EN
*.jks file (Java KeyStore repository) to apache2 *.key and *.crt conversion
6 points
In this article we would like to show how to convert *.jks file (Java KeyStore repository) to apache2 *.key file (with private RSA key) and *.crt file (with certificate).
Note: in below examples
password/pass phrasewere set tomy_secret_passwordto simplyfy examples.
To make conversion do following steps:
Use following command:
xxxxxxxxxx1
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12Where: keystore.jks and keystore.p12 should be replaced with own names of files if it is necessary.
Output:
xxxxxxxxxx1
Importing keystore keystore.jks to keystore.p12...2
Enter destination keystore password:3
Re-enter new password:4
Enter source keystore password:5
Entry for alias my_key successfully imported.6
Import command completed: 1 entries successfully imported, 0 entries failed or cancelledWhere:
Enter destination keystore password:andRe-enter new password:required to type new password for created *.p12 file,Enter source keystore password:requred to type password for *.jks that was source file,my_keywas alias that describes stored private key and certificate.
Use following command:
xxxxxxxxxx1
openssl pkcs12 -in keystore.p12 -out keystore.pemOutput:
xxxxxxxxxx1
Enter Import Password:2
Enter PEM pass phrase:3
Verifying - Enter PEM pass phrase:Where:
Enter Import Password:requred to type password for *.p12 that was source file,Enter PEM pass phrase:andVerifying - Enter PEM pass phrase:required to type new password for created *.pem file,
It is necessary to do it manually.
We have keystore.pem that we want to split to private.key and certificate.crt files.
keystore.pem looks following way:
xxxxxxxxxx1
Bag Attributes2
friendlyName: my_key3
localKeyID: 54 69 6D 65 20 31 36 30 33 36 33 38 39 33 35 33 33 30 4
Key Attributes: <No Attributes>5
-----BEGIN ENCRYPTED PRIVATE KEY-----6
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI2l0N+2E3qWkCAggA7
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEtowzZYCB6gBIIEyGFY1HpPFi1o8
...9
...10
HsqbUaeb6U4B63yHVIxSpTg8Ff4eTJvgCn7REqecMfKqbaTAzh5VnNUcA5WX5OFH11
xBSv+u2sI/HCRxtT074SFV5VYI5y7oyHn4QIoMu4wbbk/sv9u/JMyjvTyUOKI1hU12
btsm+9dz7ppWFzZrM8B0/w==13
-----END ENCRYPTED PRIVATE KEY-----14
Bag Attributes15
friendlyName: my_key16
localKeyID: 54 69 6D 65 20 31 36 30 33 36 33 38 39 33 35 33 33 30 17
subject=C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown18
19
issuer=C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown20
21
-----BEGIN CERTIFICATE-----22
MIIDdzCCAl+gAwIBAgIEWW1HujANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdV23
bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD24
...25
...26
gUS6C5g7l2irjUdADKCTlqy4a0lAWopoEo94nW/JtAfkIpevoIJc3JYJHzU2x00K27
iwBS4VFe101EVUMBgSqQbiArftpGWfeLOGD+tFhJU37Yjs2+vj5MxS4Vk6kox0Zh28
4tGZQ735dGerX3IWsm7ZV1yOSGJqKYqPI8vO29
-----END CERTIFICATE-----30
We want to create:
- private.key file with content:
xxxxxxxxxx1
-----BEGIN ENCRYPTED PRIVATE KEY-----2
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI2l0N+2E3qWkCAggA3
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECEtowzZYCB6gBIIEyGFY1HpPFi1o4
...5
...6
HsqbUaeb6U4B63yHVIxSpTg8Ff4eTJvgCn7REqecMfKqbaTAzh5VnNUcA5WX5OFH7
xBSv+u2sI/HCRxtT074SFV5VYI5y7oyHn4QIoMu4wbbk/sv9u/JMyjvTyUOKI1hU8
btsm+9dz7ppWFzZrM8B0/w==9
-----END ENCRYPTED PRIVATE KEY------ certificate.crt file with content:
xxxxxxxxxx1
-----BEGIN CERTIFICATE-----2
MIIDdzCCAl+gAwIBAgIEWW1HujANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdV3
bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYD4
...5
...6
gUS6C5g7l2irjUdADKCTlqy4a0lAWopoEo94nW/JtAfkIpevoIJc3JYJHzU2x00K7
iwBS4VFe101EVUMBgSqQbiArftpGWfeLOGD+tFhJU37Yjs2+vj5MxS4Vk6kox0Zh8
4tGZQ735dGerX3IWsm7ZV1yOSGJqKYqPI8vO9
-----END CERTIFICATE-----Use following command:
xxxxxxxxxx1
openssl.exe" rsa -in private.key -out private.key Where: private.key should be replaced with own names of files if it is necessary.
Output:
xxxxxxxxxx1
Enter pass phrase for private.key:2
writing RSA keyWhere:
Enter pass phrase for private.key:requred to type password for *.key that was source file.
Now private.key file content should look like:
xxxxxxxxxx1
-----BEGIN RSA PRIVATE KEY-----2
MIIEowIBAAKCAQEAgvrPXmOjfGKQZEwqUaNX+ssJdwfoAyUCu96xDsVtFpfKQsw83
CjiYbNFluFxkxBDihb/E5ORFmIDDCruu0Qyv5S3X7LEQ9dEo/KCihCh/vBF1Gwjg4
...5
...6
an++UQKBgDoQCWDOJmq9V06qSc7PkXpvBHKAXb9zzYnWX8xmga2wg3+Wp3ADbayK7
CtWF4d+LaPVk7TUV/c8orzXPsLoN6aYIookNIBtN/R/1sQy0WV7nqp71Fu9q3W/+8
Iqumvy0b/d6PSv7C65KHnixfwQdEtiICSeb3/D3Bw/IKuUGTg7sU9
-----END RSA PRIVATE KEY-----10
Now we can use private.key and certificate.crt to configure VirtualHost.
Note: read this or this article to know more about below examples.
Example HTTPS configuration:
xxxxxxxxxx1
<VirtualHost *:443>2
ServerName localhost3
ServerAlias localhost4
DocumentRoot "${INSTALL_DIR}/www"5
SSLEngine on6
SSLCertificateKeyFile "/path/to/private.key"7
SSLCertificateFile "/path/to/certificate.crt"8
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.19
<Directory "${INSTALL_DIR}/www/">10
Options +Indexes +Includes +FollowSymLinks +MultiViews11
AllowOverride All12
Require local13
</Directory>14
</VirtualHost>Example HTTP2 / h2 proxy configuration:
xxxxxxxxxx1
<VirtualHost *:443>2
ServerName localhost3
ServerAlias localhost4
SSLEngine on5
SSLCertificateKeyFile "/path/to/private.key"6
SSLCertificateFile "/path/to/certificate.crt"7
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.18
Protocols h2 http/1.19
ProtocolsHonorOrder Off10
SSLProxyEngine on11
ProxyPass "/tomcat" "h2://localhost:8080"12
ProxyPassReverse "/tomcat" "https://localhost:8080"13
</VirtualHost>