Keytool to OpenSSL Conversion tips
Introduction
You may find yourself in a situation where you have a JKS-format keystore, and need to extract the certificate and private key. With the keytool program you can only extract the certificate (public key), so a separate tool is needed (such as 'ExportPriv' or 'Keystore Explorer') to export the private key. Then the certificate and private key (sometimes called a "key-pair") can be combined into a PKCS12 file, or just left separate depending on your needs.
Tools
Besides the obvious OpenSSL and Keytool, listed below are some tools that can be used to convert from the keystore format to the PEM/DER formats used by openssl.
ExportPriv
This little Java utility is now a hosted project on Google Code at https://code.google.com/p/java-exportpriv/
The details of how to compile and use it are explained on the wiki pages.
Keystore Explorer
Another way to extract the key is to purchase Keystore Explorer, which claims to support exporting private keys and key-pairs. I haven't tried it myself. Let me know if you have and if it works.
It (Keystore Explorer) works. It exports the key pair to pkcs12 format. However this feature is not present in the evaluation version. --Ambarish Mitra, 2006-Feb-01
KeyTool-IUI
There is a freeware tool called KeyTool-IUI that will do it as well. [1]. I just used it to pull the key out.
Portecle
Portecle is a free java application that can be used to export the private key (in RSA format) and a certificate into one file in PEM or PKCS12 format. The result can be used directly to configure HTTPS with APR in tomcat.
KeyStoreBuilder
KeyStoreBuilder (part of Not-Yet-Commons-SSL) converts PKCS12 and PKCS8 to/from Java "Keystore".
Check it out http://juliusdavies.ca/commons-ssl/
--Julius Davies, 2007-Feb-9
Combine extracted public/private keys into PKCS#12 format
A PKCS12 format file is typically suffixed with .p12 or .pfx.
Once you have the private key and public key (certificate) combo that go together you can package them in pkcs12-formatted file... this should do the trick for using with IIS, for example.
openssl pkcs12 -export -out exported.pfx -inkey exported.key -in exported-pem.crt
Quips, quotes and other user comments
Thanks for your "OpenSSL to Keytool Conversion tips" web page. It's helped me a great deal to set up client authentication via SSL between Apache 2 and Tomcat 5.
IMPORTANT NOTE: Fix for problem below committed as of r10 (2011-09-30).
However, I ran into one problem with Apache 2 when using the Java-base64-encoded private key. I wrote up a bug report about the issue.
In summary, I had to re-encode the Java-base64-encoded private key using openssl to make it palatable to Apache:
openssl rsa -in privkey-java.key -out privkey.key
I'm not sure why this is required (or why Apache can't decode the base64-encoded version of the private key created by Java), but it fixed the problem I was seeing.
--Dave Kilzer, 2004-Oct-22
I had to insert line breaks after 64 chars in ExportPriv.java for it to work in nginx:
char[] b64 = Base64Coder.encode(privKey.getEncoded());
byte[] b64b = new byte[b64.length];
for (int c = 0; c < b64.length; c++) {
b64b[c] = (byte) b64[c];
}
System.out.println("-----BEGIN PRIVATE KEY-----");
for (int c = 0; c < b64b.length; c+=64) {
int l = Math.min(64, b64b.length - c);
System.out.write(b64b, c, l);
System.out.println();
}
System.out.println("-----END PRIVATE KEY-----");
--Elecnix 18:43, 13 February 2009 (UTC).
Additional help and information
You can also check out the openssl-users mailing list archives and consider posing your question to the list.
Another great resource is the tomcat-users mailing list.
If you need OpenSSL for Windows if can be found here or better yet here.
My thanks to Alexey Zilber who provided the patch which enables compilation of ExportPriv.java under Java2 SDK 1.6. --User:Fostermarkd 2007-01-13
NOTE: I have not used nor do I endorse the Windows port of OpenSSL. Do not ask me for help using it. I am only providing the link as a convenience to the poor souls who have not switched to a better OS. --User:Fostermarkd
NOTE: I cleaned up the code for ExportPriv.java a bit - you can get it here
Also note that for Windows, openssl works fine on cygwin. --Rfreedman 14:35, 30 October 2007 (PDT)