
I have the mycert.jks file only. Now i need to extract and generate .key and .crt file and use it in apache httpd server.

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt 
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key 

Can anybody list the all steps to get this done. I searched but there is no concrete example to understand, mixed and matched steps.

Please suggest!

[EDIT] Getting an error after following the steps from the answer below.

    [Fri Aug 21 15:32:03.008511 2015] [ssl:emerg] [pid 14:tid 140151694997376] AH02562: Failed to configure certificate 0.0.0.0:4545:0 (with chain), check /home/certs/smp_cert_key_store.crt
    [Fri Aug 21 15:32:03.008913 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Fri Aug 21 15:32:03.008959 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Sohan

3 Answers


.jks is a keystore, which is a Java thing

use keytool binary from Java.

export the .crt:

keytool -export -alias mydomain -file mydomain.der -keystore mycert.jks

convert the cert to PEM:

openssl x509 -inform der -in mydomain.der -out certificate.pem

export the key:

keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12

convert PKCS12 key to unencrypted PEM:

openssl pkcs12 -in keystore.p12  -nodes -nocerts -out mydomain.key

credits:

exeral
  • Not working, getting error – Sohan Aug 21 '15 at 15:52
  • exported cert is DER format. added a step to convert it to PEM – exeral Aug 21 '15 at 16:14
  • Thanks, that may work; I have not tried it yet though – Sohan Aug 21 '15 at 16:18
  • `keytool -exportcert -rfc` writes in PEM format and doesn't need conversion. Alternatively once you have the p12, `openssl pkcs12 -nokeys` writes the entire cert _chain_ in PEM, which is usually better for a server using OpenSSL (like httpd) if this cert is from a real CA rather than the keytool-default self-signed cert. – dave_thompson_085 Oct 17 '16 at 14:58
  • Note: the alias can be the name of the certificate, if you know what the name was when it was exported. Wanted to mention that in case people were struggling to run the first command. – GM Lucid Dec 01 '17 at 11:40
  • Please note that when exporting the key, the password for source and dest keystores should match. Otherwise you'll get: `java.lang.Exception: The destination pkcs12 keystore has different storepass and keypass. Please retry with -destkeypass specified`. – Aleksandr Erokhin Jun 25 '21 at 11:10
  • Thank you. I would just add the `"--storepass "`, `"--srcstorepass --deststorepass "`, and `"-password pass:"` for the 1st, 3rd and 4th commands, in case users need to use it in a script. – Rafael Borja Dec 02 '21 at 16:44

Here is what I do:

First export the key :

keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12

For apache ssl certificate file you need certificate only:

openssl pkcs12 -in keystore.p12 -nokeys -out my_key_store.crt

For ssl key file you need only keys:

openssl pkcs12 -in keystore.p12 -nocerts -nodes -out my_store.key

Sohan
  • I am getting the following error when I ran the keystore command: `destination pkcs12 storepass and keypass are different.` – cafebabe1991 Jan 24 '20 at 04:36
  • Are you trying to set a new password? What exactly are you trying to do? Check if you have a similar problem: https://stackoverflow.com/questions/36197143/extract-pkcs12-file-from-java-keystore-while-changing-the-password-using-keytool – Sohan Jan 24 '20 at 05:40
  • I guess pkcs12 supports same password for store and keystore. That worked. – cafebabe1991 Jan 24 '20 at 05:43
  • It is recommended to always have the same password. If this works, please upvote the answer – Sohan Jan 24 '20 at 05:45
  • I am new to all this jks and truststore. Can we chat so I get my doubts cleared ? @sohan – cafebabe1991 Jan 24 '20 at 05:46
  • Sure, I can try – Sohan Jan 24 '20 at 05:48
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/103638/discussion-between-sohan-and-cafebabe1991). – Sohan Jan 24 '20 at 05:49
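The two answers above describe the same keytool/openssl procedure, and the asker's `PEM routines:PEM_read_bio:no start line` error is what httpd reports when it is handed a DER (binary) file where it expects PEM text. The script below is an added example, not code from either answer or from the Apache/OpenSSL projects: it wraps the procedure using the `openssl pkcs12 -nokeys` chain export suggested in the comments, adds a pre-flight check that both output files really are PEM (and that the key is unencrypted) before `httpd` is restarted, and a check that the certificate and key belong together. The function names (`jks_to_pem`, `check_pem_pair`, `keys_match`, `demo`), the password-as-argument convention and the placeholder PEM bodies in `demo` are assumptions made for this example; it expects `keytool` and `openssl` on `PATH` and, as the comments note, the same store and key password.

```shell
#!/bin/sh
# Added example (not from the answers above). Assumes keytool and openssl
# are on PATH and that the JKS store password is known.
set -eu

# Export the certificate chain and an unencrypted private key from a JKS
# into the PEM files SSLCertificateFile / SSLCertificateKeyFile expect.
# `openssl pkcs12 -nokeys` writes the whole chain in PEM, which suits a
# CA-issued cert better than a single `keytool -export` (DER) file.
jks_to_pem() {
    jks=$1; storepass=$2; out=$3
    # Same password for source and destination stores avoids the
    # "storepass and keypass are different" error from the comments.
    keytool -importkeystore -srckeystore "$jks" -srcstorepass "$storepass" \
        -destkeystore "$out.p12" -deststoretype PKCS12 -deststorepass "$storepass"
    openssl pkcs12 -in "$out.p12" -passin "pass:$storepass" -nokeys -out "$out.crt"
    openssl pkcs12 -in "$out.p12" -passin "pass:$storepass" -nocerts -nodes -out "$out.key"
    chmod 600 "$out.p12" "$out.key"   # private material: owner-only
}

# Return 0 when both files look like PEM text; 1 with a hint otherwise.
# A DER file (e.g. `keytool -export` without -rfc) has no "-----BEGIN" line,
# which is exactly what produces "PEM_read_bio:no start line" in httpd.
check_pem_pair() {
    crt=$1; key=$2
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" || {
        printf '%s\n' "$crt: not PEM (DER? use keytool -rfc or openssl x509 -inform der)" >&2
        return 1
    }
    grep -q -E -e '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$key" || {
        printf '%s\n' "$key: not a PEM private key" >&2
        return 1
    }
    # An encrypted key would need SSLPassPhraseDialog; -nodes above avoids it.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        printf '%s\n' "$key: key is encrypted (re-export with -nodes)" >&2
        return 1
    fi
    return 0
}

# Confirm the cert and key belong together: the public key inside the
# certificate must equal the public half of the private key.
keys_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# Demo of the pre-flight check on constructed files: placeholder PEM
# bodies (not real certificates) and the first bytes of a DER SEQUENCE.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
        '-----END CERTIFICATE-----' > "$d/good.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...placeholder...' \
        '-----END PRIVATE KEY-----' > "$d/good.key"
    printf '\060\202\001' > "$d/bad.der"   # DER header, no BEGIN line
    good=fail; bad=fail
    check_pem_pair "$d/good.crt" "$d/good.key" && good=ok
    check_pem_pair "$d/bad.der" "$d/good.key" 2>/dev/null || bad=rejected
    rm -rf "$d"
    echo "$good $bad"   # prints: ok rejected
}
```

Typical use is `jks_to_pem mycert.jks 'changeit' /home/certs/server`, then `check_pem_pair /home/certs/server.crt /home/certs/server.key && keys_match /home/certs/server.crt /home/certs/server.key` before pointing `SSLCertificateFile` and `SSLCertificateKeyFile` at the two files; a failure of the first check is the DER-instead-of-PEM mistake shown in the question's log, and a failure of the second means the cert and key came from different aliases.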

Found answer here:

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate?page=2&tab=Votes

It shows how to create a crt from a jks keystore file in Chrome on Windows:

  • go to the URL in the browser that uses the jks with the red line, and there will be a lock symbol to the left

  • by clicking on the not secure part, information dialog opens up

  • click on certificate (invalid) and when it opens click on Details

  • press on copy to file... and follow instruction

At the end you have the keystore file as a .crt

Zeghra