37

I have the mycert.jks file only. Now I need to extract and generate the .key and .crt files and use them in the Apache httpd server.

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt 
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key 

Can anybody list all the steps to get this done? I searched, but there is no concrete example to understand, only mixed and matched steps.

Please suggest!

[EDIT] Getting an error after following the steps from the answer below.

[8/21/2015 9:07 PM] Sohan Bafna:
    [Fri Aug 21 15:32:03.008511 2015] [ssl:emerg] [pid 14:tid 140151694997376] AH02562: Failed to configure certificate 0.0.0.0:4545:0 (with chain), check /home/certs/smp_cert_key_store.crt
    [Fri Aug 21 15:32:03.008913 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Fri Aug 21 15:32:03.008959 2015] [ssl:emerg] [pid 14:tid 140151694997376] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Sohan
  • 829

4 Answers

60

.jks is a keystore, which is a Java thing.

Use the keytool binary from Java.

export the .crt:

keytool -export -alias mydomain -file mydomain.der -keystore mycert.jks

convert the cert to PEM:

openssl x509 -inform der -in mydomain.der -out certificate.pem

export the key:

keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12

convert PKCS12 key to unencrypted PEM:

openssl pkcs12 -in keystore.p12  -nodes -nocerts -out mydomain.key

credits:

exeral
  • 1,922
35

Here is what I do,

First export the key:

keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12

For the Apache SSL certificate file you need the certificate only:

openssl pkcs12 -in keystore.p12 -nokeys -out my_key_store.crt

For SSL key file you need only keys:

openssl pkcs12 -in keystore.p12 -nocerts -nodes -out my_store.key
Saikat
  • 111
Sohan
  • 829
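Added example, not part of the answers above: a pre-flight check for the two files these steps produce, run before Apache is pointed at them. It reports a file that has no PEM BEGIN line of the expected kind (what "no start line" in the question's log refers to) and compares the public keys of the certificate and the key. The function names and file arguments are placeholders, and the last step assumes the openssl binary is installed.

```sh
#!/bin/sh
# Added example (not from the original answers): check the two files before
# pointing SSLCertificateFile / SSLCertificateKeyFile at them.
# Usage (file names are placeholders): sh check_pair.sh server.crt server.key

# Classify a file by the PEM BEGIN lines it contains.
pem_kind() {
    has_cert=0
    has_key=0
    grep -q -e '-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$1" && has_cert=1
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" && has_key=1
    case "$has_cert$has_key" in
        10) echo cert ;;
        01) echo key ;;
        11) echo cert+key ;;
        *)  echo not-pem ;;   # e.g. the DER output of "keytool -export"
    esac
}

# Succeed only if $1 is a PEM certificate, $2 a PEM private key, and both
# carry the same public key. Needs the openssl binary for the last step.
check_pair() {
    crt_kind=$(pem_kind "$1")
    key_kind=$(pem_kind "$2")
    if [ "$crt_kind" != cert ]; then
        echo "$1: expected a PEM certificate, found $crt_kind" >&2
        return 1
    fi
    if [ "$key_kind" != key ]; then
        echo "$2: expected a PEM private key, found $key_kind" >&2
        return 1
    fi
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1   # prompts if the key is encrypted
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate and key hold different public keys" >&2
        return 1
    fi
    echo "ok: $1 and $2 match"
}

if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Since the key file written with -nodes is unencrypted, keep it readable only by the account that starts httpd.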
-1

Generate p12 from JKS

/opt/apps/java/java/bin/keytool -importkeystore -srckeystore certname.jks -srcstoretype JKS -srcalias cert -destkeystore cert.p12 -deststoretype PKCS12

Generate pem from p12

openssl pkcs12 -in cert.p12 -out cert.pem

Generate cert from pem

openssl x509 -outform der -in cert.pem -out cert.crt

Generate key from pem

openssl pkey -in cert.pem -out cert.key
  Enter the pass phrase for cert.pem
mcchots
  • 103
Raju
  • 1
-1

Found answer here:

https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate?page=2&tab=Votes

It shows how to create a crt from a jks keystore file in Chrome on Windows:

  • Go to the URL in the browser that uses the jks, with the red line, and there will be a lock symbol to the left

  • By clicking on the "Not secure" part, an information dialog opens up

  • Click on Certificate (invalid) and, when it opens, click on Details

  • Press Copy to File... and follow the instructions

At the end you have the keystore file in crt

Zeghra
  • 99