Keytool to OpenSSL Conversion tips

Export the public key (certificate) from a keystore

keytool -export -alias mykey -keystore keystore -file exported.crt

The result is a DER (binary) formatted certificate in exported.crt

openssl x509 -noout -text -in exported.crt -inform der

Now you will want to convert it to another format - PEM - whichis more widely used in applications such as apache and by openssl to dothe pkcs12 conversion.

openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der

Extracting the private key

Download, compile & run ExportPriv crafted from Andrew Morrow‘s posting @
http://forum.java.sun.com/thread.jsp?forum=2&thread=154587&message=449486. The key will be produced to STDOUT. I suggest you redirect > to exported.key

javac ExportPriv.java
java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key

The private key is being exported as PKCS#8 PEM format.To get it into the RSA format that works with Apache (see below) you can issue the following command:
openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

Alternate way to extract the private key

Another option would be purchase Keystore Explorer,which claims to support exporting private keys and keypairs. I haven‘ttried it myself. Let me know if you have and if it works.

[2006-Feb-01] Ambarish Mitra writes:
It(Keystore Explorer) works. It exports the key pair to pkcs12 format.However this feature is not present in the evaluation version.

Combine and convert the extracted public/private key pair into PKCS12 format

A PKCS12 format file is typically suffixed with .p12 or .pfx. It is more commonly used on the Microsoft platform.

Now that you have the private key and public key (certificate) combothat go together you can package them in pkcs12-formatted file... thisshould do the trick.

openssl pkcs12 -export -out exported.pfx -inkey exported.key -in exported-pem.crt

[2004-Oct-22] Dave Kilzer writes:
Thanks foryour "OpenSSL to Keytool Conversion tips" web page. It‘s helped me agreat deal to set up client authentication via SSL between Apache 2 andTomcat 5.

However, I ran into one problem with Apache 2 when using theJava-base64-encoded private key. I wrote up this bug about the issue:

http://issues.apache.org/bugzilla/show_bug.cgi?id=31856

In summary, I had to re-encode the Java-base64-encoded private key using openssl to make it palatable to Apache:

openssl rsa -in privkey-java.key -out privkey.key

I‘m not sure why this is required (or why Apache can‘t decode thebase64-encoded version of the private key created by Java), but itfixed the problem I was seeing.

See Also

For further assistance, check out theopenssl-users list archives and consider posing your question to the list. Another great resource isthe tomcat-users mailing list .
If you need OpenSSL for Windows if can be found here or better yet here.NOTE: I have not used nor do I endorse the Windows port ofOpenSSL. Do not ask me for help using it. I am only providing the linkas a convenience to the poor souls who have not switched to a betterOS.

If I was helpful, please let me know!

$Id: openssl-keytool.html,v 1.5 2006/03/30 16:11:20 mdf Exp $