Extract key from JKS keystore to use with apache2 and tomcat

The JKS has certificates in DER and for Apache you want to have PEM (AKA X509) format.

Sample of how to do this:

    $JAVA_HOME/bin/keytool -list -keystore <mykeystore>
    $JAVA_HOME/bin/keytool -export -rfc -alias <alias_name> -file <cert.crt> -keystore <mykeystore>

So you will want to export the private key and then the certificates.

The exported private key then goes in the SSLCertificateKeyFile directive in httpd.conf, and you can put the chained certificates in the SSLCertificateChainFile directive. This is in addition to the SSLCertificateFile directive.

See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html


You cannot get the private key directly from the JKS using keytool; instead you must convert to PKCS12 format first, then use openssl command. I've made this work:

  1. Use keytool to convert the keystore to a pkcs12

    keytool -importkeystore -srckeystore jks_filename.jks -destkeystore p12_filename.p12 -deststoretype PKCS12

  2. Use openssl to export the cert as a .pem file:

    openssl pkcs12 -in p12_filename.p12 -nokeys -clcerts -out cert_filename.pem

  3. Use openssl to export the corresponding private key as a .pem file:

    openssl pkcs12 -in p12_filename.p12 -nocerts -out key_filename.pem

  4. Update ssl.conf in two places (SSLCertificateFile and SSLCertificateKeyFile) to configure port 443 to use these cert and key files.


There's no way to "directly" export anything other than the certificate. You will need to go through an intermediate step in a PKCS12 format.

keytool -importkeystore -srckeystore rec.jks -destkeystore rec.p12 -deststoretype PKCS12

This will prompt for source and destination passphrases. If you need to automate this, use PW=somepass keytool -srcstorepass:env PW ... or keytool -srcstorepass:file filecontainingpass ..., and similarly for -deststorepass.

And from there, you can use openssl to convert the PKCS12 file to standard PEM:

openssl pkcs12 -in rec.p12 -out rec.pem

This too will prompt for passphrases. Use -passin env:PW or -passin file:filename and the -passout options, or -nodes if you don't want the resulting key encrypted, but be careful about where you're writing this to.

The resulting file will contain your key, certificate, and probably the full certificate chain.
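Putting the two answers together as an added, runnable example (this is not code from either answer, nor from the keytool or OpenSSL projects): it performs the JKS to PKCS12 step with the password taken from the environment instead of a prompt, splits the PKCS12 into the three PEM files mod_ssl wants, and then checks that the extracted key really belongs to the extracted certificate before anything is written into httpd.conf. Assumptions: the store and key password is supplied in an environment variable KS_PASS, the output names cert.pem, chain.pem and key.pem are hypothetical, and the demo keystore is a throwaway self-signed PKCS12 constructed with openssl so the script runs offline; the keytool step is only exercised when you pass a .jks. Because the key is written with -nodes, the script sets umask 077 first, which is the caveat the second answer ends on.

```shell
#!/bin/sh
# Added example (not from the answers above): non-interactive JKS -> PEM
# conversion for mod_ssl, with a check that the extracted key and cert agree.
# Assumptions: the store/key password is supplied in KS_PASS; output names
# cert.pem, chain.pem, key.pem are hypothetical; the demo keystore is
# constructed on the fly with openssl so the script runs offline.
set -eu
export KS_PASS="${KS_PASS:-constructed-demo-pass}"   # constructed demo secret
WORK="${WORK:-$(mktemp -d)}"
umask 077   # key.pem is written unencrypted (-nodes): keep it owner-only

# Step 1 of the answers: JKS -> PKCS12. Passwords come from the environment
# (-srcstorepass:env / -deststorepass:env) instead of interactive prompts.
# If the key's password differs from the store password, add -srckeypass.
jks_to_p12() {   # $1 = keystore.jks  $2 = out.p12
  keytool -importkeystore -srckeystore "$1" -srcstorepass:env KS_PASS \
      -destkeystore "$2" -deststoretype PKCS12 -deststorepass:env KS_PASS \
      -noprompt
}

# Steps 2 and 3: split the PKCS12 into the files mod_ssl expects.
#   cert.pem  -> SSLCertificateFile        (leaf only: -clcerts)
#   chain.pem -> SSLCertificateChainFile   (CA certs only: -cacerts)
#   key.pem   -> SSLCertificateKeyFile     (unencrypted: -nodes)
p12_to_pem() {   # $1 = in.p12  $2 = output dir
  openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys -clcerts -out "$2/cert.pem"
  openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys -cacerts -out "$2/chain.pem"
  openssl pkcs12 -in "$1" -passin env:KS_PASS -nocerts -nodes   -out "$2/key.pem"
}

# Entry point: accepts either a .jks (goes through keytool) or a .p12.
convert_keystore() {   # $1 = keystore  $2 = output dir
  case "$1" in
    *.jks) jks_to_p12 "$1" "$2/store.p12"; p12_to_pem "$2/store.p12" "$2" ;;
    *)     p12_to_pem "$1" "$2" ;;
  esac
}

# Sanity check before touching httpd.conf: the public key inside cert.pem must
# equal the public key derived from key.pem. Prints "match" or "MISMATCH".
key_matches_cert() {   # $1 = key.pem  $2 = cert.pem
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  cert_fp=$(openssl x509 -in "$2" -pubkey -noout \
            | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  if [ "$key_fp" = "$cert_fp" ]; then echo match; else echo MISMATCH; fi
}

# Constructed demo input: a throwaway self-signed key/cert packed into a
# PKCS12 under the alias "tomcat". Real use: convert_keystore /path/to/your.jks "$WORK"
make_demo_keystore() {   # prints the path of the demo .p12
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
      -keyout "$WORK/demo.key" -out "$WORK/demo.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/demo.key" -in "$WORK/demo.crt" \
      -name tomcat -passout env:KS_PASS -out "$WORK/demo.p12"
  echo "$WORK/demo.p12"
}

DEMO_STORE=$(make_demo_keystore)
convert_keystore "$DEMO_STORE" "$WORK"
key_matches_cert "$WORK/key.pem" "$WORK/cert.pem"   # prints: match
```

For a real keystore, set KS_PASS from wherever you keep secrets and call convert_keystore with the .jks path; that path needs a Java keytool on PATH, while the PKCS12 path and the key/cert check only need openssl. If key_matches_cert reports MISMATCH, the wrong alias ended up in the PKCS12 (or the keystore holds several key entries), and pointing Apache at that pair would fail at startup or, worse, at handshake time.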