Convert CA-signed JKS keystore to PEM

僤鯓⒐⒋嵵緔 提交于 2019-12-20 10:34:40

问题


I have a JKS keystore with certicate signed by CA. I need to export it in PEM format in order to use it with nginx. I need to do it in such a way that it includes the whole chain, so that my client can verify the signature.

If I do something like:

keytool -exportcert -keystore mykestore.jks -file mycert.crt -alias myalias
openssl x509 -out mycert.crt.pem -outform pem -in mycert.crt -inform der

It only includes the lowest level certificate. The verification fails:

$ openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 /O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=123123
... (only one certificate!)
...
SSL-Session:
    ...
    Verify return code: 21 (unable to verify the first certificate)

From Java:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Whereas Jetty with the same JKS keystore prints the following:

$ openssl s_client -connect localhost:8084
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=1234
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
...
SSL-Session:
    Verify return code: 19 (self signed certificate in certificate chain)

Although openssl returns that 19 error, it no longer is an issue for Java HttpsURLConnection and that is all I care about.

So, how can I export the whole chain from JKS in a format (e.g. PEM) which works with both nginx server and Java client? What am I missing?


回答1:


A rather large problem that I frequently encounter is that, when generating the CSR to get our certificate, the keystore (Sun formatted jks keystore) does not output the .key or provide any facility for obtaining the .key. So I always had ended up with a .pem/.crt with no way of using it with Apache2, which cannot read a JKS keystore like Tomcat can, but instead requires a unpackaged .key + .pem/.crt pair.

To start, get a “copy” of your existing keystore and skip to the 5th command below, or create your own like this:

C:\Temp>keytool -genkey -alias tomcat -keyalg RSA -keystore
 keystore.jks -keysize 2048 -validity 730 -storepass changeit

Then, optionally, create a 2-year CSR and then import the CSR response, in the next 3 step process:

C:\Temp>keytool -certreq -alias mydomain -keystore keystore.jks
 -file mydomain.csr
C:\Temp>keytool -import -trustcacerts -alias root -file
 RootPack.crt -keystore keystore.jks -storepass changeit
C:\Temp>keytool -import -trustcacerts -alias tomcat -file mydomain.response.crt
 -keystore keystore.jks -storepass changeit

To get this working, and if you already have your JKS keystore file that you use for a Tomcat application server, follow the following steps:

First, get the DER (binary) formatted certificate into a file called “exported-der.crt”:

C:\Temp>keytool -export -alias tomcat -keystore keystore.jks -file
 exported-der.crt

Then, view & verify it:

C:\Temp>openssl x509 -noout -text -in exported-der.crt -inform der

Now you will want to convert it to PEM format, which is more widely used in applications such as Apache and by OpenSSL to do the PKCS12 conversion:

C:\Temp>openssl x509 -in exported-der.crt -out exported-pem.crt 
-outform pem -inform der

Then, download and use ExportPriv to get the unencrypted private key from your keystore:

C:\Temp>java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key

By now you probably realize, the private key is being exported as PKCS#8 PEM format. To get it into the RSA format that works with Apache (PKCS#12??) you can issue the following command:

C:\Temp>openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key
 -out exported-pem.key



回答2:


You can easily convert a JKS file into a PKCS12 file:

keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

You can then extract the private key and any certs with:

openssl pkcs12 -in keystore.p12



回答3:


I'm not sure it is possible to extract the chain with keytool but it can be done with a small Java program:

public void extract(KeyStore ks, String alias, char[] password, File dstdir) throws Exception
{
    KeyStore.PasswordProtection pwd = new KeyStore.PasswordProtection(password);
    KeyStore.PrivateKeyEntry entry = (KeyStore.PasswordKeyEntry)ks.getEntry(alias, pwd);
    Certificate[] chain = entry.getCertificateChain();
    for (int i = 0; i < chain.length; i++) {
        Certificate c = chain[i];
        FileOutputStream out = new FileOutputStream(new File(dstdir, String.format("%s.%d.crt", alias, i)));
        out.write(c.getEncoded());
        out.close();
    }
}

This code should write all certificates of the chain in DER format in the submitted directory.



来源:https://stackoverflow.com/questions/7528944/convert-ca-signed-jks-keystore-to-pem

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!