
I have a keystore in JKS format and I want to use that with apache2. How can I export the key and the certificates (that I already chained) out of the JKS in an easy way? I found many answers out there, but it seems that no one has my problem... (or the answer is partial)

Thank you for your time.

CappyT

3 Answers


The JKS has certificates in DER and for Apache you want to have PEM (AKA X509) format.

Sample of how to do this:

$JAVA_HOME/bin/keytool -list -keystore <mykeystore>
$JAVA_HOME/bin/keytool -export -rfc -alias <alias_name> -file <cert.crt> -keystore <mykeystore>

So you will want to export the private key and then the certificates.

The exported private key then goes in the SSLCertificateKeyFile directive in httpd.conf, and you can put the chained certificates in the SSLCertificateChainFile directive. This is in addition to the SSLCertificateFile directive.

See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

Schrute

You cannot get the private key directly from the JKS using keytool; instead you must convert to PKCS12 format first, then use the openssl command. I've made this work:

  1. Use keytool to convert the keystore to a pkcs12

    keytool -importkeystore -srckeystore jks_filename.jks -destkeystore p12_filename.p12 -deststoretype PKCS12

  2. Use openssl to export the cert as a .pem file:

    openssl pkcs12 -in p12_filename.p12 -nokeys -clcerts -out cert_filename.pem

  3. Use openssl to export the corresponding private key as a .pem file:

    openssl pkcs12 -in p12_filename.p12 -nocerts -out key_filename.pem

  4. Update ssl.conf in two places (SSLCertificateFile and SSLCertificateKeyFile) to configure port 443 to use these cert and key files.

em_bo

There's no way to "directly" export anything other than the certificate. You will need to go through an intermediate step in a PKCS12 format.

keytool -importkeystore -srckeystore rec.jks -destkeystore rec.p12 -deststoretype PKCS12

This will prompt for source and destination passphrases. If you need to automate this, use PW=somepass keytool -srcstorepass:env PW ... or keytool -srcstorepass:file filecontainingpass ..., and similarly for -deststorepass.

And from there, you can use openssl to convert the PKCS12 file to standard PEM:

openssl pkcs12 -in rec.p12 -out rec.pem

This too will prompt for passphrases. Use -passin env:PW or -passin file:filename and -passout options, or -nodes if you don't want the resulting key encrypted, but be careful about where you're writing this to.

The resulting file will contain your key, certificate, and probably the full certificate chain.

Chris Cogdon
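The keytool-to-PKCS12-to-openssl route that the last two answers describe, as an added script that is not part of any answer: it runs non-interactively with the passwords taken from an environment variable (so they never appear in `ps` output), keeps the private key from ever being world-readable, splits the leaf certificate, the CA chain and the key into the three files Apache's SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile expect, and verifies that key and certificate belong together. It assumes keytool and openssl are on PATH, that the keystore password is in JKS_PASS, and that the key entry uses the same password as the keystore.

```shell
#!/bin/sh
# Added example, not from the answers above. Converts one JKS key entry into
# the PEM files Apache needs, without interactive prompts.
# Assumptions: keytool and openssl on PATH; JKS_PASS holds the keystore
# password, and the key entry is protected by that same password.
set -eu

# jks_to_pem <keystore.jks> <alias> <outdir>
#   writes cert.pem (leaf), chain.pem (CA certs) and key.pem into <outdir>
jks_to_pem() {
    jks=$1; entry=$2; out=$3
    mkdir -p "$out"
    # Nothing created from here on may be group- or world-readable, not even
    # the temporary PKCS12 file that briefly holds the key.
    umask 077
    p12="$out/tmp.p12"
    # keytool's :env modifier reads the password from the environment instead
    # of the command line. -srcalias limits the export to the one entry.
    keytool -importkeystore -noprompt \
        -srckeystore "$jks" -srcstoretype JKS -srcalias "$entry" \
        -srcstorepass:env JKS_PASS -srckeypass:env JKS_PASS \
        -destkeystore "$p12" -deststoretype PKCS12 \
        -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS
    # -clcerts: only the certificate that matches the key; -cacerts: only the
    # rest of the chain; -nodes: write the key unencrypted, because Apache has
    # to read it at startup without a passphrase dialog (hence the umask).
    openssl pkcs12 -in "$p12" -passin env:JKS_PASS -nokeys -clcerts -out "$out/cert.pem"
    openssl pkcs12 -in "$p12" -passin env:JKS_PASS -nokeys -cacerts -out "$out/chain.pem"
    openssl pkcs12 -in "$p12" -passin env:JKS_PASS -nocerts -nodes -out "$out/key.pem"
    rm -f "$p12"
    # Sanity check: the public key derived from key.pem must equal the one in
    # cert.pem, otherwise Apache will refuse the pair or serve a mismatch.
    key_pub=$(openssl pkey -in "$out/key.pem" -pubout)
    cert_pub=$(openssl x509 -in "$out/cert.pem" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ]
}
```

Point SSLCertificateFile at cert.pem, SSLCertificateChainFile at chain.pem and SSLCertificateKeyFile at key.pem (on httpd 2.4.8 and later the chain can also simply be appended to cert.pem).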