I used Java Keytool to generate domain.csr
, domain.keystore
and domain.cer
. I need to secure the domain using SSL for which I need domain.crt
and domain.key
. How can I get these two? Are domain.jks
and domain.keystore
both same? What is difference among all extensions like csr
, pem
, crt
,etc ?
Getting Certificates from Java Keystore
keystorekeytoolopensslssl-certificate
Related Topic
- Ssl – In Stud, which Private RSA Key should be concatenated in the x509 SSL certificate pem file to avoid “self-signed” browser warning
- Tomcat – Installing SSL Thawte Certificates for tomcat from pre-generated Private Key
- SSL Error: self signed certificate in certificate chain
- How to properly generate a keystore for ssl
- Ssl – import an SSL certificate that was created by the CA into the Java keystore
- Ssl – How to create tomcat keystore from existing Godaddy .key and .crt file
Best Answer
Mostly dupe How to generate .key and .crt file from JKS file for httpd apache server .
All file extensions are only conventions; what matters is what operations you did to create a file, which you leave very vague. For one thing, it doesn't make sense to 'generate' both a CSR and a certificate; they do conflicting things.
Java KeyStore JKS is the keystore format used by Java (currently; it is expected to change in Java 9). People often name these files
.jks
but if you used.keystore
in a command likekeytool -genkeypair
that did not specify-storetype
then you created a JKS file named.keystore
..cer
and.crt
are commonly used for files containing a certificate, or sometimes multiple certificates in PEM format. There are two common formats, usually called by the names OpenSSL uses which are DER and PEM. If you look at the file with normal text tools likemore cat type vi notepad
and you see a line like-----BEGIN CERTFICATE-----
(possibly withX.509
inserted) and then several lines of almost all letters and digits and then a similar-----END
line that's PEM format. People sometimes use these extensions instead or in addition to designate the format likexyzcert.pem xyzcert.der xyz.crt.pem xyz.crt.der
.CSR means Certificate Signing Request, which is generated (in this context) by
keytool -certreq
. A CSR is used as part of the process of obtaining a certificate from a 'real' CA like Verisign GoDaddy etc. In this case, you will normally get from the CA a certificate for your server AND a 'chain' or intermediate certificate (sometimes more than one); you put these in one or more file(s) and then import those into your JKS for use with Java programs like Tomcat etc. In this case your certificate file(s) would have been generated by the CA not by you.If you don't get a cert from a CA, by default
keytool -genkeypair
creates a self-signed cert good for testing. You can put this cert into a separate file withkeytool -exportcert [-rfc]
, and that is a certificate you generated, but in that case you would not have any use for a CSR..key
is sometimes used for a separate (private)key file in one of several formats used by OpenSSL, and thus by programs that use OpenSSL like Apache httpd and nginx. The OpenSSL formats for privatekeys have DER and PEM variants much like certficates do, so people also use those extensions likexyzkey.pem xyzkey.der xyz.key.pem xyz.key.der
.Finally, PKCS12 is another keystore format, supported by lots of software including Java, OpenSSL, Windows and Mozilla NSS. Often the extension
.p12
is used for PKCS12. (PKCS12 is always binary; it has no PEM variant.)TLDR: if you need OpenSSL-format separate files for privatekey and certificate(s) from a JKS-format keystore, first use
keytool
to convert to pkcs12 and then useopenssl
to convert pkcs12 to separate PEM (usually) or DER (rarely).