Extract .key and .crt files from JKS file

A JKS file is a Java keystore. Using the Java keytool program, run the following commands:

Export the .der file

keytool -export -alias sample -file sample.der -keystore my.jks

Convert the .der file to unencrypted PEM (crt file)

openssl x509 -inform der -in sample.der -out sample.crt

Export the .p12 file

keytool -importkeystore -srckeystore my.jks -destkeystore keystore.p12 -deststoretype PKCS12

Convert the .p12 file to unencrypted PEM (key file)

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out server.key

 

More info here: http://www.gtopia.org/blog/2010/02/der-vs-crt-vs-cer-vs-pem-certificates/

Install SSL certificates on Nginx

This article shows how SSL certificates purchased from Comodo can be deployed on a server running Nginx.

You must have the server.key file (the private key that was generated along with the CSR that was used to activate/purchase the certificate).

You also need the two files, *.crt and *.ca-bundle, that Comodo should have sent you as a zip archive. Combine these files into a chain file:

cat mydomain.crt mydomain.ca-bundle > chain.crt

Now copy this chain.crt file and the server.key file to the nginx server in a folder that is readable by Nginx.

Edit the nginx.conf file and add the following 4 lines:

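server {
    listen 443;
    # "ssl on;" was made obsolete in nginx 1.15.0 and removed in 1.25.1;
    # on those versions write "listen 443 ssl;" and drop the next line.
    ssl on;
    ssl_certificate /etc/ssl/chain.crt;
    ssl_certificate_key /etc/ssl/server.key;

    .....
}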

 

Certificate Signing Request (CSR) using openssl

I used the following mechanism to generate the CSR needed to buy an SSL certificate. The server in this case was a Linux server and the certificate was a “wildcard certificate” purchased at GoDaddy.com.

# openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

Generating a 2048 bit RSA private key
.............................................................................+++
...............................................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Los Angeles
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.acme.com
Email Address []:admin@acme.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

At this point, two files were created.

# ll
total 8
-rw-r--r-- 1 root root 1054 Dec 28 03:31 server.csr
-rw-r--r-- 1 root root 1704 Dec 28 03:31 server.key

The csr file can be used to purchase the certificate.
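
A check that ties the three sections together, added here and not part of the original page: the functions below confirm that server.key, server.csr and the issued certificate hold the same public key, and that the key file is not group- or world-readable (the listing above shows server.key as -rw-r--r--). The function names are made up for this example; the file names are the page's.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page;
# the function names are made up for this example.

# Print the SHA-256 of the DER-encoded public key held in a PEM file.
# $1 = kind (key | csr | crt), $2 = file. Fails if the file cannot be parsed,
# so two unreadable files can never "match" on the hash of empty input.
pubkey_sha256() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   false ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if every kind/file pair holds the same public key.
same_keypair() {
    ref=
    while [ "$#" -ge 2 ]; do
        fp=$(pubkey_sha256 "$1" "$2") || { echo "cannot parse $2" >&2; return 1; }
        : "${ref:=$fp}"
        [ "$fp" = "$ref" ] || { echo "public key mismatch: $2" >&2; return 1; }
        shift 2
    done
    [ -n "$ref" ]
}

# Succeed only if the file grants nothing to group or other (e.g. 0600),
# judged from the mode string printed by ls -l.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage before reloading Nginx (chain.crt starts with the server certificate,
# and openssl x509 reads only the first certificate in a file):
#   same_keypair key server.key csr server.csr crt chain.crt &&
#       key_is_private server.key && echo "key, CSR and certificate match"
```

If key_is_private fails, `chmod 600 server.key` restricts the file to its owner.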