How to convert a Java keystore (JKS) to PEM format
Posted on May 8th, 2011
I’m currently working on a new project where I need to write a service to serve static files to users. Our web application currently runs on Tomcat alone as we don’t have many users (internal users only) and most of the content is dynamic. But with this new project it just seems to make sense to put an Apache web server in front of Tomcat and use the mod_xsendfile module to serve the files, which will also allow us to control which users can access which files.
So I started playing with Apache, mod_xsendfile, and mod_proxy and finally got things working. The last step is to add encryption. The Java keystore format won’t work with Apache, however, so I needed a way to export the certificate and private key from the Java keystore we used for Tomcat and import it to a new PEM file so I can use it with Apache.
If we’re controlling the Certification Authority (CA) I probably would’ve just generated a new certificate, but this is unfortunately not the case in our environment (big company thing). I would need to generate a certificate signing request, open a ticket with corporate IT, wait for approval, wait for someone to do it and send it to me, etc. The process could take a few days so I decided to just do some Googling on how to extract the keys/certificates from the keystore and convert it to PEM which Apache web server will accept.
There doesn’t seem to be a quick way to directly convert from JKS to PEM so I had to convert from JKS to PKCS#12 first, then to PEM.
Here are the steps I took to do the conversion:
1. Export the key entry (private key and certificate) from the Java keystore into a new PKCS#12 keystore using the Java keytool (C:\Program Files\Java\jre6\bin\keytool.exe by default on Windows).
keytool -importkeystore -srckeystore myapp.jks -destkeystore myapp.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12
2. Convert the new PKCS#12 file (myapp.p12) to PEM using openssl (openssl.exe is in the bin directory of the Apache installation on Windows).
openssl pkcs12 -in myapp.p12 -out myapp.pem
If you’re running Apache on *nix, you’re all set! But if you’re running on Windows (I know, I know), you will need to remove the passphrase from the PEM file.
3. (Optional depending on environment) Create a version of the PEM file with the passphrase removed.
You may get this message when using the certificate in Apache running on Windows:
SSLPassPhraseDialog builtin is not supported on Win32.
The solution is to remove the password/passphrase from the PEM file, so let’s create a version of the PEM file without the passphrase.
openssl rsa -in myapp.pem -out myapp_nopassphrase.pem
openssl x509 -in myapp.pem >>myapp_nopassphrase.pem
Reference myapp_nopassphrase.pem in your httpd.conf, start the Apache service, and you're good to go!
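The three steps above as shell functions, added here as an example (this is not code from the original post): the store and PEM passwords are passed as arguments instead of typed at prompts, the passphrase-free file is created readable by its owner only since the key is now plaintext on disk, and a final check confirms that the key and certificate in the PEM share the same modulus before httpd.conf points at it. The file names and the myapp-dev alias follow the post; the function names and the assumption that the JKS key password equals the store password are mine.

```shell
#!/bin/sh
# Added example: JKS -> PKCS#12 -> PEM as functions. Assumed names follow
# the post (myapp.jks, myapp.p12, alias myapp-dev); helper names are mine.
set -eu

# Step 1: keytool copies one alias from the JKS into a PKCS#12 keystore.
# Assumes the key password equals the store password (common for Tomcat).
jks_to_p12() {  # args: jks p12 alias storepass
    keytool -importkeystore -srckeystore "$1" -destkeystore "$2" \
        -srcalias "$3" -srcstoretype jks -deststoretype pkcs12 \
        -srcstorepass "$4" -deststorepass "$4" \
        -srckeypass "$4" -destkeypass "$4"
}

# Step 2: PKCS#12 -> PEM. The output holds the passphrase-protected key
# plus the certificate(s). If OpenSSL 3 rejects a file written by an
# old keytool (RC2/3DES), add -legacy to this command.
p12_to_pem() {  # args: p12 pem p12pass pempass
    openssl pkcs12 -in "$1" -out "$2" -passin "pass:$3" -passout "pass:$4"
}

# Step 3: strip the passphrase (Apache on Windows cannot prompt for it)
# and append the certificate. The key is plaintext from here on, so the
# file is created with owner-only permissions (umask inside a subshell).
strip_passphrase() {  # args: pem nopass_pem pempass
    (
        umask 077
        openssl rsa -in "$1" -out "$2" -passin "pass:$3"
        openssl x509 -in "$1" >> "$2"
    )
}

# Sanity check before editing httpd.conf: the private key and the
# certificate in a combined PEM must share the same RSA modulus.
key_matches_cert() {  # args: pem
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl x509 -in "$1" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Typical use is jks_to_p12 myapp.jks myapp.p12 myapp-dev "$STOREPASS", then p12_to_pem, strip_passphrase and key_matches_cert on the resulting files.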
-
Twitter
Posted on March 1st, 2009
I just created a Twitter account. I’ve been seeing a lot of articles about it lately so I decided to finally give it a try. I’m still not sure whether I’m gonna keep using it, but so far I’m liking it a lot. Very simple and easy to use and it looks like it will be a good complement to my blog.
The first thing that actually came to mind when I signed up for an account was how to integrate it with my blog. I found a WordPress plugin called "Twitter Tools" and installed it right away. It seems to work pretty well; you can also use it to post a "tweet" directly from your WordPress blog, and you can even set it to notify Twitter every time you write a new post.
You can view my latest tweets on the sidebar on the right.
-
MindTouch Deki
I’ve been playing with this open source collaboration/wiki/mashup software for a couple of weeks now and I have to say that I’m very impressed with it so far.
I set up a wiki website at work almost two years ago using the MediaWiki engine mainly for sharing documentations, which works fine but it could have been much better if certain features came built-in with it.
MindTouch Deki has all these features that I wanted and a lot more. It’s really designed for enterprise use and that’s why I’m migrating our wiki to this:
- Active Directory/LDAP authentication with SSL/TLS support. There is an LDAP authentication extension for MediaWiki as well which works pretty well but with MindTouch Deki it’s built-in and easier to set up. It also supports groups.
- Access Control. MindTouch Deki lets you set permissions for each page. It uses hierarchical pages so if you set a permission on a page, for example, new pages created under it will automatically inherit its permissions. There’s also a checkbox when setting up the permissions that lets you apply the permissions to all the children pages. Very easy to do and works with LDAP/Active Directory users and groups. MediaWiki on the other hand was not designed for this so the access control extensions you’ll find for it will most likely have flaws.
- WYSIWYG editor. There is an FCKEditor extension for MediaWiki but I find it buggy. The one with MindTouch Deki works really well and you can even copy and paste from Microsoft Word or from another website to it. I also like how the toolbar follows you when you scroll down while editing a page.
- Easily attach files and images. There’s a button to quickly attach files/images to each page. Each page also has a separate section for files and images. You can attach multiple files/images at the same time and MindTouch Deki will automatically detect which are images. The images section gives you a preview of the images. You can also add a description for each file/image.
- Search inside file attachments. By default, MindTouch Deki indexes .doc, .docx, .ppt, .pptx, .xls, .pdf, .odt, .opt, html, and text files.
- Lots of extensions; here are a few of them:
- MySQL – Retrieve data from an external MySQL database as a value, table, list, record, or recordlist and use it in your page. The table is also sortable, by the way. You can also use the retrieved values as inputs to other extensions, like Google maps for example.
- Flickr
- Dapper
- Windows Live (contacts, map, etc.)
- Google (search, map, calendar, spreadsheet, etc.) – Requires Google API key.
- Yahoo!
- AccuWeather
- Atom/RSS feeds
- Media
- Here’s the entire list: MindTouch Deki Extensions
There are still a lot of things for me to play with, so I'm gonna be pretty busy for a while.
Here's the link to download the open source edition: http://wiki.developer.mindtouch.com/MindTouch_Deki/Download