SSLSetup

    Tomcat configurations

     

    JBoss-3.2.3/Tomcat-4.1.x

    • Create a test keystore in the server/default/conf directory:

        starksm@banshee9100 conf$ keytool -genkey -alias tc-ssl -keyalg RSA -keystore server.keystore -validity 3650
        Enter keystore password:  tc-ssl
        What is your first and last name?
          [Unknown]:  www.myhost.com
        What is the name of your organizational unit?
          [Unknown]:  Some dot com
        What is the name of your organization?
          [Unknown]:  Security
        What is the name of your City or Locality?
          [Unknown]:  SomeCity
        What is the name of your State or Province?
          [Unknown]:  Washington
        What is the two-letter country code for this unit?
          [Unknown]:  US
        Is CN=www.myhost.com, OU=Some dot com, O=Security, L=SomeCity, ST=Washington, C=US correct?
          [no]:  yes

        Enter key password for <tc-ssl>
                (RETURN if same as keystore password):

     

    • Please note that the answer to the "first and last name?" question is important. This answer consitutes the CN= part of your so called distinguished name. The browser will check that the CN= part matches the end of the domain it requested the web page from. If the CN= and the the web page domain do not match the browser will display an additional warning. So for local development you may want to use "localhost" as CN and later on use the domain name of the host that will serve request from the internet.

     

    • Edit jbossweb-tomcat41.sar/META-INF/jboss-service.xml and uncomment the following section and update the keystoreFile,

     <!-- SSL/TLS Connector configuration -->
    <Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
         address="${jboss.bind.address}" port = "8443" scheme = "https"
         secure = "true">

         <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
             keystorePass="tc-ssl"
             protocol = "TLS">
    </Factory>
    </Connector>

     

    • You need to replace the value for keystorePass with the password you used while creating the key.

     

     

    On startup the log may contain this warning:

    10:31:48,952 DEBUG [SSLImplementation] [getInstance.119] Error loading SSL Implementation org.apache.tomcat.util.net.puretls.PureTLSImplementation
    java.lang.ClassNotFoundException: No ClassLoaders found for: org.apache.tomcat.util.net.puretls.PureTLSImplementation

     

    Ignore it unless you are tyring to use the PureTLS SSL implementation. Tomcat tries to find different SSL implementations and defaults to JSSE if no others are found.

     

    JBoss-3.2.4+/Tomcat-5.0.x

    In jboss-3.2.4+ the tomcat-5.0.x container has its configuration in the jbossweb-tomcat50.sar/server.xml descriptor.

     

    JBoss-4.2.1

    In jboss-4.2.1 the web container has its configuration in the deploy/jboss-web.deployer/server.xml descriptor.

     

    JBoss-5 and later

    In JBoss 5 and later, the web deployer is configured from deploy/jbossweb.sar/server.xml.

     

     

     

    Using a trusted certificate obtained from a well known CA

     

    You may get the certificate in a format not appropriate for using it directly in JBoss/Tomcat. You may use the openssl tool to convert the certifcate and key in a suitable format:

     

    openssl pkcs12 -export -out server.keystore -in certificate.pem -inkey private.key 

     

    If you get an error like this

    10300:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1002:
    10300:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:305:Type=PKCS12

    you might have forgotten to add the "-export" option.

     

    You can check if you have a valid keystore with the keytool (comes with the JDK):

     

    $> keytool -list -keystore ssl.keystore -storetype PKCS12

    Enter keystore password:

    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    2, Jun 14, 2006, keyEntry,
    Certificate fingerprint (MD5): CB:47:4F:56:75:23:FA:9E:9C:7B:11:D9:8C:B3:D4:1E

     

    It's important that you have a keyEntry in there.

     


     

    Authentication scenarios

     

    In this section, we'll describe four typical SSL scenarios

    • 1 - SSL enabled on the server - the common case

    • 2 - SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client

    • 3 - SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client

    • 4 - SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert

     

    Setup

     

    • Grab a copy of the latest JBossAS release and explode it.

    • Download the java client client-server-certs.zip from the attachment section

    • Download the http client httpclient.zip from the attachment section

    • Download openssl if you don't have it so that a pkcs12 key can be generated from the client x509 cert to import into your browser. For win32 you can download Cygwin and for nix platforms you can either build the dist from source obtained from the OpenSSL Site or search the web for an rpm or other binary package as required for your platform.

     

     

     

     

     

    Use Cases

     

    1 - SSL enabled on the server - the common case

     

      In this configuration you need three files

     

     

    1. server.keystore - contains the key pair

    2. server.cer - server certificate exported from the keystore

    3. client.truststore - contains the server certificate

     

     

    • Create the server keystore

    keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"

     

     

    • Create the server certificate

    keytool -export -alias serverkeys -keystore server.keystore -storepass 123456 -file server.cer

     

     

    • Configure Tomcat

    Copy server.keystore to /server/xxx/conf and update the following in server.xml

    (For JBoss AS 4.2.1 don't forget two additional attributes: protocol="HTTP/1.1" and SSLEnabled="true".)

     

          <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
          <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="false"           
               sslProtocol = "TLS"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="123456" 
           >
    </Connector>

     

     

    • Start the server

     run -c default

     

     

    • Creating client.truststore (by importing server certificate)

    keytool -import -v -keystore client.truststore  -storepass 123456 -file server.cer

     

     

    • Run the client

    java -Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=123456 acme/ReadHttpsURL2 https://localhost:8443

     

     

     

    2 - SSL enabled on the server with self-signed client certs - aka mutual authentication - standalone HTTP client

     

    To require that a http client presents a valid client certificate you need to add a clientAuth="true" attribute to the Connector configuration. Depending on how what root CA has signed the client cert you may need to also specify the truststoreFile and truststorePass for the keystore containing the client cert signer.

     

      In this configuration you need 6 files:

     

    1. server.keystore - contains the key pair

    2. server.cer - server certificate exported from the keystore

    3. client.truststore - contains the the server certificate

    4. client.keystore - contains the key pair

    5. client.cer - client certificate exported from the keystore

    6. server.truststore - contains the client certificate

     

     

    • Create the server keystore

    keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"

     

     

    • Create the server certificate

    keytool -export -alias serverkeys -keystore server.keystore -storepass 123456 -file server.cer

     

     

    • Create the client keystore

    keytool -genkey -alias clientkeys  -keyalg RSA -keystore client.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, S=MYSTATE, C=MY" 

     

     

    • Create the client certificate

    keytool -export -alias clientkeys -keystore client.keystore -storepass 123456 -file client.cer

     

     

    • Import server certificate into client truststore

    keytool -import -v -keystore client.truststore  -storepass 123456 -file server.cer

     

     

    • Import client certificate into server truststore

    keytool -import -v -keystore server.truststore  -storepass 123456 -file client.cer

     

     

    • Update the Tomcat configuration

       

    Copy both server.keystore and server.truststore to /server/xxx/conf and update the following in server.xml

     

    NOTE: The attribute clientAuth is set to "true".

     

         <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
         <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="true"
               sslProtocol = "TLS"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="123456" 
               truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
               truststorePass="123456">

         </Connector>

     

     

    • Start the server

    run -c default

     

     

     

    • Run the client

    java -Djavax.net.ssl.keyStore=client.keystore -Djavax.net.ssl.keyStorePassword=123456 
           -Djavax.net.ssl.trustStore=client.truststore -Djavax.net.ssl.trustStorePassword=123456
            acme/ReadHttpsURL2 https://localhost:8443

     

     

     

     

     

     

    3 - SSL enabled on the server with self-signed client certs - aka mutual authentication - Web Browser Client

     

    • To enable mutual authentication between the client and server, a client cert must be generated. Both the client and server certs can be generated using the java keytool utility similar to how step 1 was done. An issue with using the client cert in a browser is that the cert must be imported into the browser from a key format such as pkcs12, and keytool does not currently support this format.

    Because of this, openssl must be used to generate the required format from the keytool x509 certificate. Since there are many steps in this process, the steps have been scripted in an ant 1.6.x build.xml file that can be found in the ClientServerCerts.zip attachment. Download and unpack this zip file to create a client-server-certs directory that contains the build.xml script.

    • Cd to client-server-certs, and simply run ant to generate the client and server certs, keystores and trustores. The output will be something like:

    [starksm@banshee9100 client-server-certs]$ ant

    Buildfile: build.xml

    self-signed-certs:
         [echo] keytool -genkey -alias clientCert -keyalg RSA -validity 730 -keystore client.keystore -dname cn=ClientCert,o=SomeCA,ou=SomeCAOrg -keypass clientcert -storepass clientcert

         [exec] Keystore type: jks
         [exec] Keystore provider: SUN

         [exec] Your keystore contains 1 entry

         [exec] clientcert, Jun 17, 2005, keyEntry,
         [exec] Certificate fingerprint (MD5): A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
         [echo] keytool -genkey -alias serverCert -keyalg RSA -validity 730 -keystore server.keystore -dname cn=localhost,o=SomeCA,ou=SomeCAOrg -keypass servercert -storepass servercert

         [exec] Keystore type: jks
         [exec] Keystore provider: SUN

         [exec] Your keystore contains 1 entry

         [exec] servercert, Jun 17, 2005, keyEntry,
         [exec] Certificate fingerprint (MD5): E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9
         [echo] keytool -export -alias clientCert -keystore client.keystore -storepass clientcert -file client.cer
         [exec] Certificate stored in file <client.cer>
         [exec] Owner: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
         [exec] Issuer: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
         [exec] Serial number: 42b37131
         [exec] Valid from: Fri Jun 17 17:56:17 PDT 2005 until: Sun Jun 17 17:56:17 PDT 2007
         [exec] Certificate fingerprints:
         [exec]      MD5:  A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
         [exec]      SHA1: 29:66:59:3B:9F:9E:2B:C4:E0:1C:37:BB:7B:58:C3:DD:19:E5:DE:D4
         [echo] keytool -export -alias serverCert -keystore server.keystore -storepass servercert -file server.cer
         [exec] Certificate stored in file <server.cer>
         [exec] Owner: CN=localhost, O=SomeCA, OU=SomeCAOrg
         [exec] Issuer: CN=localhost, O=SomeCA, OU=SomeCAOrg
         [exec] Serial number: 42b37132
         [exec] Valid from: Fri Jun 17 17:56:18 PDT 2005 until: Sun Jun 17 17:56:18PDT 2007
         [exec] Certificate fingerprints:
         [exec]      MD5:  E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9
         [exec]      SHA1: 12:BC:6D:D5:06:B7:49:CD:DA:F4:C2:9D:5F:3F:C2:9C:5D:AF:EA:15
         [echo] keytool -import -alias serverCert -keystore client.truststore -storepass clientcert -file server.cer
         [exec] Owner: CN=localhost, O=SomeCA, OU=SomeCAOrg
         [exec] Issuer: CN=localhost, O=SomeCA, OU=SomeCAOrg
         [exec] Trust this certificate? [no]:  Certificate was added to keystore
         [exec] Serial number: 42b37132
         [exec] Valid from: Fri Jun 17 17:56:18 PDT 2005 until: Sun Jun 17 17:56:18 PDT 2007
         [exec] Certificate fingerprints:
         [exec]      MD5:  E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9
         [exec]      SHA1: 12:BC:6D:D5:06:B7:49:CD:DA:F4:C2:9D:5F:3F:C2:9C:5D:AF:EA:15
         [echo] keytool -import -alias clientCert -keystore server.truststore -storepass servercert -file client.cer
         [exec] Owner: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
         [exec] Issuer: CN=ClientCert, O=SomeCA, OU=SomeCAOrg
         [exec] Trust this certificate? [no]:  Certificate was added to keystore
         [exec] Serial number: 42b37131
         [exec] Valid from: Fri Jun 17 17:56:17 PDT 2005 until: Sun Jun 17 17:56:17 PDT 2007
         [exec] Certificate fingerprints:
         [exec]      MD5:  A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
         [exec]      SHA1: 29:66:59:3B:9F:9E:2B:C4:E0:1C:37:BB:7B:58:C3:DD:19:E5:DE:D4
         [echo] client.keystore contents:

         [exec] Keystore type: jks
         [exec] Keystore provider: SUN

         [exec] Your keystore contains 1 entry

         [exec] clientcert, Jun 17, 2005, keyEntry,
         [exec] Certificate fingerprint (MD5): A4:60:1C:44:17:F8:B4:80:BA:BC:AA:CF:5C:E9:50:32
         [echo] server.keystore contents:

         [exec] Keystore type: jks
         [exec] Keystore provider: SUN

         [exec] Your keystore contains 1 entry

         [exec] servercert, Jun 17, 2005, keyEntry,
         [exec] Certificate fingerprint (MD5): E1:46:C5:54:22:6B:D6:E5:AF:E3:11:98:55:AC:17:C9

    BUILD SUCCESSFUL
    Total time: 3 seconds
    [starksm@banshee9100 client-server-certs]$ ls
    build.xml    client.keystore*    server.cer*       server.truststore*
    client.cer*  client.truststore*  server.keystore*  src/
    • Next, create a pkcs12 formatted key to import into your browser. This is done by running the cer2pkcs12 target.

    [starksm@banshee9100 client-server-certs]$ ant cer2pkcs12
    Buildfile: build.xml

    cer2pkcs12:
        [mkdir] Created dir: C:\tmp\client-server-certs\classes
        [javac] Compiling 1 source file to C:\tmp\client-server-certs\classes
         [echo] openssl x509 -out client-pem.cer -outform pem -text -in client.cer -inform der
         [echo] openssl pkcs12 -export -out client.p12 -inkey client.8 -in client-pem.cer -passout pass:clientcert

    BUILD SUCCESSFUL
    Total time: 2 seconds
    [starksm@banshee9100 client-server-certs]$ ls
    build.xml       client.cer*       client.p8*          server.keystore*
    classes/        client.keystore*  client.truststore*  server.truststore*
    client-pem.cer  client.p12        server.cer*         src/
    • The resulting client.p12 file is the pkcs12 formatted private key for the x509 client cert created in the first step. This should be imported into your browser. For Mozilla Firefox 1.0.x, this entails selecting Tools/Options menu, selecting the Advanced section of the options dialog, and selecting the Manage Certificates... button to display the import dialog. The client.p12 password to use for the import is "clientcert", without the quotes.

    • You should also import the server.cer x509 cert into the Authorities section so that the server's self signed cert is seen as trusted. Otherwise, the browser should prompt you about an untrusted server cert when you try an https connection.

    • Next, copy the server.keystore and server.truststore to the jboss server/default/conf directory, or the conf directory of whatever server configuration you are using.

    • Next, edit the deploy/jbossweb-tomcat55.sar/server.xml file to enable the SSL connector. The Connector element should look like the following, with clientAuth="true" to require that clients provide a certificate.

          <!-- SSL/TLS Connector conf using the server.{keystore,truststore}
          -->

          <Connector port="8443" address="${jboss.bind.address}"
               protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="true"
               keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
               keystorePass="servercert"
               truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
               truststorePass="servercert"
               sslProtocol = "TLS">

          </Connector>
    • You should now be able to connect to the jboss server using https and the browser should display a dialog asking for the cert to use (unless the browser is configured to do this automatically). An example of the dialog from the Firefox 1.0.4 browser is shown here:

     

     

     

     

     

     

    4 - SSL enabled on the server with an openssl CA issued client cert - aka mutual authentication with CA issued client cert

     

    • Install openssl and configure its CA

    First, you need to configure the certificate authority application of OpenSSL. churchillobjects.com has a good overview of the required steps in the Generating a Certificate Authority article. See the ca manpage for the full details of the OpenSSL ca command.

     

    • Create server openssl CA signed cert using keytool

    [starksm@banshee9100 openssl-ca]$ keytool -genkey -alias unit-tests-server -keystore localhost.keystore
    Enter keystore password:  unit-tests-server
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  QA
    What is the name of your organization?
      [Unknown]:  JBoss Inc.
    What is the name of your City or Locality?
      [Unknown]:  Snoqualmie Pass
    What is the name of your State or Province?
      [Unknown]:  Washington
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=localhost, OU=QA, O=JBoss Inc., L=Snoqualmie Pass, ST=Washington, C=US correct?
      [no]:  yes

    Enter key password for <unit-tests-server>
            (RETURN if same as keystore password):

     

    • Create a cert signing request for the server key

    [starksm@banshee9100 conf]$ keytool -keystore localhost.keystore -certreq -alias unit-tests-server -file unit-tests-server.csr
    Enter keystore password:  unit-tests-server

     

    • Sign the cert request

    [starksm@banshee9100 openssl-ca]$ openssl ca -config openssl.cnf -in unit-tests
    -server.csr -out unit-tests-server.pem
    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem: openssl-ca
    DEBUG[load_index]: unique_subject = "no"
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           PRINTABLE:'US'
    stateOrProvinceName   PRINTABLE:'Washington'
    localityName          PRINTABLE:'Snoqualmie Pass'
    organizationName      PRINTABLE:'JBoss Inc.'
    organizationalUnitName:PRINTABLE:'QA'
    commonName            PRINTABLE:'localhost'
    Certificate is to be certified until Jul 30 21:39:21 2005 GMT (365 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

     

    • Convert to DER

    [starksm@banshee9100 openssl-ca]$ openssl x509 -in unit-tests-server.pem -out unit-tests-server.cer

     

    • import CA root to keystore

    [starksm@banshee9100 openssl-ca]$ keytool -keystore localhost.keystore -alias openssl-ca -import -file cacert.pem
    Enter keystore password:  unit-tests-server
    Owner: CN=jboss.com, C=US, ST=Washington, L=Snoqualmie Pass, EMAILADDRESS=admin@
    jboss.com, OU=QA, O=JBoss Inc.
    Issuer: CN=jboss.com, C=US, ST=Washington, L=Snoqualmie Pass, EMAILADDRESS=admin
    @jboss.com, OU=QA, O=JBoss Inc.
    Serial number: 0
    Valid from: Wed May 26 00:53:20 PDT 2004 until: Sat May 24 00:53:20 PDT 2014
    Certificate fingerprints:
             MD5:  B3:34:05:D0:7D:7E:18:A5:E3:0B:82:0A:D9:54:41:7E
             SHA1: F0:85:B4:14:8C:4E:92:CB:68:E6:D6:08:DC:86:94:E5:BF:DC:58:32
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

     

    • Import CA reply

    [starksm@banshee9100 openssl-ca]$ keytool -keystore localhost.keystore -alias unit-tests-server -import -file unit-tests-server.cer
    Enter keystore password:  unit-tests-server
    Certificate reply was installed in keystore
    [starksm@banshee9100 openssl-ca]$ ls -l localhost.keystore
    -rwxrwxrwx    1 starksm  None         3247 Jul 30 14:44 localhost.keystore*
    [starksm@banshee9100 openssl-ca]$ keytool -list -keystore localhost.keystore
    Enter keystore password:  unit-tests-server

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 2 entries

    unit-tests-server, Jul 30, 2004, keyEntry,
    Certificate fingerprint (MD5): 34:35:A5:4A:EB:F3:3C:F8:60:C1:86:05:07:01:4B:DD
    openssl-ca, Jul 30, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): B3:34:05:D0:7D:7E:18:A5:E3:0B:82:0A:D9:54:41:7E

     

    • Import the client cert

    [starksm@banshee9100 openssl-ca]$ keytool -import -keystore localhost.keystore -alias unit-tests-client -file unit-tests-client.cer
    Enter keystore password:  unit-tests-server
    Certificate was added to keystore

    [starksm@banshee9100 openssl-ca]$ keytool -list -keystore localhost.keystore
    Enter keystore password:  unit-tests-server

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 3 entries

    unit-tests-client, Jul 30, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): 4A:9C:2B:CD:1B:50:AA:85:DD:89:F6:1D:F5:AF:9E:AB
    unit-tests-server, Jul 30, 2004, keyEntry,
    Certificate fingerprint (MD5): 34:35:A5:4A:EB:F3:3C:F8:60:C1:86:05:07:01:4B:DD
    openssl-ca, Jul 30, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): B3:34:05:D0:7D:7E:18:A5:E3:0B:82:0A:D9:54:41:7E
    [starksm@banshee9100 openssl-ca]$

     

    Another (untested) keystore/openssl recipe:

     

    Create Keystore certificate:

     

    1. keytool -genkey -keystore {keystore location} -keyalg RSA -alias postgresql -dname "cn=www.beyarecords.com, ou=Music, o=Urban Music, c=GB" -keystore ~/postgresql -validity 365

    2. keytool -selfcert -keystore {keystore location} -alias postgresql

    3. keytool -export -keystore {keystore location} -alias postgresql -rfc -file postgresql.cer

    4. keytool -import -keystore {keystore location} -alias postgresql -file postgresql.cer

     

    Export private key from keystore alias:

     

    1. java ExportPrivateKey <keystore> <alias> <password> > exported-pkcs8.key

    2. openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out postgresql.key

     

    Note: main keystore location on OS X is: /library/java/home/lib/security/cacerts

     

     

    The ExportPrivateKey class:

    package security;

    import java.io.File;
    import java.io.FileInputStream;
    import java.security.Key;
    import java.security.KeyPair;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.Certificate;

    import sun.misc.BASE64Encoder;

    public class ExportPrivateKey
    {
       public static void main(String args[]) throws Exception
       {
          for (int i = 0; i < args.length; i++)
          {
             System.out.println(i + ": " + args);
          }
          if (args.length < 2)
          {
             //Yes I know this sucks (the password is visible to other users via ps
             // but this was a quick-n-dirty fix to export from a keystore to pkcs12
             // someday I may fix, but for now it'll have to do.
             System.err.println("Usage: java ExportPriv <keystore> <alias> <password>");
             System.exit(1);
          }
          ExportPrivateKey myep = new ExportPrivateKey();
          myep.doit(args[0], args[1], args[2]);
       }

       public void doit(String fileName, String aliasName, String pass) throws Exception
       {

          KeyStore ks = KeyStore.getInstance("JKS");

          char[] passPhrase = pass.toCharArray();
          BASE64Encoder myB64 = new BASE64Encoder();

          File certificateFile = new File(fileName);
          ks.load(new FileInputStream(certificateFile), passPhrase);

          KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);

          PrivateKey privKey = kp.getPrivate();


          String b64 = myB64.encode(privKey.getEncoded());

          System.out.println("-----BEGIN PRIVATE KEY-----");
          System.out.println(b64);
          System.out.println("-----END PRIVATE KEY-----");

       }

    // From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html

       public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password)
       {
          try
          {
             // Get private key
             Key key = keystore.getKey(alias, password);
             if (key instanceof PrivateKey)
             {
                // Get certificate of public key
                Certificate cert = keystore.getCertificate(alias);
       
                // Get public key
                PublicKey publicKey = cert.getPublicKey();
       
                // Return a key pair
                return new KeyPair(publicKey, (PrivateKey) key);
             }
          }
          catch (UnrecoverableKeyException e)
          {
          }
          catch (NoSuchAlgorithmException e)
          {
          }
          catch (KeyStoreException e)
          {
          }
          return null;
       }

    }

     

    More Info

     

    Another guide to creating certificates using OpenSSL and JBoss Setup - Creating an SSL Keystore Using the Java Keytool

     

     

    References