PKCS12 & JKS keystores from a signed cert, private key and DigiCert CA chain
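# Cheat sheet: build PKCS12 / JKS keystores from a CA-signed certificate,
# its private key and the DigiCert intermediate + root, plus the usual
# debugging one-liners. Run the lines you need individually; this is not
# meant to be executed top to bottom.
#
# Several steps below write secrets to disk (the exported .p12, the
# keystore pass file, the unencrypted keys produced by "-nodes" and
# "openssl rsa -out"). Create them with restrictive permissions and delete
# whatever you no longer need once the keystore is built.
umask 077

# Concatenate the DigiCert intermediate and root to get the full chain.
# Order does not matter for "-CAfile" below: openssl treats the file as a
# trust store and builds the chain itself.
cat DigiCert_Global_Root_CA.pem DigiCertSHA2SecureServerCA.pem > DigiCertCA_Chain.pem

# Sanity check before bundling: the signed cert must chain through the
# intermediate (passed as untrusted) up to the root (trusted).
openssl verify -CAfile DigiCert_Global_Root_CA.pem \
  -untrusted DigiCertSHA2SecureServerCA.pem my_cert_signed.crt

# Keystore password: a single line in a file readable only by you. The same
# file is used for the PKCS12 export password and for both keytool
# password options, so the PKCS12 and JKS passwords always match.
openssl rand -base64 24 > my_cert.keystore.pass
chmod 600 my_cert.keystore.pass

# Generate the PKCS12 keystore from the signed cert, the private key and
# the chain. "-passout file:" reads the first line of the pass file.
# Every option line needs a trailing backslash, otherwise the command ends
# early and the remaining options are run as separate commands.
openssl pkcs12 -export \
  -in my_cert_signed.crt \
  -inkey my_cert_key.pem \
  -chain -CAfile DigiCertCA_Chain.pem \
  -name "my_cert" \
  -passout file:my_cert.keystore.pass \
  -out my_cert.keystore.p12

# Convert from PKCS12 to JKS. "-deststoretype JKS" is spelled out because
# keytool defaults to PKCS12 since Java 9, so a ".jks" file name alone does
# not give you a JKS keystore. JKS is a legacy format; keep using the .p12
# unless a consumer really requires JKS.
keytool -importkeystore \
  -srckeystore my_cert.keystore.p12 -srcstoretype PKCS12 \
  -srcstorepass:file my_cert.keystore.pass \
  -destkeystore my_cert.keystore.jks -deststoretype JKS \
  -deststorepass:file my_cert.keystore.pass

# Show the contents of the final keystore
keytool -list -v -keystore my_cert.keystore.jks -storepass:file my_cert.keystore.pass

## Debug in case of issues

# Show the contents of the CSR, the key and the certificates
openssl req -in my_cert.csr -text -noout
openssl rsa -in my_cert_key.pem -check
openssl x509 -in my_cert_self_signed.crt -text -noout
openssl x509 -in my_cert_signed.crt -text -noout

# Remove the passphrase from a key. The result is an unencrypted private
# key on disk: only do this where the consumer cannot take a passphrase,
# and keep the file mode restrictive.
openssl rsa -in keyfile-encrypted.key -out keyfile-decrypted.key
chmod 600 keyfile-decrypted.key

# Check that CSR, key and certs belong together: the hashed modulus must be
# identical for all of them. The hash is only for eyeballing, so md5 and
# sha256 both work. This is RSA-only; for EC keys compare the public key
# instead ("openssl pkey -pubout", "openssl req -pubkey -noout",
# "openssl x509 -pubkey -noout").
openssl req  -noout -modulus -in my_cert.csr             | openssl sha256
openssl rsa  -noout -modulus -in my_cert_key.pem         | openssl sha256
openssl x509 -noout -modulus -in my_cert_self_signed.crt | openssl sha256
openssl x509 -noout -modulus -in my_cert_signed.crt      | openssl sha256

# Export a PFX to cert, key & chain. Set pfx to the input file first.
# "-nodes" writes the private key unencrypted; drop it (and add "-passout")
# if the key should stay encrypted on disk. "-chain" is an export-only
# option, so it is not used when parsing a PFX.
# If the sed range matches nothing you get an empty file, e.g. when the
# key is emitted as "BEGIN RSA PRIVATE KEY" or "BEGIN ENCRYPTED PRIVATE KEY"
# instead of "BEGIN PRIVATE KEY" -- check the output size.
pfx=filename.pfx
openssl pkcs12 -in "$pfx" -nocerts -nodes  | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > clientcert.key
openssl pkcs12 -in "$pfx" -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > clientcert.crt
openssl pkcs12 -in "$pfx" -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.crt

# .. in case an old algorithm (RC2/3DES-era PFX) is used with OpenSSL 3,
# add the "-legacy" arg. This needs the legacy provider to be loadable
# (openssl.cnf or -provider-path), otherwise openssl reports an error.
openssl pkcs12 -in "$pfx" -legacy -nocerts -nodes  | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > clientcert.key
openssl pkcs12 -in "$pfx" -legacy -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > clientcert.crt
openssl pkcs12 -in "$pfx" -legacy -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacerts.crt

# Extract the certificate chain directly from the server. "-servername"
# sends SNI so a virtual host returns its own cert; "</dev/null" closes the
# session instead of waiting on stdin. Both dashes of "--showcerts" must be
# plain ASCII hyphens -- an en dash pasted from a web page is not an option
# and makes openssl reject the argument.
openssl s_client -connect your.dsm.name.com:8443 -servername your.dsm.name.com -showcerts </dev/null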