How to export private key from a certificate chain


I create a keystore and from that keysore I generate a CSR file and when I receive Signed Certificate from CA, I imported root and intermediate certificates to my keystore and finally my signed certificate. After I add signed certificate I got "certificate reply was installed in keystore" response. In this format I can use my keystore in Tomcat, however, for another application container I need only private key containing pem encoded file. And

keytool -importkeystore -srckeystore server.jks -destkeystore server.pkcs -srcstoretype JKS -deststoretype PKCS12

openssl pkcs12 -in server.pkcs -out server.pem

seems not working. I am getting a pem file which only contains certificate info not private key.

So is it possible to export private key after establishing a certificate chain? If it is how?

Best Answer

The openssl pkcs12 command you used should also export the private key

openssl pkcs12 -in server.pkcs -out server.pem

I guess that the p12 input file does not contain the private key.

Are you sure there is not some kind of warning when exporting the key from the p12 file.

One thing which is important is that it seems that JKS supports a separate key password and a store password. When exporting the p12 from the JKS it can happen that the password for the p12 is different then the password for the key. It seems that this is not supported by openssl (just tried) and results in a "bad decrypt" error. You should make sure that the key password is the same as the p12 password.

Related Question