Erik's Weblog 2.0

Converting a JSSE Keystore to OpenSSL

Allon and I have spent the last couple days trying to figure out how to convert a JSSE certificate for use with OpenSSL.

We needed to move one of our standalone Resin servers from a Windows box to Linux.

Unfortunately, the Linux Resin binary (which is required in order to run the server on ports 80/443 as a non-privileged user) is compiled against the OpenSSL libraries. Under Windows, JSSE is usually used.

We looked everywhere, asked anyone for help and tried everything we could think of, from port forwarding to various kernel hacks. Nothing really worked to our satisfaction.

Luckily, Allon stumbled onto this nifty little tool called KeyTool GUI, which allowed us to convert our Keystore to the PKCS#12 format.

Here's what we did:
1. Opened our keystore with KeyTool GUI.

2. Exported the keystore using the Private Key and Certificates (PKCS#12) option. The file was saved as “server.pfx”.

3. Converted the PFX file to the PEM format using the following OpenSSL command:

openssl pkcs12 -in server.pfx -out server.pem

Finally, we added the following to our Resin configuration file:
<http host='127.0.0.1' port='443'>
    <ssl>openssl</ssl>
    <certificate-pem>path/to/dir/server.pem</certificate-pem>
    <certificate-key-password>password</certificate-key-password>
</http>
That's it.

It may sound pretty simple when it is all said and done, but it actually took an awful lot of effort to get there.
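
The conversion in step 3 with a check of its output, as an added example that is not from the original post: it runs the same `openssl pkcs12` command without prompts, creates the PEM readable by its owner only, and confirms that the key is stored encrypted and belongs to the certificate. The function names, file names and the PFX_PASS / PEM_PASS variables are assumptions.

```shell
#!/bin/sh
# Added example; function names, file names and PFX_PASS / PEM_PASS are assumptions.
#   PFX_PASS: export password chosen when saving server.pfx
#   PEM_PASS: pass phrase for the PEM key (the <certificate-key-password> value)
# Usage: export PFX_PASS PEM_PASS
#        pfx_to_pem server.pfx server.pem && check_pem server.pem

# pfx_to_pem PFX PEM: run the pkcs12 conversion without interactive prompts.
pfx_to_pem() {
    (
        # The PEM holds the private key, so create it readable by its owner only.
        umask 077
        # env: keeps both passwords off the command line and out of `ps` output.
        openssl pkcs12 -in "$1" -out "$2" \
            -passin env:PFX_PASS -passout env:PEM_PASS
    )
}

# check_pem PEM: succeed only if the key is stored encrypted and belongs to
# the first certificate in the file (assumed to be the server certificate).
check_pem() {
    # PKCS#8 header, or the older "traditional" encrypted-key header.
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1" ||
        { echo "$1: private key is not encrypted" >&2; return 1; }
    # Derive the public key from each side and compare the two.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -passin env:PEM_PASS -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "$1: key does not match certificate" >&2; return 1; }
}
```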