Extracting SSL Certificates from the Java Keystore for use in Apache

You used keytool to generate a keystore and keypair for a Tomcat (Java) instance. However, you now have a need to extract the certificates from the keystore for use in an Apache (non-Java) web server.

This solution is very easy, yet notoriously hard to come across online. You will find tons of useless documentation on Stack Overflow, Experts Exchange, and other forums. Follow my steps below to extract your private key and SSL certificates from an existing Java Key Store.

First, locate your JKS file

This sounds simple enough, but you will be surprised how many people have an issue finding exactly where their Java Keystore file is. Here is a common Linux command to help you find your .jks file (the glob is quoted so the shell does not expand it before find sees it):

find / -name '*.jks'

Verify the contents are what you are looking for

keytool -list -keystore yourjavakeystore.jks

Export your private key and SSL certificates to a PKCS12 (.p12) keystore

keytool -importkeystore -srckeystore yourjavakeystore.jks -destkeystore output2.p12 -deststoretype PKCS12

Use OpenSSL to open the PKCS12 file and export the key and certificates to .pem (-nodes writes the private key unencrypted)

openssl pkcs12 -in output2.p12 -nodes -out temporary.pem

Extract your private key

  • Open temporary.pem with your text editor of choice
  • Copy from "-----BEGIN PRIVATE KEY-----" to "-----END PRIVATE KEY-----"
  • Save this text as private.key

Extract your certificates

  • Open temporary.pem with your text editor of choice
  • Copy from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----"
  • Save this as your certificate.pem

Note: Often there are multiple SSL certificates in the store. An example would be 3 SSL certificates: one corresponding to your server certificate, one to the intermediate certificate, and one to the root certificate. Depending on your goal, you may require one, two, or all three of these certificates. This discussion is beyond the scope of this document.
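The two copy-and-paste steps above done in one pass, as an added example that is not from the original post: a POSIX shell splitter that takes the temporary.pem written by openssl pkcs12 -nodes, drops the Bag Attributes, friendlyName, subject= and issuer= lines that openssl prints before each block, writes private.key and certificate.pem (every certificate, in the order found), and a check that the key really belongs to the first certificate. The function names and make_sample, which writes a constructed placeholder file so the splitter can be tried without a real keystore, are my own.

```shell
# split_pem: split the temporary.pem written by "openssl pkcs12 -nodes" into
# private.key (the key only) and certificate.pem (every certificate, in order),
# dropping the Bag Attributes/friendlyName/subject=/issuer= lines around them.
split_pem() {                                   # usage: split_pem in.pem outdir
    src="$1"; out="$2"
    mkdir -p "$out"
    awk -v keyfile="$out/private.key" -v certfile="$out/certificate.pem" '
        /^-----BEGIN .*PRIVATE KEY-----$/ { dest = keyfile }
        /^-----BEGIN CERTIFICATE-----$/   { dest = certfile }
        dest != ""                        { print > dest }
        /^-----END /                      { dest = "" }
    ' "$src"
    chmod 600 "$out/private.key"                # -nodes left the key unencrypted
}

# count_certs: how many certificate blocks a PEM file holds (server + chain)
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1"; }

# key_matches_cert: the public key derived from private.key must equal the one
# in the first certificate; prints match, MISMATCH or ERROR (needs openssl).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || { echo ERROR; return 1; }
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || { echo ERROR; return 1; }
    if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; fi
}
# make_sample: write a constructed stand-in for temporary.pem (placeholder
# base64, not a real key or certificates) so the splitter can be tried offline.
make_sample() {                                 # usage: make_sample path
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: tomcat
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: tomcat
subject=CN = www.example.com
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgTEVBRg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRF
-----END CERTIFICATE-----
EOF
}
```

Run it on the real file with `split_pem temporary.pem out && key_matches_cert out/private.key out/certificate.pem`; a MISMATCH means the keystore held more than one key entry and the wrong one was exported.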

Configure Apache

You can use the .key and .pem files to configure Apache. See my page on Renewing Apache SSL Certificates here: http://jgomez.net/renewing-ssl-certificates-for-apache-non-tomcat/
