How to convert trust certificate from .jks to .pem?
I have a Java SSL server to which I want my Java SSL client and C++ SSL client to be able to connect. The Java client connects without issues. Now I want to have my C++ SSL client to be able to connect. So for this purpose ,I imagined, that I want to export the serverpub.jks to an .pem file so that my C++ client can load it into its ssl context. But this is not working.
Below is a description of how I created the jks keystores for Java client and server and then how I am trying to export the serverpub.jks to .pem file.
step 1: Generate the Client and Server Keystores
c:\keytool -genkeypair -alias myserverkeys -keyalg RSA -dname "CN=my Server,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore server.jks -storepass password
c:\keytool -genkeypair -alias myclientkeys -keyalg RSA -dname "CN=my Client,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore myclient.jks -storepass password
step 2: Export the server public certificate and create a seperate keystore
c:\keytool -exportcert -alias myserverkeys -file serverpub.cer -keystore myserver.jks -storepass spacex
c:\keytool -importcert -keystore serverpub.jks -alias serverpub -file serverpub.cer -storepass password
step 3: Export the client public certificate and create a seperate keystore
c:\keytool -exportcert -alias myclientkeys -file clientpub.cer -keystore myclient.jks -storepass spacey
c:\keytool -importcert -keystore clientpub.jks -alias clientpub -file clientpub.cer -storepass password
So far so good.
Now here is where I run into problems.
step 4: Convert serverpub.jks to .pem format
c:\keytool -importkeystore -srckeystore serverpub.jks -destkeystore serverpub.p12 -srcstoretype jks -deststoretype pkcs12
And the reply
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias serverpub: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias serverpub not imported.
Do you want to quit the import process? [no]:
What does this mean? What am I doing wrong?
step 5: Would have been
c:\openssl pkcs12 -in serverpub.p12 -out serverpub.pem
But as you can see I couldn't get that far.
I would really appreciate some help understanding how to do this right.
Thanks
Answer
Unfortunately keytool explicitly will not let you export from a trust store since they are of the opinion that PEM files do not support the concept of trusted certificate. So I would use the keystore of cer files instead.
From a cer:
openssl x509 -inform der -in serverpub.cer -out serverpub.pemFrom a keystore:
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12 openssl pkcs12 -in server.p12 -nokeys -out server.cer.pem openssl pkcs12 -in server.p12 -nodes -nocerts -out server.key.pem
or just try
keytool -exportcert -alias myserverkeys -keystore serverpub.jks -rfc -file serverpub.pem