Extract key from JKS keystore to use with apache2 and tomcat
Solution 1
The JKS has certificates in DER and for Apache you want to have PEM (AKA X509) format.
Sample of how to do this:
$JAVA_HOME/bin/keytool -list -keystore <mykeystore>
$JAVA_HOME/bin/keytool -export -rfc -alias <alias_name> -file <cert.crt> -keystore <mykeystore>
So you will want to export the private key and then the certificates.
The exported private key then goes in the SSLCertificateKeyFile directive in httpd.conf, and you can put the chained certificates in the SSLCertificateChainFile directive. This is in addition to the SSLCertificateFile directive.
See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
Solution 2
You cannot get the private key directly from the JKS using keytool; instead you must convert to PKCS12 format first, then use openssl command. I've made this work:
- Use keytool to convert the keystore to a PKCS12:
keytool -importkeystore -srckeystore jks_filename.jks -destkeystore p12_filename.p12 -deststoretype PKCS12
- Use openssl to export the cert as a .pem file:
openssl pkcs12 -in p12_filename.p12 -nokeys -clcerts -out cert_filename.pem
- Use openssl to export the corresponding private key as a .pem file:
openssl pkcs12 -in p12_filename.p12 -nocerts -out key_filename.pem
Update ssl.conf in two places (SSLCertificateFile and SSLCertificateKeyFile) to configure port 443 to use these cert and key files.
Solution 3
There's no way to "directly" export anything other than the certificate. You will need to go through an intermediate step in a PKCS12 format.
keytool -importkeystore -srckeystore rec.jks -destkeystore rec.p12 -deststoretype PKCS12
This will prompt for source and destination passphrases. If you need to automate this, use PW=somepass keytool -srcstorepass:env PW ... or keytool -srcstorepass:file filecontainingpass ..., and similarly for -deststorepass.
And from there, you can use openssl to convert the PKCS12 file to standard PEM:
openssl pkcs12 -in rec.p12 -out rec.pem
This too will prompt for passphrases. Use the -passin env:PW or -passin file:filename and -passout options, or -nodes if you don't want the resulting key encrypted, but be careful about where you're writing this to.
The resulting file will contain your key, certificate, and probably the full certificate chain.
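The two-step procedure in Solutions 2 and 3 (JKS to PKCS12 with keytool, then PKCS12 to PEM with openssl), as an added example that is not from any of the answers above. It adds the two checks worth running before pointing mod_ssl at the files: that the key file really contains a private key, and that the key belongs to the exported certificate. It assumes keytool and openssl are on PATH, that the key entry's password equals the keystore password (keytool's default), that KEYSTORE_PASS is exported, and that the paths and alias are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answers: JKS -> PKCS12 -> PEM for Apache,
# with the two checks most people skip. Assumes keytool and openssl are on PATH,
# that the key entry's password equals the keystore password (keytool's default),
# and that KEYSTORE_PASS is exported; paths and alias below are placeholders.
set -eu

# jks_to_pem <keystore.jks> <alias> <outdir>
# The body runs in a subshell so umask 077 (owner-only files) does not leak out.
jks_to_pem() (
  jks=$1; entry=$2; out=$3
  mkdir -p "$out"
  umask 077

  # Step 1: JKS -> PKCS12. keytool cannot emit a private key any other way.
  # Passwords come from the environment, so they never appear in ps or history.
  keytool -importkeystore -noprompt \
    -srckeystore "$jks" -srcstoretype JKS -srcstorepass:env KEYSTORE_PASS \
    -srcalias "$entry" \
    -destkeystore "$out/store.p12" -deststoretype PKCS12 -deststorepass:env KEYSTORE_PASS

  # Step 2: split the PKCS12 into what mod_ssl expects: leaf cert, CA chain,
  # and an unencrypted key (-nodes), otherwise Apache prompts at every start.
  openssl pkcs12 -in "$out/store.p12" -passin env:KEYSTORE_PASS -nokeys -clcerts -out "$out/cert.pem"
  openssl pkcs12 -in "$out/store.p12" -passin env:KEYSTORE_PASS -nokeys -cacerts -out "$out/chain.pem"
  openssl pkcs12 -in "$out/store.p12" -passin env:KEYSTORE_PASS -nocerts -nodes -out "$out/key.pem"
  rm -f "$out/store.p12"   # intermediate only; do not leave a second copy of the key around
)

# Succeeds if the file holds a PEM private-key block. Run it on the file you
# point SSLCertificateKeyFile at: an export that only produced certificates is
# what yields "Init: Private key not found" when Apache starts.
pem_has_private_key() {
  grep -qE -e '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# Succeeds if key and certificate carry the same public key, i.e. the key you
# exported really belongs to the certificate you exported.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Typical run (placeholder paths and alias):
#   export KEYSTORE_PASS; jks_to_pem server.jks tomcat /etc/apache2/ssl
#   pem_has_private_key /etc/apache2/ssl/key.pem && key_matches_cert /etc/apache2/ssl/key.pem /etc/apache2/ssl/cert.pem
```

With OpenSSL 3 and a PKCS12 written by an older JDK (RC2/3DES-based PBE), the openssl pkcs12 calls may additionally need the -legacy option.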
CappyT
Updated on September 18, 2022
Comments
-
CappyT over 1 year
I have a keystore in JKS format and I want to use that with apache2. How can I export the key and the certificates (that I already chained) out of the JKS in an easy way? I found many answers out there but it seems that no one has my problem... (or the answer is partial)
Thank you for your time.
-
Schrute almost 9 years
Did you unaccept the answer for some reason?
-
CappyT almost 9 years
Sorry, it was my fault.
-
Sohan over 8 years
How can we export the key here, can you please let me know?
-
Schrute over 8 years
Key from what source?
-
hagrawal over 8 years
This will only generate the certificate, but what about the key required for SSLCertificateKeyFile in Apache?
-
Schrute over 8 years
If there is no key in the keystore there will not be anything exported.
-
Zennichimaro almost 7 years
I did that but did not have the private key. My Apache won't start because of it and throws [error] Init: Private key not found