*.jks file (Java KeyStore repository) to apache2 *.key and *.crt conversion

In this article we would like to show how to convert *.jks file (Java KeyStore repository) to apache2 *.key file (with private RSA key) and *.crt file (with certificate).

Note: in below examples password / pass phrase were set to my_secret_password to simplyfy examples.

To make conversion do following steps:

1. convert *.jks file to *.p12 archive file

Use following command:

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12

Where: keystore.jks and keystore.p12 should be replaced with own names of files if it is necessary.

Output:

Importing keystore keystore.jks to keystore.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias my_key successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Where:

• Enter destination keystore password: and Re-enter new password: required to type new password for created *.p12 file,
• Enter source keystore password: requred to type password for *.jks that was source file,
• my_key was alias that describes stored private key and certificate.

2. convert *.p12 file to *.pem file

Use following command:

openssl pkcs12 -in keystore.p12 -out keystore.pem

Output:

Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Where:

• Enter Import Password: requred to type password for *.p12 that was source file,
• Enter PEM pass phrase: and Verifying - Enter PEM pass phrase: required to type new password for created *.pem file,

3. split *.pem file to *.key and *.crt files

It is necessary to do it manually.

We have keystore.pem that we want to split to private.key and certificate.crt files.

keystore.pem looks following way:

Bag Attributes
    friendlyName: my_key
    localKeyID: 54 69 6D 65 20 31 36 30 33 36 33 38 39 33 35 33 33 30 
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI2l0N+2E3qWkCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEtowzZYCB6gBIIEyGFY1HpPFi1o
...
...
HsqbUaeb6U4B63yHVIxSpTg8Ff4eTJvgCn7REqecMfKqbaTAzh5VnNUcA5WX5OFH
xBSv+u2sI/HCRxtT074SFV5VYI5y7oyHn4QIoMu4wbbk/sv9u/JMyjvTyUOKI1hU
btsm+9dz7ppWFzZrM8B0/w==
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: my_key
    localKeyID: 54 69 6D 65 20 31 36 30 33 36 33 38 39 33 35 33 33 30 
subject=C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown

issuer=C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEWW1HujANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdV
bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD
...
...
gUS6C5g7l2irjUdADKCTlqy4a0lAWopoEo94nW/JtAfkIpevoIJc3JYJHzU2x00K
iwBS4VFe101EVUMBgSqQbiArftpGWfeLOGD+tFhJU37Yjs2+vj5MxS4Vk6kox0Zh
4tGZQ735dGerX3IWsm7ZV1yOSGJqKYqPI8vO
-----END CERTIFICATE-----

We want to create:

- private.key file with content:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI2l0N+2E3qWkCAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEtowzZYCB6gBIIEyGFY1HpPFi1o
...
...
HsqbUaeb6U4B63yHVIxSpTg8Ff4eTJvgCn7REqecMfKqbaTAzh5VnNUcA5WX5OFH
xBSv+u2sI/HCRxtT074SFV5VYI5y7oyHn4QIoMu4wbbk/sv9u/JMyjvTyUOKI1hU
btsm+9dz7ppWFzZrM8B0/w==
-----END ENCRYPTED PRIVATE KEY-----

- certificate.crt file with content:

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEWW1HujANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdV
bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD
...
...
gUS6C5g7l2irjUdADKCTlqy4a0lAWopoEo94nW/JtAfkIpevoIJc3JYJHzU2x00K
iwBS4VFe101EVUMBgSqQbiArftpGWfeLOGD+tFhJU37Yjs2+vj5MxS4Vk6kox0Zh
4tGZQ735dGerX3IWsm7ZV1yOSGJqKYqPI8vO
-----END CERTIFICATE-----

4. convert private.key from ENCRYPTED PRIVATE KEY format to RSA PRIVATE KEY format

Use following command:

openssl.exe" rsa -in private.key -out private.key 

Where: private.key should be replaced with own names of files if it is necessary.

Output:

Enter pass phrase for private.key:
writing RSA key

Where:

• Enter pass phrase for private.key: requred to type password for *.key that was source file.

Now private.key file content should look like:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAgvrPXmOjfGKQZEwqUaNX+ssJdwfoAyUCu96xDsVtFpfKQsw8
CjiYbNFluFxkxBDihb/E5ORFmIDDCruu0Qyv5S3X7LEQ9dEo/KCihCh/vBF1Gwjg
...
...
an++UQKBgDoQCWDOJmq9V06qSc7PkXpvBHKAXb9zzYnWX8xmga2wg3+Wp3ADbayK
CtWF4d+LaPVk7TUV/c8orzXPsLoN6aYIookNIBtN/R/1sQy0WV7nqp71Fu9q3W/+
Iqumvy0b/d6PSv7C65KHnixfwQdEtiICSeb3/D3Bw/IKuUGTg7sU
-----END RSA PRIVATE KEY-----

5. apache2 VirtualHost configuration

Now we can use private.key and certificate.crt to configure VirtualHost.

Note: read this or this article to know more about below examples.

Example HTTPS configuration:

<VirtualHost *:443>
  ServerName localhost
  ServerAlias localhost
  DocumentRoot "${INSTALL_DIR}/www"
  SSLEngine on
  SSLCertificateKeyFile "/path/to/private.key"
  SSLCertificateFile "/path/to/certificate.crt"
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  <Directory "${INSTALL_DIR}/www/">
    Options +Indexes +Includes +FollowSymLinks +MultiViews
    AllowOverride All
    Require local
  </Directory>
</VirtualHost>

Example HTTP2 / h2 proxy configuration:

<VirtualHost *:443>
  ServerName localhost
  ServerAlias localhost
  SSLEngine on
  SSLCertificateKeyFile "/path/to/private.key"
  SSLCertificateFile "/path/to/certificate.crt"
  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  Protocols h2 http/1.1
  ProtocolsHonorOrder Off
  SSLProxyEngine on
  ProxyPass "/tomcat" "h2://localhost:8080"
  ProxyPassReverse "/tomcat" "https://localhost:8080"
</VirtualHost>