Extract key from JKS keystore to use with apache2 and tomcat

Question

I have a keystore in JKS format and I want to use that with apache2. How can I export the key and the certificates (that i already chained) out the JKS in a easy way? I found many answers out there but seems that no one has my problem... (or the answer is partial)

Thank you for your time.

Did you unaccept the answer for some reason? – Schrute May 30 '15 at 21:05 — Schrute, May 30 '15 at 21:05

Schrute · Accepted Answer · 2014-06-25T03:39:44.893

7

The JKS has certificates in DER and for Apache you want to have PEM (AKA X509) format.

Sample of how to do this:

$JAVA_HOME/bin/keytool --list -keystore <mykeystore>
$JAVA_HOME/bin/keytool -export -rfc -alias <alias_name> -file <cert.crt> -keystore <mykeystore>

So you will want to export the private key and then the certificates.

The private key exported located then goes in SSLCertificateKeyFile directive in httpd.conf, and you can put the chained certificates in SSLCertificateChainFile directive. This is in addition to SSLCertificateFile directive.

See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

edited Jun 25 '14 at 03:39

answered Jun 24 '14 at 23:53

Schrute

797
5
14

1

How can we export key here, can you plz let me know? – Sohan Aug 21 '15 at 13:06
Key from what source? – Schrute Aug 21 '15 at 23:00
1

This will only generate the certificate but what about key required for `SSLCertificateKeyFile` in Apache ?? – hagrawal Nov 20 '15 at 16:49
If there is no key in keystore there will not be anything exported. – Schrute Nov 22 '15 at 00:22
I did that but did not have the private key. My apache won't start because of it and throw [error] Init: Private key not found – Zennichimaro May 05 '17 at 07:24

score 3 · Answer 2 · answered Jan 10 '18 at 14:50

You cannot get the private key directly from the JKS using keytool; instead you must convert to PKCS12 format first, then use openssl command. I've made this work:

Use keytool to convert the keystore to a pkcs12

keytool -importkeystore -srckeystore jks_filename.jks -destkeystore p12_filename.p12 -deststoretype PKCS12
Use openssl to export the cert as a .pem file:

openssl pkcs12 -in p12_filename.p12 -nokeys -clcerts -out cert_filename.pem
Use openssl to export the corresponding private key as a .pem file:

openssl pkcs12 -in p12_filename.p12 -nocerts -out key_filename.pem
Update ssl.conf in two places (SSLCertificateFile and SSLCertificateKeyFile) to configure port 443 to uses these cert and key files.

score 2 · Answer 3 · answered Aug 04 '16 at 17:56

There's no way to "directly" export anything other than the certificate. You will need to go through an intermediate step in a PKCS12 format.

keytool -importkeystore -srckeystore rec.jks -destkeystore rec.p12 -deststoretype PKCS12

This will prompt for source and destination passphrases. If you need to automate this, use PW=somepass keytool -srcpass:env PW ... or keytool -srcstorepass:file filecontainingpass ..., and similarly for -deststorepass

And from there, you can use openssl to convert the PKCS12 file to standard PEM:

openssl pkcs12 -in rec.p12 -out rec.pem

This too will prompt for passphrases. Use -passin env:PW or -passin file:filename and -passout options, or -nodes if you dont want the resulting key encrypted, but be careful about where you're writing this to.

The resulting file will contain your key, certificate, and probably the full certificate chain.

Extract key from JKS keystore to use with apache2 and tomcat

3 Answers3