38

I have the mycert.jks file only. Now I need to extract and generate the .key and .crt files and use them in the Apache httpd server.

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

Can anybody list all the steps to get this done? I searched, but there is no concrete example to understand, only mixed and matched steps.

Please suggest!

[EDIT] Getting error after following steps from below answer.

8/21/2015 9:07 PM] Sohan Bafna:
[Fri Aug 21 15:32:03.008511 2015] [ssl:emerg] [pid 14:tid 140151694997376] AH02562: Failed to configure certificate 0.0.0.0:4545:0 (with chain), check /home/certs/smp_c ert_key_store.crt
[Fri Aug 21 15:32:03.008913 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Fri Aug 21 15:32:03.008959 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

4 Answers

60

.jks is a keystore, which is a Java thing.

Use the keytool binary from Java.

export the .crt:

keytool -export -alias mydomain -file mydomain.der -keystore mycert.jks 

convert the cert to PEM:

openssl x509 -inform der -in mydomain.der -out certificate.pem 

export the key:

keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12 

convert PKCS12 key to unencrypted PEM:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out mydomain.key 

credits:

7
  • Not working, getting error Commented Aug 21, 2015 at 15:52
  • 1
    Exported cert is DER format. Added a step to convert it to PEM Commented Aug 21, 2015 at 16:14
  • Thanks, that may work; I have not tried it yet though Commented Aug 21, 2015 at 16:18
  • 3
    keytool -exportcert -rfc writes in PEM format and doesn't need conversion. Alternatively once you have the p12, openssl pkcs12 -nokeys writes the entire cert chain in PEM, which is usually better for a server using OpenSSL (like httpd) if this cert is from a real CA rather than the keytool-default self-signed cert. Commented Oct 17, 2016 at 14:58
  • 2
    note: The Alias can be the name of the certificate, if you know what the name was when it was exported. Wanted to mention that in case people were struggling to run the first command. Commented Dec 1, 2017 at 11:40
36

Here is what I do,

First export the key:

keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12 

For the Apache SSL certificate file you need the certificate only:

openssl pkcs12 -in keystore.p12 -nokeys -out my_key_store.crt 

For SSL key file you need only keys:

openssl pkcs12 -in keystore.p12 -nocerts -nodes -out my_store.key 
8
  • I am getting the following error when I ran the keystore command. ------------------------------ destination pkcs12 storepass and keypass are different. Commented Jan 24, 2020 at 4:36
  • Are you trying to set a new password? What exactly are you trying to do? Check if you have a similar problem, stackoverflow.com/questions/36197143/… Commented Jan 24, 2020 at 5:40
  • I guess pkcs12 supports same password for store and keystore. That worked. Commented Jan 24, 2020 at 5:43
  • It is recommended to have the same password always. If this works, please upvote the answer Commented Jan 24, 2020 at 5:45
  • I am new to all this jks and truststore. Can we chat so I get my doubts cleared? @sohan Commented Jan 24, 2020 at 5:46
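Added example, not part of the answers above: a shell pre-flight check to run on the extracted files before restarting httpd. It assumes the openssl CLI is installed, and all function names are hypothetical. It catches a DER export where PEM is expected (the "no start line" error in the question), a key that does not belong to the certificate, and an unencrypted key that other users can read.

```shell
#!/bin/sh
# Added example: checks for a certificate/key pair extracted from a keystore.
# Function names are hypothetical; only standard openssl subcommands are used.

# True if FILE contains a PEM certificate. A DER export (keytool -export
# without -rfc) fails here; httpd reports that as "no start line".
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -inform PEM -in "$1" -noout 2>/dev/null
}

# True if the private key in KEY belongs to the first certificate in CERT.
# Compares both public keys as PEM text; any parse failure is a mismatch.
key_matches_cert() {
    cert_pub=$(openssl x509 -inform PEM -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if only the owner can access KEY. A key written with
# "openssl pkcs12 -nodes" is unencrypted, so file mode is its only protection.
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs all three checks on CERT and KEY, reports each failure on stderr.
check_pair() {
    rc=0
    is_pem_cert "$1" ||
        { echo "FAIL: $1 is not a PEM certificate (DER export?)" >&2; rc=1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: key $2 does not match certificate $1" >&2; rc=1; }
    key_is_private "$2" ||
        { echo "FAIL: $2 is accessible to group/other (chmod 600)" >&2; rc=1; }
    return $rc
}

# Usage: sh check_pair.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```
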
-1

Found answer here:

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate?page=2&tab=Votes

It shows how to create a crt from a jks keystore file in Chrome on Windows:

  • go to the URL in the browser that uses the jks, with the red line, and there will be a lock symbol to the left

  • by clicking on the not secure part, an information dialog opens up

  • click on certificate (invalid) and when it opens click on Details

  • press copy to file... and follow the instructions

At the end you have the keystore file in crt

1
  • This answer has nothing whatever to do with the question asked here Commented Oct 5, 2024 at 6:35
-1

Generate p12 from JKS

/opt/apps/java/java/bin/keytool -importkeystore -srckeystore certname.jks -destkeystore cert.p12 -srcalias cert -srcstoretype JKS -deststoretype PKCS12

Generate pem from p12

openssl pkcs12 -in cert.p12 -out cert.pem 

Generate cert from pem

openssl x509 -outform der -in cert.pem -out cert.crt

Generate key from pem

openssl pkey -in cert.pem -out cert.key

(enter the pass phrase for cert.pem when prompted)
1
  • This is mostly wrong, and the semi-right bits are the same as the answers given and accepted many years earlier Commented Oct 5, 2024 at 6:36
