I have a Java SSL server to which I want my Java SSL client and C++ SSL client to be able to connect. The Java client connects without issues. Now I want to have my C++ SSL client be able to connect. So for this purpose, I imagined that I want to export the serverpub.jks to a .pem file so that my C++ client can load it into its SSL context. But this is not working.
Below is a description of how I created the jks keystores for Java client and server and then how I am trying to export the serverpub.jks to .pem file.
step 1: Generate the Client and Server Keystores
c:\keytool -genkeypair -alias myserverkeys -keyalg RSA -dname "CN=my Server,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore server.jks -storepass password
c:\keytool -genkeypair -alias myclientkeys -keyalg RSA -dname "CN=my Client,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore myclient.jks -storepass password
step 2: Export the server public certificate and create a separate keystore
c:\keytool -exportcert -alias myserverkeys -file serverpub.cer -keystore myserver.jks -storepass spacex
c:\keytool -importcert -keystore serverpub.jks -alias serverpub -file serverpub.cer -storepass password
step 3: Export the client public certificate and create a separate keystore
c:\keytool -exportcert -alias myclientkeys -file clientpub.cer -keystore myclient.jks -storepass spacey
c:\keytool -importcert -keystore clientpub.jks -alias clientpub -file clientpub.cer -storepass password
So far so good.
Now here is where I run into problems.
step 4: Convert serverpub.jks to .pem format
c:\keytool -importkeystore -srckeystore serverpub.jks -destkeystore serverpub.p12 -srcstoretype jks -deststoretype pkcs12
And the reply:
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias serverpub: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias serverpub not imported.
Do you want to quit the import process? [no]:
What does this mean? What am I doing wrong?
step 5: Would have been
c:\openssl pkcs12 -in serverpub.p12 -out serverpub.pem
But as you can see I couldn't get that far.
I would really appreciate some help understanding how to do this right.
Thanks
Unfortunately keytool explicitly will not let you export from a trust store since they are of the opinion that PEM files do not support the concept of trusted certificate. So I would use the keystore of cer files instead.
From a cer:
openssl x509 -inform der -in serverpub.cer -out serverpub.pem
From a keystore:
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12
openssl pkcs12 -in server.p12 -nokeys -out server.cer.pem
openssl pkcs12 -in server.p12 -nodes -nocerts -out server.key.pem
or just try
keytool -exportcert -alias myserverkeys -keystore serverpub.jks -rfc -file serverpub.pem
The following simple single line command will export the certificate to PEM format. Yes, you need openssl, keytool alone can't do this.
keytool -exportcert -alias <CERT-ALIAS> -keystore <KEYSTORE-FILE> | openssl x509 -inform DER >cert.pem
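Both answers come down to the same point: the .cer that `keytool -exportcert` writes is already the DER encoding of the certificate, and the PEM form an OpenSSL client expects (for example via SSL_CTX_load_verify_locations()) is nothing more than that DER, base64-encoded in 64-character lines between BEGIN/END CERTIFICATE markers. The following is an added example, not code from the question or either answer, that performs that conversion in Python's standard library, validates the outer ASN.1 SEQUENCE length before trusting the bytes, and assembles several certificates into one PEM truststore bundle. The DER samples inside it are constructed stand-ins (a bare SEQUENCE), not real certificates, so the parsing here covers only the outer envelope that `openssl x509 -inform der` would go on to decode in full.

```python
"""DER <-> PEM conversion for certificates exported from a JKS truststore.

Added example, not part of the original question or answers. The sample DER
bytes are constructed ASN.1 stand-ins, not real X.509 certificates.
"""
import base64
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_outer_length(der: bytes) -> int:
    """Parse the outer ASN.1 SEQUENCE header and return the total encoded size.

    A certificate written by `keytool -exportcert` (without -rfc) is exactly one
    DER SEQUENCE, so the header must account for every byte in the file.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    nbytes = first & 0x7F                 # long form: next nbytes hold the length
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        raise ValueError("bad DER length encoding")
    length = int.from_bytes(der[2:2 + nbytes], "big")
    return 2 + nbytes + length


def validate_der(der: bytes) -> None:
    """Reject truncated or padded input before it is wrapped as PEM."""
    total = der_outer_length(der)
    if total != len(der):
        raise ValueError(f"DER length mismatch: header says {total} bytes, got {len(der)}")


def der_to_pem(der: bytes) -> str:
    """Equivalent of `openssl x509 -inform der -in x.cer -out x.pem` for the envelope."""
    validate_der(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # PEM uses 64-char lines
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> list:
    """Return every CERTIFICATE block in a PEM bundle as DER bytes.

    A truststore PEM (the file an OpenSSL client loads with
    SSL_CTX_load_verify_locations()) may contain several certificates.
    """
    pattern = re.compile(
        r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
    )
    certs = []
    for match in pattern.finditer(pem):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        validate_der(der)
        certs.append(der)
    return certs


def build_truststore_pem(*ders: bytes) -> str:
    """Concatenate PEM certificates into one bundle file."""
    return "".join(der_to_pem(d) for d in ders)


# Constructed samples (stand-ins, not real certificates):
# SEQUENCE { INTEGER 1 } using short-form length
SAMPLE_DER_SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
# SEQUENCE { OCTET STRING of 197 bytes } using long-form length (0x81 0xC8 = 200)
SAMPLE_DER_LONG = bytes([0x30, 0x81, 0xC8, 0x04, 0x81, 0xC5]) + b"A" * 197


if __name__ == "__main__":
    bundle = build_truststore_pem(SAMPLE_DER_SHORT, SAMPLE_DER_LONG)
    print(bundle)
    print("round trip ok:", pem_to_der(bundle) == [SAMPLE_DER_SHORT, SAMPLE_DER_LONG])
```

Writing `build_truststore_pem(...)` to a file gives the same kind of bundle the `openssl x509` step produces, and `pem_to_der` is the check to run on a bundle before handing it to a client: a length mismatch there means the export was truncated or the wrong file (for example a JKS rather than a .cer) was fed in.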