How to extract private certificate key from java keystore using keytool and openssl

Article ID: 249649

Products

Messaging Gateway

Issue/Introduction

A certificate signing request (CSR) was generated with keytool and signed by a third-party certificate authority, but the signed certificate cannot be imported into Messaging Gateway (SMG) without its private key, which keytool keeps inside the Java keystore. The following process shows how to extract the private key from the keystore and format it, together with the signed certificate, for import into SMG.

Environment

Release : 10.7.5

Component :

Resolution

This may not work for every keystore or private key, depending on the keytool version and on how the CSR was originally created. In particular, PKCS12 files written by older keytool releases are encrypted with RC2/3DES, which OpenSSL 3.x refuses by default; adding -legacy to the openssl pkcs12 command in step 4 works around that.

  1. Create the certificate / key pair (the SAN values are written without spaces after email:, dns: and ip:)
    keytool -genkeypair -alias SMG -keyalg RSA -keysize 2048 -keystore .keystore -validity 365 -storepass storepassword -dname "CN=smg.example.com, O=DOMAIN, C=US" -ext san=email:[email protected],dns:smg.example.com,ip:192.0.2.5
  2. Create the certificate signing request (repeat the same SAN extension so the CA issues a certificate with those names)
    keytool -certreq -alias SMG -keyalg RSA -keystore .keystore -storepass storepassword -file "SMG.csr" -ext san=email:[email protected],dns:smg.example.com,ip:192.0.2.5
  3. Export the key as a pkcs12 file
    keytool -srckeystore .keystore -srcstorepass storepassword -srcalias SMG -destalias SMG -destkeystore private.p12 -deststoretype PKCS12 -deststorepass password -destkeypass password -importkeystore
  4. Convert the pkcs12 file to PEM format (-nodes writes the key unencrypted, so keep the file readable only by the current user and delete it once the import into SMG is done)
    openssl pkcs12 -in private.p12 -nodes -nocerts -out private.key
  5. Remove the PKCS#12 bag attributes that precede the key and rewrite it as a PKCS#1 "RSA PRIVATE KEY" block (the key is already unencrypted after step 4; with OpenSSL 3.x add -traditional to this command, otherwise the output keeps the PKCS#8 "BEGIN PRIVATE KEY" header, which SMG may also accept but which does not match the output shown in step 7)
    openssl rsa -in private.key -out private_nopass.key
  6. Append the private key to the signed certificate pem file
    cat private_nopass.key >> signed_certificate.pem
  7. Confirm formatting
    cat signed_certificate.pem
    -----BEGIN CERTIFICATE-----
    [certificate data redacted]
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    [key data redacted]
    -----END RSA PRIVATE KEY-----
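Steps 3 to 7 above as one script, added here as an example that is not part of the original article: the keytool and openssl steps are wrapped in functions, the key is rewritten to PKCS#1 on both OpenSSL 1.x and 3.x, and the key is checked against the signed certificate (same public key) before the two are concatenated, so a wrong alias or wrong keystore is caught before the SMG import fails. The keystore name, alias and passwords are the article's placeholders; signed_certificate.pem as the CA-issued certificate and signed_certificate_with_key.pem as the output bundle are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: keystore -> PKCS12 -> PEM key,
# then bundle with the signed certificate only after proving the key matches it.
# Assumed names: .keystore / alias SMG / storepassword (the article's placeholders),
# signed_certificate.pem as the CA-issued cert, signed_certificate_with_key.pem as
# the file to import into SMG.
set -eu
umask 077   # every file written below, including the unencrypted key, is owner-only

# Steps 3 and 4: export the alias to a temporary PKCS12, then to an unencrypted
# PKCS#8 PEM (needs keytool). Add -legacy to openssl pkcs12 on OpenSSL 3.x if the
# keystore came from an old keytool that used RC2/3DES.
extract_key_from_keystore() {
  ks=$1 ks_alias=$2 storepass=$3 out=$4
  tmpdir=$(mktemp -d)
  keytool -importkeystore -srckeystore "$ks" -srcstorepass "$storepass" \
    -srcalias "$ks_alias" -destalias "$ks_alias" -destkeystore "$tmpdir/key.p12" \
    -deststoretype PKCS12 -deststorepass "$storepass" -destkeypass "$storepass"
  openssl pkcs12 -in "$tmpdir/key.p12" -passin "pass:$storepass" -nodes -nocerts -out "$out"
  rm -rf "$tmpdir"
}

# Step 5: drop the bag attributes and write a PKCS#1 "RSA PRIVATE KEY" block.
# OpenSSL 3.x needs -traditional for that header; OpenSSL 1.x lacks the flag
# but writes PKCS#1 by default, so fall back to the plain command.
to_pkcs1() {
  openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null \
    || openssl rsa -in "$1" -out "$2"
}

# Steps 6 and 7: refuse to bundle unless the key's public half is the one in the
# certificate (identical SubjectPublicKeyInfo), then write cert + key and check
# that exactly two PEM blocks are present.
bundle_and_check() {
  cert=$1 key=$2 out=$3
  cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  key_spki=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  if [ "$cert_spki" != "$key_spki" ]; then
    echo "refusing to bundle: $key does not match $cert" >&2
    return 1
  fi
  cat "$cert" "$key" > "$out"
  [ "$(grep -c '^-----BEGIN' "$out")" -eq 2 ]
}

main() {
  extract_key_from_keystore .keystore SMG storepassword private.key
  to_pkcs1 private.key private_nopass.key
  bundle_and_check signed_certificate.pem private_nopass.key signed_certificate_with_key.pem
  rm -f private.key private_nopass.key   # only the bundle needs to survive
  echo "wrote signed_certificate_with_key.pem"
}

# Run the full procedure only when invoked as: sh extract_key.sh run
if [ "${1:-}" = run ]; then main; fi
```

The public-key comparison is the check worth keeping even if the rest is done by hand: the certificate's public key and the extracted key's public key are both printed as PEM SubjectPublicKeyInfo, so hashing them and comparing catches a key that belongs to a different alias before SMG rejects the upload.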