How to generate .key and .crt file from JKS file for httpd apache server
Solution 1
Here is what I do.
First, export the key:
keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12
For the Apache SSL certificate file you need the certificate only:
openssl pkcs12 -in keystore.p12 -nokeys -out my_key_store.crt
For the SSL key file you need only the key:
openssl pkcs12 -in keystore.p12 -nocerts -nodes -out my_store.key
Solution 2
.jks is a keystore, which is a Java thing.
Use the keytool binary from Java.
Export the .crt:
keytool -export -alias mydomain -file mydomain.der -keystore mycert.jks
Convert the cert to PEM:
openssl x509 -inform der -in mydomain.der -out certificate.pem
Export the key:
keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12
Convert the PKCS12 key to unencrypted PEM:
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out mydomain.key
Credits:
- https://security.stackexchange.com/questions/3779/how-can-i-export-my-private-key-from-a-java-keytool-keystore
- https://stackoverflow.com/questions/2640691/how-to-export-private-key-from-a-keystore-of-self-signed-certificate
- https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
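Both solutions above end with the same two openssl commands, and the comments show the two ways the procedure typically fails: a DER certificate handed to httpd ("no start line"), and keytool refusing the conversion because the PKCS12 store password and key password differ. The script below is an added example, not code from either answer. It runs the full flow (JKS to PKCS12 to PEM pair), sets the key password explicitly, and checks that the resulting .crt is PEM and actually matches the .key before httpd.conf is touched. Names (mycert.jks, alias mydomain, keystore.p12, server.crt, server.key, password changeit) are assumptions; make_sample_p12 builds a constructed stand-in for the keytool output so the openssl half can be exercised on a machine without Java.

```shell
#!/bin/sh
# Added example (not from the original answers): turn a Java keystore into the
# PEM pair httpd wants, then verify the pair before editing httpd.conf.
# Assumed names: mycert.jks, alias "mydomain", keystore.p12, server.crt,
# server.key, password "changeit". Needs keytool (JDK) for the first step
# and openssl for everything else.
set -eu

# jks_to_pkcs12 JKS ALIAS P12 PASSWORD
# keytool cannot print a private key; the only way out is converting the store
# to PKCS12. -destkeypass makes the key password equal to the store password,
# which avoids the "different storepass and keypass" error from the comments
# and lets openssl open the file with a single password.
jks_to_pkcs12() {
  keytool -importkeystore -srckeystore "$1" -srcalias "$2" \
    -destkeystore "$3" -deststoretype PKCS12 \
    -srcstorepass "$4" -deststorepass "$4" -destkeypass "$4" -noprompt
}

# pkcs12_to_pem P12 PASSWORD CRT KEY
# -nokeys writes every certificate in the store (leaf plus chain) as PEM, which
# is what SSLCertificateFile expects; -nocerts -nodes writes the private key
# unencrypted so httpd starts without a passphrase prompt. The key is created
# under umask 077 and then chmod 600 so it is never world-readable.
pkcs12_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3"
  (umask 077 && openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4")
  chmod 600 "$4"
}

# pem_pair_ok CRT KEY
# Returns 0 only if CRT is PEM text (a DER file is what produces the
# "no start line" error quoted in the question) and the certificate's
# public key is the same as the public half of KEY.
pem_pair_ok() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# make_sample_p12 P12 PASSWORD
# Constructed stand-in for the keytool output: a throwaway self-signed key and
# certificate packed into PKCS12, so the openssl half can be tried without Java.
make_sample_p12() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert.pem" \
    -subj "/CN=example.test" -days 1 >/dev/null 2>&1
  openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" -name mydomain \
    -out "$1" -passout "pass:$2"
  rm -rf "$d"
}

# Full run when invoked directly: ./jks2pem.sh mycert.jks mydomain changeit
if [ $# -ge 3 ]; then
  jks_to_pkcs12 "$1" "$2" keystore.p12 "$3"
  pkcs12_to_pem keystore.p12 "$3" server.crt server.key
  if pem_pair_ok server.crt server.key; then
    echo "server.crt and server.key match; point SSLCertificateFile/SSLCertificateKeyFile at them"
  else
    echo "server.crt does not match server.key, do not deploy" >&2
    exit 1
  fi
fi
```

Two caveats a practitioner will hit: a PKCS12 written by an older JDK may use RC2 or 3DES, which OpenSSL 3 refuses by default; add -legacy to the openssl pkcs12 commands in that case. And the -nokeys output carries "Bag Attributes" text above each certificate; httpd's PEM reader skips it, so no further conversion is needed.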
Sohan
Updated on September 18, 2022
Comments
-
Sohan over 1 year
I have the mycert.jks file only. Now I need to extract and generate .key and .crt files and use them in the Apache httpd server.
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
Can anybody list all the steps to get this done? I searched but there is no concrete example to understand, only mixed and matched steps.
Please suggest!
[EDIT] Getting an error after following the steps from the answer below.
[Fri Aug 21 15:32:03.008511 2015] [ssl:emerg] [pid 14:tid 140151694997376] AH02562: Failed to configure certificate 0.0.0.0:4545:0 (with chain), check /home/certs/smp_cert_key_store.crt
[Fri Aug 21 15:32:03.008913 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Aug 21 15:32:03.008959 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
-
Sohan over 8 years Not working, getting an error.
-
exeral over 8 years The exported cert is in DER format. Added a step to convert it to PEM.
-
Sohan over 8 years Thanks, that may work; I have not tried it yet though.
-
dave_thompson_085 over 7 years keytool -exportcert -rfc writes in PEM format and doesn't need conversion. Alternatively, once you have the p12, openssl pkcs12 -nokeys writes the entire cert chain in PEM, which is usually better for a server using OpenSSL (like httpd) if this cert is from a real CA rather than the keytool-default self-signed cert.
-
GM Lucid over 6 years Note: the alias can be the name of the certificate, if you know what the name was when it was exported. Wanted to mention that in case people were struggling to run the first command.
-
cafebabe1991 over 4 years I am getting the following error when I ran the keystore command:
destination pkcs12 storepass and keypass are different.
-
Sohan over 4 years Are you trying to set a new password? What exactly are you trying to do? Check if you have a similar problem: stackoverflow.com/questions/36197143/…
-
cafebabe1991 over 4 years I guess pkcs12 supports the same password for the store and keystore. That worked.
-
Sohan over 4 years It is recommended to always have the same password. If this works, please upvote the answer.
-
cafebabe1991 over 4 years I am new to all this JKS and truststore stuff. Can we chat so I can get my doubts cleared? @sohan
-
Sohan over 4 years Sure, I can try.
-
Sohan over 4 years Let us continue this discussion in chat.
-
Aleksandr Erokhin almost 3 years Please note that when exporting the key, the password for the source and dest keystores should match. Otherwise you'll get:
java.lang.Exception: The destination pkcs12 keystore has different storepass and keypass. Please retry with -destkeypass specified
-
Rafael Borja over 2 years Thank you. I would just add "--storepass <PASSWORD>", "--srcstorepass <PASSWORD> --deststorepass <PASSWORD>", and "-password pass:<PASSWORD>" to the 1st, 3rd and 4th commands, in case the user needs to use them in a script.