
I created a KeyStore and from that KeyStore I generated a CSR file. When I received the signed certificate from the CA, I imported the root and intermediate certificates and the signed certificate into my KeyStore.

After I added the signed certificate I got the "certificate reply was installed in keystore" response. In this format I can use my KeyStore in Tomcat. However, for another application container I need a PEM-encoded file containing only the private key. When I try to export the private key as follows:

```shell
# convert the JKS keystore to PKCS#12 (no -srcalias, so every entry is copied)
keytool -importkeystore -srckeystore server.jks -destkeystore server.pkcs \
        -srcstoretype JKS -deststoretype PKCS12

# dump the PKCS#12 contents as PEM
openssl pkcs12 -in server.pkcs -out server.pem
```

I am getting a PEM file which only contains certificate info, and not the private key.

So is it possible to export the private key after establishing a certificate chain in the KeyStore? If it is, then how?

  • I've just noticed that there is a vote to re-open, since I marked it as a duplicate yesterday. Please feel free to leave a comment saying why it should be re-opened. I'm quite happy to re-consider and admit I got it wrong. (Although I've recently got the "super-power" to close as duplicate on my own, I'm not sure I can undo it on my own, but that's a different thing...) – Bruno Jul 08 '14 at 11:49
  • Well, I did not vote to re-open :) My question seems to be a little different from the question you mention, but actually the two questions have the same answers, and your answer worked for me :) So I do not see a reason to re-open. – Murat Güvenç Jul 12 '14 at 11:06
  • [This](http://stackoverflow.com/questions/3730236/how-can-i-migrate-ssl-from-tomcat-to-apache-httpd) is the question where I got the answer. – Murat Güvenç Jul 12 '14 at 11:11

1 Answer

You will not be able to extract your private key from a signed certificate.

Your signed certificate is presented in its entire form to all users who visit your website so they can verify your site is who it claims to be.

If you could extract your key from your signed certificate, then anyone who visits your site could do this as well.

If this is lost, you will need to request a new certificate after generating a new key pair and CSR.

  • I am not trying to export the private key from the signed certificate, I am trying to export the private key from the keystore which contains a certificate chain. – Murat Güvenç Jul 07 '14 at 20:20
  • You never added the private key to the keystore? In your words "I imported root and intermediate certificates to my keystore and finally my signed certificate. " – Martin Konecny Jul 07 '14 at 20:22
  • I guess that is where I went in the wrong direction; yes, I never imported a private key. I didn't even know I should add it, since it is working fine on Tomcat. – Murat Güvenç Jul 07 '14 at 20:28
  • Are you sure Tomcat is running with https correctly? The private key needs to be available to Tomcat somewhere. – Martin Konecny Jul 07 '14 at 20:30
  • Yes it is. I actually think that the keystore is storing the private key and therefore it can create a certificate chain; once I tried to import a different certificate (not generated from that keystore) into a keystore, I got "private-public key not matching", and this is the main reason why I think that way. – Murat Güvenç Jul 07 '14 at 20:34
  • The only other thing I can think of is to make sure you specify the `-srcalias` argument. See here: http://stackoverflow.com/a/2641032/276949 - best of luck. – Martin Konecny Jul 07 '14 at 20:38
  • Well, that is something I did not try, thanks for the advice. – Murat Güvenç Jul 07 '14 at 20:48
  • The answer is not correct. You need to find the private key file that you already had when you generated the CSR. The CA did not use this key for any purpose, as the CA never had it. The CA used its own private key to sign the CSR, and the CA's own private key is completely irrelevant and completely inaccessible to you. – user207421 Jul 08 '14 at 00:38
  • @EJP: Read my comments plz. – Martin Konecny Jul 08 '14 at 00:38
  • Your comments do not address the fact that the final paragraph of your answer is nonsense. – user207421 Jul 08 '14 at 00:41
  • You are correct. The CA signs your certificate with their own private key. Some certificate authorities will autogenerate a private key on your behalf, and I made it sound like that key was used to sign the cert. – Martin Konecny Jul 08 '14 at 00:48
  • I've heard that, with some incredulity. A private key generated by someone else isn't private at all, and completely worthless for the purpose it is created for. – user207421 Jul 08 '14 at 00:51
  • @MartinKonecny, it looks like the OP first created the JKS keystore and created a CSR within that keystore with `keytool` (which would have generated a key pair), then converted it into a PKCS#12 keystore (usable by OpenSSL for example), therefore containing the private key and associated cert chain. There should be a private key to export from that p12 file, which can be done with OpenSSL. Tomcat is working because the private key is in the JKS file. – Bruno Jul 08 '14 at 11:55
  • @MuratGüvenç If that's not what you're trying to do, why does the title of your question say that it is? – user207421 Jul 12 '16 at 02:31
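The procedure the comments converge on (copy only the private-key entry with `-srcalias`, split key and certificates out of the PKCS#12 file with OpenSSL, then confirm the exported key really belongs to the CA-signed certificate), as an added shell example that is not from the question or any answer. The keystore name `server.jks`, the alias `server` and the password `changeit` are assumptions; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not the OP's or the answerers' commands.
# Assumed: keystore server.jks, entry alias "server", password "changeit".
set -e

# Step 1: JKS -> PKCS#12. -srcalias copies only the entry holding the private key
# and its chain; -destkeypass keeps the key password equal to the store password,
# which is what OpenSSL expects when it reads a PKCS#12 file.
jks_to_p12() {
  # $1=src.jks  $2=alias  $3=password  $4=dest.p12
  keytool -importkeystore -srckeystore "$1" -srcstoretype JKS -srcalias "$2" \
    -srcstorepass "$3" -destkeystore "$4" -deststoretype PKCS12 \
    -deststorepass "$3" -destkeypass "$3" -noprompt
}

# Step 2: PKCS#12 -> separate PEM files. Without -nocerts/-nokeys openssl writes
# key and certificates into one file; -nodes (-noenc on OpenSSL 3) leaves the key
# unencrypted, so the file is restricted to the owner right away.
p12_to_pem() {
  # $1=src.p12  $2=password  $3=key.pem (out)  $4=chain.pem (out)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$4"
  chmod 600 "$3"
}

# Step 3: the exported key is the right one only if its public half equals the
# certificate's. Hashing the SubjectPublicKeyInfo works for RSA and EC alike.
# Returns 0 on match, 1 otherwise.
key_matches_cert() {
  # $1=key.pem  $2=cert-or-chain.pem (the first certificate in the file is used)
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Returns 0 if a PEM file actually carries a private key block, the check the
# question's server.pem would have failed.
pem_has_private_key() { grep -q 'PRIVATE KEY-----' "$1"; }

# Usage:
#   jks_to_p12 server.jks server changeit server.p12
#   p12_to_pem server.p12 changeit server.key server.chain
#   key_matches_cert server.key server.chain && echo "key and certificate match"
```

If OpenSSL 3 refuses a PKCS#12 file written by an older JDK (RC2/3DES wrapping), add `-legacy` to the `openssl pkcs12` commands.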