How to Extract .key and .crt Files from a JKS Keystore for Apache HTTPD SSL Configuration


When working with Apache HTTPD servers, SSL/TLS configuration typically requires two separate files: a certificate file (.crt) and a private key file (.key). However, many Java applications use JKS (Java KeyStore) files for certificate storage. Here's how to properly convert these formats.

Ensure you have OpenSSL and Java keytool installed:

# Check OpenSSL version
openssl version

# Check keytool availability
keytool -help

1. Extract the PKCS12 File from JKS

First convert the JKS to PKCS12 format:

keytool -importkeystore \
  -srckeystore mycert.jks \
  -destkeystore mycert.p12 \
  -deststoretype PKCS12 \
  -srcstorepass yourpassword \
  -deststorepass yourpassword

2. Extract Private Key (.key file)

Use OpenSSL to extract the private key:

openssl pkcs12 -in mycert.p12 \
  -nocerts \
  -out server.key \
  -passin pass:yourpassword \
  -passout pass:yourpassword

# Remove the passphrase if needed (mod_ssl would otherwise prompt for it at
# every httpd start). This command handles RSA keys only; keep the
# unencrypted output readable by its owner alone (e.g. mode 600).
openssl rsa -in server.key -out server.key.unencrypted

3. Extract Certificate (.crt file)

Extract the certificate chain:

openssl pkcs12 -in mycert.p12 \
  -clcerts \
  -nokeys \
  -out server.crt \
  -passin pass:yourpassword

If you encounter the "PEM_read_bio:no start line" error:

# Verify file contents
file server.crt
file server.key

# Check for proper PEM format
head -n 1 server.crt
# Should show: -----BEGIN CERTIFICATE-----

Configure httpd.conf with the extracted files:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key.unencrypted
    
    # For intermediate certificates. SSLCertificateChainFile is deprecated since
    # httpd 2.4.8; newer versions also read intermediates appended to SSLCertificateFile.
    SSLCertificateChainFile /path/to/intermediate.crt
</VirtualHost>

After configuration:

# Check Apache config
apachectl configtest

# Verify SSL connection
openssl s_client -connect yourdomain:443 -showcerts

Java KeyStore (JKS) files are commonly used in Java environments, but Apache HTTPD requires PEM format certificates. Let me walk you through the complete extraction process I've used successfully in production environments.

Ensure you have OpenSSL and keytool installed:

openssl version
keytool -help

First convert JKS to PKCS12 format, then extract the private key:

# keytool prompts for the source and destination store passwords
keytool -importkeystore -srckeystore mycert.jks \
  -destkeystore mycert.p12 -deststoretype PKCS12

openssl pkcs12 -in mycert.p12 -nocerts -out server.key -nodes

Now extract the certificate chain:

openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out server.crt

Check the extracted files' validity:

openssl x509 -in server.crt -text -noout
openssl rsa -in server.key -check

The error you encountered typically indicates either:

  • Incorrect file format (not proper PEM)
  • Certificate chain issues
  • Mismatched key-certificate pair

To fix the specific error you saw:

# Rewrite the certificate as clean PEM (drops the "Bag Attributes" header
# lines that openssl pkcs12 emits)
openssl x509 -in server.crt -out server.pem -outform PEM

# Verify the certificate against your CA's chain bundle (intermediate and
# root certificates), not against itself
openssl verify -CAfile ca-bundle.crt server.crt

Here's a complete virtual host configuration:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateChainFile /path/to/ca-bundle.crt
    
    # Recommended security settings
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

If you prefer sticking with Java tools:

# keytool exports only the certificate (DER); it cannot export the private
# key, which still has to come out via the PKCS12 route above
keytool -exportcert -alias myalias -keystore mycert.jks -file server.cer

# Convert DER to PEM
openssl x509 -inform der -in server.cer -out server.crt
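Both answers list a DER-encoded file and a mismatched key/certificate pair as causes of the "PEM_read_bio:no start line" problem, but only check the PEM header by hand. This added shell script (not from either answer) takes the PKCS12 produced by keytool, extracts server.key and server.crt, and then tests both conditions before the files go into httpd.conf; the function names and the OPENSSL variable are my own, and it assumes OpenSSL 1.1 or newer.

```shell
#!/bin/sh
# Added example: extract PEM files from a PKCS12 and verify them.
# File names (server.key, server.crt) follow the answers above.
OPENSSL="${OPENSSL:-openssl}"

# extract_from_p12 <file.p12> <password> <outdir>
# Writes <outdir>/server.key (unencrypted, for mod_ssl, mode 0600) and
# <outdir>/server.crt (leaf certificate only, like -clcerts above).
extract_from_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    # umask 077 so the unencrypted key is never world-readable, even briefly
    (umask 077 && "$OPENSSL" pkcs12 -in "$p12" -nocerts -nodes \
        -passin "pass:$pass" -out "$out/server.key") || return 1
    "$OPENSSL" pkcs12 -in "$p12" -clcerts -nokeys \
        -passin "pass:$pass" -out "$out/server.crt" || return 1
    # chmod as well, in case server.key already existed with wider permissions
    chmod 600 "$out/server.key"
    chmod 644 "$out/server.crt"
}

# pem_is_cert <file>: true if the file contains a PEM certificate block.
# openssl pkcs12 output begins with "Bag Attributes" lines, which PEM
# readers skip, so look for the BEGIN marker on any line rather than line 1.
# A DER file, the usual cause of "no start line", has no such marker.
pem_is_cert() { grep -q '^-----BEGIN CERTIFICATE-----' "$1"; }

# pem_is_key <file>: accepts PKCS#8 and traditional RSA/EC headers.
pem_is_key() { grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; }

# key_matches_cert <key> <crt>: compares the public key embedded in the
# certificate with the one derived from the private key. `openssl pkey`
# handles RSA and EC keys alike, unlike `openssl rsa`.
key_matches_cert() {
    cert_pub=$("$OPENSSL" x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$("$OPENSSL" pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Run `extract_from_p12 mycert.p12 yourpassword /etc/httpd/ssl` and then the two checks on the resulting files; a non-zero exit from key_matches_cert means the keystore alias you exported does not belong to that certificate.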