Extract key from JKS keystore to use with apache2 and tomcat
The JKS has certificates in DER and for Apache you want to have PEM (AKA X509) format.
Sample of how to do this:
$JAVA_HOME/bin/keytool --list -keystore <mykeystore>
$JAVA_HOME/bin/keytool -export -rfc -alias <alias_name> -file <cert.crt> -keystore <mykeystore>
So you will want to export the private key and then the certificates.
The private key exported located then goes in SSLCertificateKeyFile directive in httpd.conf, and you can put the chained certificates in SSLCertificateChainFile directive. This is in addition to SSLCertificateFile directive.
See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
You cannot get the private key directly from the JKS using keytool; instead you must convert to PKCS12 format first, then use openssl command. I've made this work:
-
Use keytool to convert the keystore to a pkcs12
keytool -importkeystore -srckeystore jks_filename.jks -destkeystore p12_filename.p12 -deststoretype PKCS12
-
Use openssl to export the cert as a .pem file:
openssl pkcs12 -in p12_filename.p12 -nokeys -clcerts -out cert_filename.pem
-
Use openssl to export the corresponding private key as a .pem file:
openssl pkcs12 -in p12_filename.p12 -nocerts -out key_filename.pem
Update ssl.conf in two places (SSLCertificateFile and SSLCertificateKeyFile) to configure port 443 to uses these cert and key files.
There's no way to "directly" export anything other than the certificate. You will need to go through an intermediate step in a PKCS12 format.
keytool -importkeystore -srckeystore rec.jks -destkeystore rec.p12 -deststoretype PKCS12
This will prompt for source and destination passphrases. If you need to automate this, use PW=somepass keytool -srcpass:env PW ...
or keytool -srcstorepass:file filecontainingpass ...
, and similarly for -deststorepass
And from there, you can use openssl to convert the PKCS12 file to standard PEM:
openssl pkcs12 -in rec.p12 -out rec.pem
This too will prompt for passphrases. Use -passin env:PW
or -passin file:filename
and -passout
options, or -nodes
if you dont want the resulting key encrypted, but be careful about where you're writing this to.
The resulting file will contain your key, certificate, and probably the full certificate chain.