JKS using keytool; instead you must convert to PKCS12 format first, then use openssl command. I've made this work:

  1. Use keytool to convert the keystore to a pkcs12

    keytool -importkeystore -srckeystore jks_filename.jks -destkeystore p12_filename.p12 -deststoretype PKCS12

  2. Use openssl to export the cert as a .pem file:

    openssl pkcs12 -in p12_filename.p12 -nokeys -clcerts -out cert_filename.pem

  3. Use openssl to export the corresponding private key as a .pem file:

    openssl pkcs12 -in p12_filename.p12 -nocerts -out key_filename.pem

  4. Update ssl.conf in two places (SSLCertificateFile and SSLCertificateKeyFile) to configure port 443 to use these cert and key files.

Solution 3

There's no way to "directly" export anything other than the certificate. You will need to go through an intermediate step in a PKCS12 format.

keytool -importkeystore -srckeystore rec.jks -destkeystore rec.p12 -deststoretype PKCS12

This will prompt for source and destination passphrases. If you need to automate this, use PW=somepass keytool -srcpass:env PW ... or keytool -srcstorepass:file filecontainingpass ..., and similarly for -deststorepass.

And from there, you can use openssl to convert the PKCS12 file to standard PEM:

openssl pkcs12 -in rec.p12 -out rec.pem

This too will prompt for passphrases. Use -passin env:PW or -passin file:filename and -passout options, or -nodes if you don't want the resulting key encrypted, but be careful about where you're writing this to.

The resulting file will contain your key, certificate, and probably the full certificate chain.
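The JKS to PKCS12 to PEM procedure of Solutions 2 and 3 as a non-interactive script, with a final check that the exported key actually belongs to the exported certificate (the "Private key not found" failure reported in the comments is what that check catches before httpd does). This is an added example, not code from any of the answers; it assumes keytool and openssl are on PATH and that the store password is in the STOREPASS environment variable.

```shell
# Added example (not code from any answer on this page): the JKS -> PKCS12
# -> PEM procedure with all passwords taken from the environment so nothing
# prompts, the output split into the files Apache's SSLCertificateFile,
# SSLCertificateChainFile and SSLCertificateKeyFile expect, and a check that
# the exported key really belongs to the exported certificate.
# Assumes keytool and openssl are on PATH and $STOREPASS holds the store
# password (the key password is taken to be the same, as is usual for JKS).

# jks_to_p12 <store.jks> <alias> <store.p12>
# keytool cannot print a private key; it can only move it into another
# keystore, so PKCS12 is the intermediate format that openssl can read.
jks_to_p12() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype JKS -srcstorepass:env STOREPASS \
    -srcalias "$2" \
    -destkeystore "$3" -deststoretype PKCS12 -deststorepass:env STOREPASS
}

# p12_to_pem <store.p12> <outdir>
# Writes cert.pem (leaf only), chain.pem (CA certificates only) and key.pem.
p12_to_pem() {
  p12=$1; out=$2
  mkdir -p "$out"
  openssl pkcs12 -in "$p12" -passin env:STOREPASS -nokeys -clcerts -out "$out/cert.pem"
  openssl pkcs12 -in "$p12" -passin env:STOREPASS -nokeys -cacerts -out "$out/chain.pem"
  # -nodes leaves the key unencrypted so httpd can start unattended; the
  # subshell umask makes the file 0600 before the first byte is written.
  (umask 077; openssl pkcs12 -in "$p12" -passin env:STOREPASS -nocerts -nodes -out "$out/key.pem")
}

# key_matches_cert <key.pem> <cert.pem>
# Prints "match" when the public key derived from the private key equals the
# one in the certificate. A file with no private key in it (for example a
# certificate handed to SSLCertificateKeyFile) prints "mismatch", which is the
# kind of mistake behind httpd's "Init: Private key not found".
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || k=
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || c=
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}
```

Source the file and run `jks_to_p12 store.jks myalias store.p12`, `p12_to_pem store.p12 /etc/apache2/ssl` and `key_matches_cert /etc/apache2/ssl/key.pem /etc/apache2/ssl/cert.pem` with STOREPASS exported; delete the intermediate .p12 afterwards, since it holds the key under the same password as the original JKS.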

Author by CappyT
Updated on September 18, 2022

Comments

  • CappyT
    CappyT over 1 year

    I have a keystore in JKS format and I want to use that with apache2. How can I export the key and the certificates (that I already chained) out of the JKS in an easy way? I found many answers out there but it seems that no one has my problem... (or the answer is partial)

    Thank you for your time.

    • Schrute
      Schrute almost 9 years
      Did you unaccept the answer for some reason?
    • CappyT
      CappyT almost 9 years
      Sorry, was my fault.
  • Sohan
    Sohan over 8 years
    How can we export the key here, can you please let me know?
  • Schrute
    Schrute over 8 years
    Key from what source?
  • hagrawal
    hagrawal over 8 years
    This will only generate the certificate, but what about the key required for SSLCertificateKeyFile in Apache?
  • Schrute
    Schrute over 8 years
    If there is no key in keystore there will not be anything exported.
  • Zennichimaro
    Zennichimaro almost 7 years
    I did that but did not have the private key. My apache won't start because of it and throws [error] Init: Private key not found