I have a JKS keystore with a certificate signed by a CA. I need to export it in PEM format in order to use it with nginx. I need to do it in such a way that it includes the whole chai
I'm not sure it is possible to extract the chain with keytool
but it can be done with a small Java program:
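    import java.io.File;
    import java.io.FileOutputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;

    public void extract(KeyStore ks, String alias, char[] password, File dstdir) throws Exception
    {
        KeyStore.PasswordProtection pwd = new KeyStore.PasswordProtection(password);
        // A private-key entry carries the certificate chain for its key
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(alias, pwd);
        Certificate[] chain = entry.getCertificateChain();
        // Write each certificate of the chain to <alias>.<index>.crt
        for (int i = 0; i < chain.length; i++) {
            Certificate c = chain[i];
            try (FileOutputStream out = new FileOutputStream(new File(dstdir, String.format("%s.%d.crt", alias, i)))) {
                out.write(c.getEncoded()); // DER-encoded bytes
            }
        }
    }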
This code should write all certificates of the chain in DER format in the submitted directory.
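Since nginx reads PEM rather than DER, here is a variant that writes the whole chain into one PEM file (end-entity certificate first, then its issuers) and the private key into a second file readable only by its owner. It is an added example, not part of the original answer; the class, method and file names are hypothetical, and it assumes a POSIX filesystem and a key that the keystore provider can export as PKCS#8.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Base64;

public class JksToPem { // hypothetical class name
    // PEM body: Base64 of the DER bytes, wrapped at 64 columns
    private static final Base64.Encoder B64 =
            Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));

    static String pem(String label, byte[] der) {
        return "-----BEGIN " + label + "-----\n"
                + B64.encodeToString(der)
                + "\n-----END " + label + "-----\n";
    }

    public static void export(KeyStore ks, String alias, char[] password, Path dstdir)
            throws Exception {
        KeyStore.Entry e = ks.getEntry(alias, new KeyStore.PasswordProtection(password));
        if (!(e instanceof KeyStore.PrivateKeyEntry)) {
            // Missing alias, or a trusted-certificate entry with no key and no chain
            throw new IllegalArgumentException("not a private key entry: " + alias);
        }
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) e;

        // chain[0] is the certificate matching the private key; issuers follow
        StringBuilder chainPem = new StringBuilder();
        for (Certificate c : entry.getCertificateChain()) {
            chainPem.append(pem("CERTIFICATE", c.getEncoded()));
        }
        Files.write(dstdir.resolve(alias + ".fullchain.pem"),
                chainPem.toString().getBytes(StandardCharsets.US_ASCII));

        PrivateKey key = entry.getPrivateKey();
        if (key.getEncoded() == null || !"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("key is not exportable as PKCS#8");
        }
        // Create the key file with mode 0600 before any key bytes are written;
        // createFile fails if the file already exists instead of reusing its mode.
        Path keyFile = dstdir.resolve(alias + ".key.pem");
        Files.createFile(keyFile, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
        Files.write(keyFile, pem("PRIVATE KEY", key.getEncoded())
                .getBytes(StandardCharsets.US_ASCII));
    }
}
```

The chain file is what nginx's `ssl_certificate` directive expects and the key file goes to `ssl_certificate_key`; the exported key is unencrypted, so keep it out of backups and version control.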