Getting Certificates from Java Keystore

ssl-certificate openssl keytool keystore
5,695

Mostly dupe How to generate .key and .crt file from JKS file for httpd apache server .

All file extensions are only conventions; what matters is what operations you did to create a file, which you leave very vague. For one thing, it doesn't make sense to 'generate' both a CSR and a certificate; they do conflicting things.

Java KeyStore JKS is the keystore format used by Java (currently; it is expected to change in Java 9). People often name these files .jks but if you used .keystore in a command like keytool -genkeypair that did not specify -storetype then you created a JKS file named .keystore.

.cer and .crt are commonly used for files containing a certificate, or sometimes multiple certificates in PEM format. There are two common formats, usually called by the names OpenSSL uses which are DER and PEM. If you look at the file with normal text tools like more cat type vi notepad and you see a line like -----BEGIN CERTFICATE----- (possibly with X.509 inserted) and then several lines of almost all letters and digits and then a similar -----END line that's PEM format. People sometimes use these extensions instead or in addition to designate the format like xyzcert.pem xyzcert.der xyz.crt.pem xyz.crt.der.

CSR means Certificate Signing Request, which is generated (in this context) by keytool -certreq. A CSR is used as part of the process of obtaining a certificate from a 'real' CA like Verisign GoDaddy etc. In this case, you will normally get from the CA a certificate for your server AND a 'chain' or intermediate certificate (sometimes more than one); you put these in one or more file(s) and then import those into your JKS for use with Java programs like Tomcat etc. In this case your certificate file(s) would have been generated by the CA not by you.

If you don't get a cert from a CA, by default keytool -genkeypair creates a self-signed cert good for testing. You can put this cert into a separate file with keytool -exportcert [-rfc], and that is a certificate you generated, but in that case you would not have any use for a CSR.

.key is sometimes used for a separate (private)key file in one of several formats used by OpenSSL, and thus by programs that use OpenSSL like Apache httpd and nginx. The OpenSSL formats for privatekeys have DER and PEM variants much like certficates do, so people also use those extensions like xyzkey.pem xyzkey.der xyz.key.pem xyz.key.der.

Finally, PKCS12 is another keystore format, supported by lots of software including Java, OpenSSL, Windows and Mozilla NSS. Often the extension .p12 is used for PKCS12. (PKCS12 is always binary; it has no PEM variant.)

TLDR: if you need OpenSSL-format separate files for privatekey and certificate(s) from a JKS-format keystore, first use keytool to convert to pkcs12 and then use openssl to convert pkcs12 to separate PEM (usually) or DER (rarely).

Share:
5,695

Related videos on Youtube

saurg
Author by

saurg

Updated on September 18, 2022

Comments

  • saurg
    saurg over 1 year

    I used Java Keytool to generate domain.csr, domain.keystore and domain.cer. I need to secure the domain using SSL for which I need domain.crt and domain.key. How can I get these two? Are domain.jks and domain.keystore both same? What is difference among all extensions like csr, pem, crt,etc ?

  • saurg
    saurg over 7 years
    Thanks for the reply. It is very helpful. I have obtained a cer from CA and some intermediate and root certificates also. I also imported them in the keystore file using keytool -import command but when I try to convert it into pkcs12 as mentioned in link given, I got a error Problem inporting entry for alias....TrustedCertEntry not supported. Any idea what am I doing wrong?
  • dave_thompson_085
    dave_thompson_085 over 7 years

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Where the KeyStore password and key password stored
SSL connection issue with s_client
Extract key from JKS keystore to use with apache2 and tomcat
How to generate .key and .crt file from JKS file for httpd apache server
Java keytool error: java.lang.Exception: Input not an X.509 certificate
Not able to load P7B file into keystore file
Error while Importing public certificate to a keystore
Convert CA-signed JKS keystore to PEM
Difference between Entry Type "keyEntry" and "trustedCertEntry" in a keystore
How to add certificate chain to keystore?