Keytool to OpenSSL Conversion tips: Difference between revisions

From ConShell
No edit summary
mNo edit summary
Line 19: Line 19:


== Extracting the private key ==
== Extracting the private key ==
http://mark.foster.cc/image/icon/info.gif New version of ExportPriv.java - now compiles on Java2 1.6!
http://mark.foster.cc/image/icons/info.gif New version of ExportPriv.java - now compiles on Java2 1.6!


Download, compile & run [http://mark.foster.cc/pub/java/ExportPriv.java ExportPriv]. You will also need the Base64Coder.java file from http://www.source-code.biz/snippets/java/2.htm (rename without .txt).
Download, compile & run [http://mark.foster.cc/pub/java/ExportPriv.java ExportPriv]. You will also need the Base64Coder.java file from http://www.source-code.biz/snippets/java/2.htm (rename without .txt).
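Review bot: the edit summary for this revision is empty ("No edit summary" / "mNo edit summary" above) even though the hunk changes the icon URL from http://mark.foster.cc/image/icon/info.gif to http://mark.foster.cc/image/icons/info.gif; a one-line summary such as "fix info icon path" would make the change identifiable in the page history.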

Revision as of 11:52, 3 February 2010


You may find yourself in a situation where you have a JKS-format keystore and need to extract both the certificate and the private key. The keytool program can only export the certificate (public key), so a separate tool (such as 'ExportPriv' or 'Keystore Explorer') is needed to export the private key. The certificate and private key can then be combined into a PKCS12 file, or left separate, depending on your needs.

Extracting the certificate (public key)

The result is a DER (binary) formatted certificate written to the file exported-der.crt:

keytool -export -alias mykey -keystore keystore -file exported-der.crt

Simply view & verify it

openssl x509 -noout -text -in exported-der.crt -inform der

Now you will want to convert it to another format, PEM, which is more widely used by applications such as Apache and is what openssl uses below to do the PKCS12 conversion.

openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der

Extracting the private key

New version of ExportPriv.java - now compiles on Java2 1.6!

Download, compile & run ExportPriv. You will also need the Base64Coder.java file from http://www.source-code.biz/snippets/java/2.htm (rename without .txt).

javac ExportPriv.java Base64Coder.java

The key is written to STDOUT, so I suggest you redirect it (>) to exported-pkcs8.key. Enter your own values for keystore, alias and password.

java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key

cat exported-pkcs8.key 
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMKTXSLw/mT0IHfIvwXd3Mr9DSL+oOHF0Rqmfdd4Mtb
OaMXQyk34G6/Yhx6WRthqQ62GgHwEsJayAAOWRc+ZcaueJVsoeWFJfJXxLQ7Rq6JJNL6AmCWK5rfFvAvArpXdxQ0M+w
[...]
yS03EKrUnMA2k8U6OpeqIZynvnFkw8Di76b0PeKacmMHK6+qdk5+MtjuXlgX0exGBNsG8ChGAPeYI7w==
-----END PRIVATE KEY-----

NOTE: Some users have reported that ExportPriv is outputting the base64 private key all on one line. In order to function properly with openssl, you need to ensure that there are no more than 64 printable characters on each line. See Base64 for more information.
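The one-line output described in the note above can be repaired without re-running the Java export. The following is an added example, not code from the original page or from ExportPriv: it keeps the BEGIN/END armor lines, joins whatever is between them, folds the base64 body at 64 columns with the POSIX fold utility, and then checks that no line in the result is longer than 64 characters. The "key" it operates on is a constructed placeholder made of repeated base64 characters, not real key material; the function names pem_body, pem_rewrap and pem_check are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): re-wrap a PEM private key whose
# base64 body came out on a single line, so that every line is at most 64
# characters as OpenSSL expects, and check the result. The key material itself
# is not altered, only the line breaks. Only POSIX tools are used.

# Print the base64 body of a PEM file as one string (armor lines removed).
pem_body() {
    grep -v -- '^-----' "$1" | tr -d '\r\n '
}

# Rewrite FILE_IN into FILE_OUT with the body folded at 64 columns.
pem_rewrap() {
    in="$1"; out="$2"
    header=$(grep -- '^-----BEGIN' "$in" | head -n 1)
    footer=$(grep -- '^-----END' "$in" | head -n 1)
    if [ -z "$header" ] || [ -z "$footer" ]; then
        echo "pem_rewrap: $in has no PEM armor lines" >&2
        return 1
    fi
    {
        printf '%s\n' "$header"
        # the trailing echo gives fold a newline-terminated line to work on,
        # so the last body line is also newline-terminated in the output
        { pem_body "$in"; echo; } | fold -w 64
        printf '%s\n' "$footer"
    } > "$out"
}

# Succeed only if no line in FILE is longer than 64 characters.
pem_check() {
    awk 'BEGIN { bad = 0 } length($0) > 64 { bad = 1 } END { exit bad }' "$1"
}

# Constructed sample: a one-line "key" made of placeholder base64 characters.
# It is NOT a real key; it only reproduces the layout the note describes.
make_sample() {
    body=$(awk 'BEGIN { for (i = 0; i < 150; i++) printf "MIIC"; printf "AB==" }')
    printf -- '-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n' "$body" > "$1"
}

work=$(mktemp -d "${TMPDIR:-/tmp}/pemwrap.XXXXXX")
make_sample "$work/oneline.key"
pem_rewrap "$work/oneline.key" "$work/wrapped.key"
pem_check "$work/oneline.key" && echo "original: OK" || echo "original: has lines over 64 chars"
pem_check "$work/wrapped.key" && echo "wrapped: OK ($(wc -l < "$work/wrapped.key" | tr -d ' ') lines)"
```

Run it on a real exported-pkcs8.key by calling pem_rewrap with that file and a new output name; pem_check on the result is the quick sanity test before handing the file to openssl pkcs8.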

By now you have probably noticed that the private key is exported in PKCS#8 PEM format. To get it into the RSA format that works with Apache (see below), issue the following command:

openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

Alternate method to extract the private key

Another option would be purchase Keystore Explorer, which claims to support exporting private keys and key-pairs. I haven't tried it myself. Let me know if you have and if it works.

It (Keystore Explorer) works. It exports the key pair to pkcs12 format. However this feature is not present in the evaluation version. --Ambarish Mitra, 2006-Feb-01

Here is a freeware tool (KeyTool-IUI) that will do it as well. [1]. I just used it to pull the key out.

Combine extracted public/private keys into PKCS12 format

A PKCS12 format file is typically suffixed with .p12 or .pfx. It is more commonly used on the Microsoft platform.

Now that you have the private key and the certificate (public key) that go together, you can package them in a PKCS12-formatted file; this should do the trick for use with IIS, for example.

openssl pkcs12 -export -out exported.pfx -inkey exported.key -in exported-pem.crt
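The openssl half of the procedure above, run end to end, as an added example that is not code from the original page, from ExportPriv or from any of the tools it mentions. Because keytool and ExportPriv are not needed to show the conversions, a throwaway self-signed certificate (DER) and an unencrypted PKCS#8 key generated with openssl stand in for what they would have exported; the page's two conversion commands are then applied unchanged, and, before the PKCS12 is built, the key's RSA modulus is compared with the certificate's so that a key that does not belong to the certificate (the wrong alias, for instance) is never packaged. The file names, the subject demo.example and the export password demo-only are constructed for this demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): DER cert + PKCS#8 key -> PEM cert
# + RSA key -> PKCS12, with a key/certificate match check before packaging.
# Requires the openssl command only. Everything is written to a temp dir.

work=$(mktemp -d "${TMPDIR:-/tmp}/jks2ssl.XXXXXX")

# Stand-in for "keytool -export" and ExportPriv: a DER certificate and an
# unencrypted PKCS#8 key for a constructed test identity.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo.example \
        -keyout "$work/raw.key" -out "$work/pem.crt" >/dev/null 2>&1
    openssl x509 -in "$work/pem.crt" -outform der -out "$work/exported-der.crt"
    openssl pkcs8 -topk8 -nocrypt -in "$work/raw.key" -out "$work/exported-pkcs8.key"
}

# Step 1 (same command as the page): DER -> PEM certificate.
convert_cert() {
    openssl x509 -out "$work/exported-pem.crt" -outform pem \
        -in "$work/exported-der.crt" -inform der
}

# Step 2 (same command as the page): PKCS#8 -> traditional RSA private key.
convert_key() {
    openssl pkcs8 -inform PEM -nocrypt -in "$work/exported-pkcs8.key" \
        -out "$work/exported.key"
}

# key_matches_cert CERT_PEM KEY_PEM: succeed only if both carry the same RSA
# modulus. Hashing each "Modulus=..." line keeps the comparison short.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 3 (page's command plus a password for the demo): build the PKCS12.
build_pkcs12() {
    openssl pkcs12 -export -out "$work/exported.pfx" -inkey "$work/exported.key" \
        -in "$work/exported-pem.crt" -passout pass:demo-only
}

# Read the PKCS12 back and print the subject of the certificate inside it.
pkcs12_subject() {
    openssl pkcs12 -in "$work/exported.pfx" -nokeys -passin pass:demo-only 2>/dev/null \
        | openssl x509 -noout -subject
}

make_fixtures
convert_cert
convert_key
if key_matches_cert "$work/exported-pem.crt" "$work/exported.key"; then
    build_pkcs12
    echo "PKCS12 written to $work/exported.pfx containing: $(pkcs12_subject)"
else
    echo "refusing to package: private key does not match certificate" >&2
    exit 1
fi
```

With a real keystore, replace make_fixtures by the keytool and ExportPriv commands from the sections above and keep the rest as is. openssl pkcs12 -export also rejects a mismatched pair on its own, but checking the moduli first gives a clearer failure point and is the same test you would run on any cert/key pair before installing it.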

Export from keystore private key and certificate directly into PEM format

Portecle is a free Java application that can be used to export the private key (in RSA format) and a certificate into one file in PEM or PKCS12 format. The result can be used directly to configure HTTPS with APR in Tomcat.

Quips, quotes and other user comments

Thanks for your "OpenSSL to Keytool Conversion tips" web page. It's helped me a great deal to set up client authentication via SSL between Apache 2 and Tomcat 5.

However, I ran into one problem with Apache 2 when using the Java-base64-encoded private key. I wrote up a bug report about the issue.

In summary, I had to re-encode the Java-base64-encoded private key using openssl to make it palatable to Apache:

openssl rsa -in privkey-java.key -out privkey.key

I'm not sure why this is required (or why Apache can't decode the base64-encoded version of the private key created by Java), but it fixed the problem I was seeing.

--Dave Kilzer, 2004-Oct-22

I had to insert line breaks after 64 chars in ExportPriv.java for it to work in nginx:

	// privKey (a java.security.PrivateKey) and Base64Coder come from ExportPriv.java
	char[] b64 = Base64Coder.encode(privKey.getEncoded());
	byte[] b64b = new byte[b64.length];
	for (int c = 0; c < b64.length; c++) {
	  b64b[c] = (byte) b64[c];
	}

	System.out.println("-----BEGIN PRIVATE KEY-----");
	// emit the base64 body in lines of at most 64 characters, as OpenSSL expects
	for (int c = 0; c < b64b.length; c += 64) {
	    int l = Math.min(64, b64b.length - c);
	    System.out.write(b64b, c, l);
	    System.out.println();   // terminate each 64-character line
	}
	System.out.println("-----END PRIVATE KEY-----");

--Elecnix 18:43, 13 February 2009 (UTC)

KeyStoreBuilder (part of Not-Yet-Commons-SSL) converts PKCS12 and PKCS8 to/from Java "Keystore".

Check it out http://juliusdavies.ca/commons-ssl/

--Julius Davies, 2007-Feb-9

Additional help and information

You can also check out the openssl-users mailing list archives and consider posing your question to the list.

Another great resource is the tomcat-users mailing list.

If you need OpenSSL for Windows, it can be found here or, better yet, here.

My thanks to Alexey Zilber who provided the patch which enables compilation of ExportPriv.java under Java2 SDK 1.6. --User:Fostermarkd 2007-01-13

NOTE: I have not used nor do I endorse the Windows port of OpenSSL. Do not ask me for help using it. I am only providing the link as a convenience to the poor souls who have not switched to a better OS. --User:Fostermarkd

NOTE: I cleaned up the code for ExportPriv.java a bit - you can get it here. Also note that for Windows, openssl works fine on cygwin. --Rfreedman 14:35, 30 October 2007 (PDT)

See Also