发表新帖
发表新帖

Convert CA-signed JKS keystore to PEM

前端 未结
关注
3 1438
一个人的身影
一个人的身影 2021-02-01 23:20

I have a JKS keystore with certicate signed by CA. I need to export it in PEM format in order to use it with nginx. I need to do it in such a way that it includes the whole chai

3条回答
  • 囚心锁ツ
    囚心锁ツ (楼主)
    2021-02-01 23:41

    A rather large problem that I frequently encounter is that, when generating the CSR to get our certificate, the keystore (Sun formatted jks keystore) does not output the .key or provide any facility for obtaining the .key. So I always had ended up with a .pem/.crt with no way of using it with Apache2, which cannot read a JKS keystore like Tomcat can, but instead requires a unpackaged .key + .pem/.crt pair.

    To start, get a “copy” of your existing keystore and skip to the 5th command below, or create your own like this:

    C:\Temp>keytool -genkey -alias tomcat -keyalg RSA -keystore
 keystore.jks -keysize 2048 -validity 730 -storepass changeit

    Then, optionally, create a 2-year CSR and then import the CSR response, in the next 3 step process:

    C:\Temp>keytool -certreq -alias mydomain -keystore keystore.jks
 -file mydomain.csr
C:\Temp>keytool -import -trustcacerts -alias root -file
 RootPack.crt -keystore keystore.jks -storepass changeit
C:\Temp>keytool -import -trustcacerts -alias tomcat -file mydomain.response.crt
 -keystore keystore.jks -storepass changeit

    To get this working, and if you already have your JKS keystore file that you use for a Tomcat application server, follow the following steps:

    First, get the DER (binary) formatted certificate into a file called “exported-der.crt”:

    C:\Temp>keytool -export -alias tomcat -keystore keystore.jks -file
 exported-der.crt

    Then, view & verify it:

    C:\Temp>openssl x509 -noout -text -in exported-der.crt -inform der

    Now you will want to convert it to PEM format, which is more widely used in applications such as Apache and by OpenSSL to do the PKCS12 conversion:

    C:\Temp>openssl x509 -in exported-der.crt -out exported-pem.crt 
-outform pem -inform der

    Then, download and use ExportPriv to get the unencrypted private key from your keystore:

    C:\Temp>java ExportPriv    > exported-pkcs8.key

    By now you probably realize, the private key is being exported as PKCS#8 PEM format. To get it into the RSA format that works with Apache (PKCS#12??) you can issue the following command:

    C:\Temp>openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key
 -out exported-pem.key

    0 讨论(0)
 看不清?
提交回复
热议问题