How to convert a Java keystore (JKS) to PEM format
I’m currently working on a new project where I need to write a service to serve static files to users. Our web application currently runs on Tomcat alone as we don’t have many users (internal users only) and most of the content is dynamic. But with this new project it just seems to make sense to put an Apache web server in front of Tomcat and use the mod_xsendfile module to serve the files, which will also allow us to control which users can access which files.
So I started playing with Apache, mod_xsendfile, and mod_proxy and finally got things working. The last step is to add encryption. The Java keystore format won’t work with Apache, however, so I needed a way to export the certificate and private key from the Java keystore we used for Tomcat and import it to a new PEM file so I can use it with Apache.
If we’re controlling the Certification Authority (CA) I probably would’ve just generated a new certificate, but this is unfortunately not the case in our environment (big company thing). I would need to generate a certificate signing request, open a ticket with corporate IT, wait for approval, wait for someone to do it and send it to me, etc. The process could take a few days so I decided to just do some Googling on how to extract the keys/certificates from the keystore and convert it to PEM which Apache web server will accept.
There doesn’t seem to be a quick way to directly convert from JKS to PEM so I had to convert from JKS to PKCS#12 first, then to PEM.
Here are the steps I took to do the conversion:
1. Export the certificate and private key from the Java keystore into a new PKCS#12 keystore using the Java keytool (C:\Program Files\Java\jre6\bin\keytool.exe by default on Windows).
keytool -importkeystore -srckeystore myapp.jks -destkeystore myapp.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12
2. Convert the new PKCS#12 file (myapp.p12) to PEM using openssl (openssl.exe is in the bin directory of the Apache installation on Windows).
openssl pkcs12 -in myapp.p12 -out myapp.pem
If you’re running Apache on *nix, you’re all set! But if you’re running on Windows (I know, I know), you will need to remove the passphrase from the PEM file.
3. (Optional depending on environment) Create a version of the PEM file with the passphrase removed.
You may get this message when using the certificate in Apache running on Windows:
SSLPassPhraseDialog builtin is not supported on Win32.
The solution is to remove the password/passphrase from the PEM file, so let’s create a version of the PEM file without the passphrase.
openssl rsa -in myapp.pem -out myapp_nopassphrase.pem
openssl x509 -in myapp.pem >>myapp_nopassphrase.pem
Reference myapp_nopassphrase.pem in your httpd.conf, start the Apache service, and you’re good to go!
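The openssl half of the procedure (steps 2 and 3) as shell functions, added here as an example that is not part of the original post, together with two checks worth running before pointing httpd.conf at the passphrase-less file: that the key and certificate actually belong together, and that the key really is unencrypted. It assumes openssl on the PATH; the self-signed input, the alias myapp-dev, the file names and the passphrase "changeit" are constructed for the demo and stand in for the myapp.p12 keytool produced in step 1.

```shell
#!/bin/sh
# Added example, not from the original post: the openssl half of the conversion
# (steps 2 and 3) as shell functions, plus the checks worth running before the
# passphrase-less file is referenced from httpd.conf. Assumes openssl on PATH.
# File names, alias and the passphrase "changeit" are constructed for the demo.
set -eu
umask 077   # every file written below (including the unencrypted key) is owner-only

# Constructed input: a throwaway self-signed key and cert packed into a PKCS#12
# file, standing in for the myapp.p12 that keytool produced in step 1.
make_demo_p12() {
    out=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.crt" \
        -subj "/CN=myapp.example.internal" -days 30 2>/dev/null
    openssl pkcs12 -export -inkey "$out.key" -in "$out.crt" -name myapp-dev \
        -passout "pass:$pw" -out "$out.p12"
}

# Step 2: PKCS#12 -> PEM with the key still encrypted under the same passphrase.
# Step 3: decrypt the key and append the certificate to a second, unencrypted file.
# $1 = input .p12, $2 = PKCS#12 passphrase, $3 = output prefix (e.g. myapp)
p12_to_pem() {
    in_p12=$1; pw=$2; out=$3
    openssl pkcs12 -in "$in_p12" -passin "pass:$pw" -passout "pass:$pw" -out "$out.pem"
    openssl rsa -in "$out.pem" -passin "pass:$pw" -out "${out}_nopassphrase.pem" 2>/dev/null
    openssl x509 -in "$out.pem" >> "${out}_nopassphrase.pem"
}

# Check 1: does the private key in $1 match the certificate in the same file?
# Compares SHA-256 of the public key derived from each; returns 0 on match.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: is the key in $1 stored without a passphrase (what Apache on Win32 needs)?
key_is_unencrypted() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" && return 1
    grep -q 'PRIVATE KEY-----' "$1"
}
# Usage: make_demo_p12 myapp changeit; p12_to_pem myapp.p12 changeit myapp
#        key_matches_cert myapp_nopassphrase.pem && echo "key and cert match"
```

Because the unencrypted key is written under umask 077, the resulting myapp_nopassphrase.pem is readable only by the account that ran the conversion; the Apache service account must be the one that can read it.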