How can I use an SSL certificate generated with Java keytool with Nginx?

Question

I used the Java keytool to generate a "keystore":

keytool -genkey -alias example.com -keyalg RSA -keystore example.com.keystore

Then I generated a CSR (Certificate Signing Request):

keytool -certreq -keyalg RSA -alias example.com -file example.com.csr
-keystore example.com.keystore

Then I issued an certificate and saved it in a textfile example.com.crt

Now I want to use this certificate with Nginx.

I have placed my certificate on /etc/ssl/certs/example.com.cert and I placed my "keystore" (I think it contains my private key?) on /etc/ssl/private/example.com.keystore

Then I configured my Nginx following Nginx, SSL and vhosts. But when I reload the Nginx configuration file I get this error message:

sudo service nginx reload
Reloading nginx configuration: [emerg]: SSL_CTX_use_certificate_chain_file("/etc/ssl/certs/myssl.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)
configuration file /etc/nginx/nginx.conf test failed

When I followed the same guide and generated an SSL-certificate using openssl it worked fine. But using Java keytool I get this error.

How can I use a SSL-certificate and keys from Java keytool with Nginx?

Answer 1

You can't use a keystore with just about anything not written in Java, as far as I know. It's also not possible to extract the key with keytool.

I'd recommend using something like http://www.openssl.org/docs/HOWTO/keys.txt or the easy-rsa-tools included with OpenVPN to generate a new key/certificate-combo, which will by default be generated in a format readable by nginx.

If it is important to extract the key from the keystore, there's a guide at http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips on how to extract it.