Move your Java Keytool SSL Certificate to OpenSSL

Have you ever had to move an SSL certificate from a Java keystore to use on Apache with OpenSSL? It's not an easy task. But Dr. Herong Yang shows us how it is done.

Keep in mind that it is probably easier to just create a new CSR in OpenSSL and reissue your certificate with your certificate authority. But when it is absolutely necessary to use the same private key, you can use a Java program that Dr. Yang wrote to extract the key from a Java keystore:

The other type of questions I received is related to moving keys from "keytool" keystore files to "OpenSSL" key files. Since "keytool" does not support key exporting function, I wrote a Java program to dump keys out of the keystore file. In this chapter, I recorded the following testing scenarios to find a way to move keys from "keytool" keystore files to "OpenSSL" key files:

  • Using "keytool" to generate a private and public key pair.
  • Using "keytool" to export the self-signed certificate from PrivateKeyEntry.
  • Using "keytool" to display details of a certificate.
  • Using "OpenSSL" to view certificate exported by "keytool".
  • Writing "" to dump key pair out of "keytool" keystore files.
  • Using "OpenSSL" to convert dumped key pair from binary to Base64 encoding.
  • Using "OpenSSL" to view key pair dumped and converted from "keytool" keystore files.

Migrating Keys from 'keytool' to 'OpenSSL' - [Dr. Herong Yang's Cryptography Tutorials]

Originally posted on Wed Aug 8, 2007