JKS TO PEM

时间:2021-09-14 12:15:32

tomcat 的ssl 会使用到jks,而haproxy的ssl(非tcp代理方式)会使用到pem

如果从tomcat的ssl需要迁移到haproxy的ssl,就需要从jks中读取相关信息生成pem文件。

========================

先通过keytool导出成PKCS12格式(.p12后缀):

$ keytool -importkeystore -srckeystore tankywoo.jks -destkeystore tankywoo.p12 -srcstoretype jks -deststoretype pkcs12

Enter destination keystore password:

Re-enter new password:

Enter source keystore password:

Entry for alias foo successfully imported.

Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

指定源(jks)文件和目标(pkcs)文件的文件名和类型.

执行时输入设置给pkcs12证书的密码, 以及jks证书的密码.

再通过openssl将pkcs12文件导出成pem格式文件.

# 生成key 加密的pem证书

$ openssl pkcs12 -in tankywoo.p12 -out tankywoo.pem

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

# 生成key 非加密的pem证书

$ openssl pkcs12 -nodes -in tankywoo.p12 -out tankywoo.pem

Enter Import Password:

MAC verified OK

也可以分开导出:

导出key:

# 生成加密的key

$ openssl pkcs12 -in tankywoo.p12  -nocerts -out server.key

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

# 生成非加密的key

$ openssl pkcs12 -in tankywoo.p12 -nocerts -nodes -out server.key

Enter Import Password:

MAC verified OK

导出server证书:

$ openssl pkcs12 -in tankywoo.p12  -nokeys -clcerts -out server.crt

Enter Import Password:

MAC verified OK

导出ca证书:

$ openssl pkcs12 -in tankywoo.p12  -nokeys -cacerts -out ca.crt

Enter Import Password:

MAC verified OK

========================
参考:
http://ju.outofmemory.cn/entry/108566
http://*.com/questions/652916/converting-a-java-keystore-into-pem-format#comment1252648_656559

相关文章