Keytool to OpenSSL Conversion tips: Difference between revisions
Revision as of 11:52, 3 February 2010
You may find yourself in a situation where you have a JKS-format keystore, and
need to extract the certificate and private key. With the keytool program you
can only extract the certificate (public key), so a separate method is needed (such as 'ExportPriv' or 'Keystore Explorer') to export the private key. Then the public and private
key can be combined into a PKCS12 file, or just left separate depending on your needs.
Extracting the certificate (public key)
The result is a DER (binary) formatted certificate in the file exported-der.crt
keytool -export -alias mykey -keystore keystore -file exported-der.crt
Simply view & verify it
openssl x509 -noout -text -in exported-der.crt -inform der
Now you will want to convert it to another format - PEM - which is more widely used by applications such as Apache, and which openssl needs for the PKCS12 conversion below.
openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der
Extracting the private key
New version of ExportPriv.java - now compiles on Java2 1.6!
Download, compile & run ExportPriv. You will also need the Base64Coder.java file from http://www.source-code.biz/snippets/java/2.htm (rename without .txt).
javac ExportPriv.java Base64Coder.java
The key is written to STDOUT, so redirect it (>) to exported-pkcs8.key. Substitute your own values for keystore, alias and password.
java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key
cat exported-pkcs8.key
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMKTXSLw/mT0IHfIvwXd3Mr9DSL+oOHF0Rqmfdd4Mtb
OaMXQyk34G6/Yhx6WRthqQ62GgHwEsJayAAOWRc+ZcaueJVsoeWFJfJXxLQ7Rq6JJNL6AmCWK5rfFvAvArpXdxQ0M+w
[...]
yS03EKrUnMA2k8U6OpeqIZynvnFkw8Di76b0PeKacmMHK6+qdk5+MtjuXlgX0exGBNsG8ChGAPeYI7w==
-----END PRIVATE KEY-----
NOTE: Some users have reported that ExportPriv is outputting the base64 private key all on one line. In order to function properly with openssl, you need to ensure that there are no more than 64 printable characters on each line. See Base64 for more information.
By now you have probably noticed that the private key is exported in PKCS#8 PEM format (the BEGIN PRIVATE KEY header). To convert it into the RSA format that works with Apache (see below), issue the following command:
openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key
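The NOTE above about 64-character lines is the most common reason an exported key is rejected by openssl, Apache or nginx, so it is worth being able to check a PEM file for it and repair it without re-running the Java tool. The following is an added example, not code from this page or from ExportPriv.java: it parses a PEM block with the Python standard library, reports lines longer than 64 characters and bodies that are not valid base64, and re-wraps the body to the PEM line length. The DER blob it wraps is a constructed stand-in (bytes(range(200))), not a real key, so the example runs offline.

```python
"""Check and re-wrap a PEM private key whose base64 body came out on one line.

Added example (not from the wiki page or ExportPriv.java); standard library only.
"""
import base64
import re

# RFC 7468: base64 lines inside a PEM block are at most 64 characters long.
MAX_LINE = 64

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return (label, body_lines) for the first PEM block found in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    lines = [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]
    return m.group("label"), lines


def pem_to_der(text):
    """Decode the base64 body back to DER; validate=True rejects stray characters."""
    _, lines = parse_pem(text)
    return base64.b64decode("".join(lines), validate=True)


def pem_problems(text):
    """List the defects that make openssl/Apache/nginx reject a PEM file."""
    _, lines = parse_pem(text)
    problems = []
    too_long = [i + 1 for i, ln in enumerate(lines) if len(ln) > MAX_LINE]
    if too_long:
        problems.append(f"line(s) {too_long} exceed {MAX_LINE} characters")
    try:
        pem_to_der(text)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body is not valid base64")
    return problems


def rewrap_pem(text):
    """Rewrite the PEM block with the same label and the body wrapped at 64 chars."""
    label, _ = parse_pem(text)
    b64 = base64.b64encode(pem_to_der(text)).decode("ascii")
    wrapped = [b64[i:i + MAX_LINE] for i in range(0, len(b64), MAX_LINE)]
    return "\n".join([f"-----BEGIN {label}-----", *wrapped, f"-----END {label}-----"]) + "\n"


# Constructed sample input: a stand-in for a DER-encoded PKCS#8 key, NOT a real key.
SAMPLE_DER = bytes(range(200))
ONE_LINE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("problems before:", pem_problems(ONE_LINE_PEM))
    fixed = rewrap_pem(ONE_LINE_PEM)
    print("problems after: ", pem_problems(fixed))
    print(fixed, end="")
```

Run it against a real exported-pkcs8.key by replacing ONE_LINE_PEM with the file's contents; the re-wrapped output is what `openssl pkcs8 -nocrypt` above expects as input. The decode step uses validate=True deliberately, so a body with embedded spaces or other non-base64 characters is reported rather than silently tolerated.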
Alternate method to extract the private key
Another option would be purchase Keystore Explorer, which claims to support exporting private keys and key-pairs. I haven't tried it myself. Let me know if you have and if it works.
It (Keystore Explorer) works. It exports the key pair to pkcs12 format. However this feature is not present in the evaluation version. --Ambarish Mitra, 2006-Feb-01
Here is a freeware tool (KeyTool-IUI) that will do it as well. [1]. I just used it to pull the key out.
Combine extracted public/private keys into PKCS12 format
A PKCS12 format file is typically suffixed with .p12 or .pfx. It is more commonly used on the Microsoft platform.
Now that you have a matching private key and certificate (public key), you can package them in a PKCS12-formatted file; this should do the trick for use with IIS, for example.
openssl pkcs12 -export -out exported.pfx -inkey exported.key -in exported-pem.crt
Export from keystore private key and certificate directly into PEM format
Portecle is a free java application that can be used to export the private key (in RSA format) and a certificate into one file in PEM or PKCS12 format. The result can be used directly to configure HTTPS with APR in tomcat.
Quips, quotes and other user comments
Thanks for your "OpenSSL to Keytool Conversion tips" web page. It's helped me a great deal to set up client authentication via SSL between Apache 2 and Tomcat 5.
However, I ran into one problem with Apache 2 when using the Java-base64-encoded private key. I wrote up a bug report about the issue.
In summary, I had to re-encode the Java-base64-encoded private key using openssl to make it palatable to Apache:
openssl rsa -in privkey-java.key -out privkey.key
I'm not sure why this is required (or why Apache can't decode the base64-encoded version of the private key created by Java), but it fixed the problem I was seeing.
--Dave Kilzer, 2004-Oct-22
I had to insert line breaks after 64 chars in ExportPriv.java for it to work in nginx:
char[] b64 = Base64Coder.encode(privKey.getEncoded());
byte[] b64b = new byte[b64.length];
for (int c = 0; c < b64.length; c++) {
    b64b[c] = (byte) b64[c];
}
System.out.println("-----BEGIN PRIVATE KEY-----");
// emit the base64 body in lines of at most 64 characters
for (int c = 0; c < b64b.length; c += 64) {
    int l = Math.min(64, b64b.length - c);
    System.out.write(b64b, c, l);
    System.out.println(); // line break after each chunk
}
System.out.println("-----END PRIVATE KEY-----");
--Elecnix 18:43, 13 February 2009 (UTC)
KeyStoreBuilder (part of Not-Yet-Commons-SSL) converts PKCS12 and PKCS8 to/from Java "Keystore".
Check it out http://juliusdavies.ca/commons-ssl/
--Julius Davies, 2007-Feb-9
Additional help and information
You can also check out the openssl-users mailing list archives and consider posing your question to the list.
Another great resource is the tomcat-users mailing list.
If you need OpenSSL for Windows, it can be found here or better yet here.
My thanks to Alexey Zilber who provided the patch which enables compilation of ExportPriv.java under Java2 SDK 1.6. --User:Fostermarkd 2007-01-13
NOTE: I have not used nor do I endorse the Windows port of OpenSSL. Do not ask me for help using it. I am only providing the link as a convenience to the poor souls who have not switched to a better OS. --User:Fostermarkd
NOTE: I cleaned up the code for ExportPriv.java a bit - you can get it here
Also note that for Windows, openssl works fine on cygwin. --Rfreedman 14:35, 30 October 2007 (PDT)