This article walks through converting the certificate and private key held in a Java keytool keystore (JKS) into PEM format.
Environment
- OS: CentOS Linux release 7.8.2003
[root@CENTOS7 test]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@CENTOS7 test]#
- openssl: OpenSSL 1.0.2k-fips
[root@CENTOS7 test]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@CENTOS7 test]#
- java: java version "14" 2020-03-17
[root@CENTOS7 test]# java -version
java version "14" 2020-03-17
Java(TM) SE Runtime Environment (build 14+36-1461)
Java HotSpot(TM) 64-Bit Server VM (build 14+36-1461, mixed mode, sharing)
[root@CENTOS7 test]#
Procedure
The JKS keystore used here is keystore.jks, created in the previous article "How to convert a PEM certificate created with OpenSSL into a Java keytool keystore (JKS)".
[root@CENTOS7 test2]# ls -l
合計 4
-rw-r--r-- 1 root root 2213 7月 10 01:16 keystore.jks
[root@CENTOS7 test2]# keytool -list -v -keystore keystore.jks -storetype JKS -storepass storepass1
キーストアのタイプ: JKS
キーストア・プロバイダ: SUN
キーストアには1エントリが含まれます
別名: test
作成日: 2021/07/10
エントリ・タイプ: PrivateKeyEntry
証明書チェーンの長さ: 1
証明書[1]:
所有者: CN=yasushi.local, OU=DEV1, O=SAMPLE CORP, L=YOKOHAMA, ST=KANAGAWA, C=JP
発行者: CN=yasushi.local, OU=DEV1, O=SAMPLE CORP, L=YOKOHAMA, ST=KANAGAWA, C=JP
シリアル番号: c63af200fc301068
有効期間の開始日: Sat Jul 10 00:59:44 JST 2021終了日: Mon Jul 11 00:59:44 JST 2022
証明書のフィンガプリント:
SHA1: 63:2D:44:40:8B:2D:B4:3C:05:7F:F6:0A:B4:C1:19:40:D6:E9:44:D0
SHA256: B2:4F:21:E7:6B:96:42:EE:F2:9B:55:3D:83:A3:8D:2B:F3:1A:69:B1:94:30:2B:D3:23:E3:08:FF:43:93:C2:E8
署名アルゴリズム名: SHA256withRSA
サブジェクト公開キー・アルゴリズム: 2048ビットRSAキー
バージョン: 1
*******************************************
*******************************************
Warning:
JKSキーストアは独自の形式を使用しています。"keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12"を使用する業界標準の形式であるPKCS12に移行することをお薦めします。
[root@CENTOS7 test2]#
1. Convert the JKS keystore to a PKCS12 keystore
keytool -importkeystore -srckeystore <JKS keystore file> -srcstoretype JKS -srcalias <alias> -srcstorepass <JKS keystore password> -srckeypass <private key password> -destkeystore <PKCS12 keystore file> -deststoretype PKCS12 -deststorepass <PKCS12 keystore password>
Note: after conversion to PKCS12 the keystore password and the private key password are the same, so the value given to -deststorepass is the one password used for both from here on.
[root@CENTOS7 test2]# keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -srcalias test -srcstorepass storepass1 -srckeypass keypass1 -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass storepass2
キーストアkeystore.jksをkeystore.p12にインポートしています...
[root@CENTOS7 test2]# ls -l
合計 8
-rw-r--r-- 1 root root 2213 7月 10 01:16 keystore.jks
-rw-r--r-- 1 root root 2547 7月 10 02:20 keystore.p12
[root@CENTOS7 test2]#
2. Check the contents of the PKCS12 keystore with keytool
keytool -list -v -keystore <PKCS12 keystore file> -storetype PKCS12 -storepass <PKCS12 keystore password>
[root@CENTOS7 test2]# keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass storepass2
キーストアのタイプ: PKCS12
キーストア・プロバイダ: SUN
キーストアには1エントリが含まれます
別名: test
作成日: 2021/07/10
エントリ・タイプ: PrivateKeyEntry
証明書チェーンの長さ: 1
証明書[1]:
所有者: CN=yasushi.local, OU=DEV1, O=SAMPLE CORP, L=YOKOHAMA, ST=KANAGAWA, C=JP
発行者: CN=yasushi.local, OU=DEV1, O=SAMPLE CORP, L=YOKOHAMA, ST=KANAGAWA, C=JP
シリアル番号: c63af200fc301068
有効期間の開始日: Sat Jul 10 00:59:44 JST 2021終了日: Mon Jul 11 00:59:44 JST 2022
証明書のフィンガプリント:
SHA1: 63:2D:44:40:8B:2D:B4:3C:05:7F:F6:0A:B4:C1:19:40:D6:E9:44:D0
SHA256: B2:4F:21:E7:6B:96:42:EE:F2:9B:55:3D:83:A3:8D:2B:F3:1A:69:B1:94:30:2B:D3:23:E3:08:FF:43:93:C2:E8
署名アルゴリズム名: SHA256withRSA
サブジェクト公開キー・アルゴリズム: 2048ビットRSAキー
バージョン: 1
*******************************************
*******************************************
[root@CENTOS7 test2]#
3. Check the contents of the PKCS12 keystore with OpenSSL
openssl pkcs12 -in <PKCS12 keystore file> -nodes -passin pass:<PKCS12 keystore password> | openssl x509 -noout -fingerprint -text
[root@CENTOS7 test2]# openssl pkcs12 -in keystore.p12 -nodes -passin pass:storepass2 | openssl x509 -noout -fingerprint -text
MAC verified OK
SHA1 Fingerprint=63:2D:44:40:8B:2D:B4:3C:05:7F:F6:0A:B4:C1:19:40:D6:E9:44:D0
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c6:3a:f2:00:fc:30:10:68
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=KANAGAWA, L=YOKOHAMA, O=SAMPLE CORP, OU=DEV1, CN=yasushi.local
Validity
Not Before: Jul 9 15:59:44 2021 GMT
Not After : Jul 10 15:59:44 2022 GMT
Subject: C=JP, ST=KANAGAWA, L=YOKOHAMA, O=SAMPLE CORP, OU=DEV1, CN=yasushi.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:77:ca:bc:15:78:bc:70:4a:d3:8a:2d:c2:3e:
e8:50:74:f1:53:ef:98:9b:ae:19:67:0a:48:83:45:
3b:c9:64:93:8a:c2:71:2d:7f:89:64:26:c6:e1:5a:
c1:70:58:85:c8:24:23:e9:ff:85:0a:00:54:2e:c6:
0b:a7:b1:70:7d:d4:11:80:0f:4e:a4:9b:05:72:fc:
d5:89:c3:29:18:a6:36:4a:27:10:45:64:46:e7:cd:
00:1e:ee:40:82:43:ff:25:a8:6d:fd:aa:d9:92:47:
e1:46:cd:c9:41:96:89:4c:3c:cb:0b:00:46:a9:53:
af:9a:b8:d1:93:b9:73:12:cc:f8:78:89:8c:99:92:
79:d6:f0:3e:00:08:b1:5e:12:6e:f5:47:01:f7:b3:
94:2a:2f:cd:df:bf:3b:10:6c:d0:e2:6e:5d:b2:8a:
3d:c5:70:2d:2a:f4:21:ae:cd:e6:a3:cd:d7:25:02:
6d:3e:13:2d:49:71:0e:93:1f:03:18:b1:28:e8:0f:
98:23:e3:9b:ff:e9:e7:7b:7b:0c:bf:7b:b2:80:4f:
d9:f4:e7:d9:c0:fb:46:22:59:31:a9:06:d5:b1:71:
45:8f:eb:3c:ea:92:2e:59:1b:71:2b:4b:8e:bc:00:
38:64:68:cc:94:72:98:34:26:eb:21:0b:63:90:03:
75:65
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
2b:50:10:ec:74:7d:b1:49:17:7c:4c:8c:f5:6e:67:65:f5:8b:
fc:b1:ff:46:d5:9d:ea:f6:ec:0e:1b:4e:50:d6:77:55:b5:32:
56:d8:f3:35:81:ef:41:64:55:ae:d9:fe:eb:e6:59:a3:75:20:
b2:9a:39:85:3e:52:ee:30:fa:dc:06:ea:29:51:b9:58:b2:5d:
5d:d1:8b:22:1c:f3:2e:22:00:bf:34:6b:5b:84:c6:84:a8:37:
f8:55:6a:13:92:e3:ab:ee:5f:c2:17:41:9c:17:4d:13:40:ce:
47:39:9f:56:57:e3:80:c0:66:d2:42:48:ff:68:ff:e7:47:6b:
4e:67:5a:38:49:c6:86:72:ba:ac:45:95:52:80:8d:a0:b3:ec:
bd:9e:9b:f6:46:79:9d:e7:2a:20:8b:47:ca:72:d9:b6:5b:e1:
12:eb:e3:30:01:49:7e:be:fa:be:79:99:98:b2:ba:8b:82:10:
99:54:bf:a3:0a:08:c5:2f:c2:5e:ca:32:15:9e:ea:4d:68:3c:
6d:79:6c:bc:9d:a1:3d:4f:75:a9:f1:d4:0c:ba:94:82:05:27:
d2:19:a0:48:05:67:d3:3c:fd:af:fc:40:54:9f:0a:cc:7f:21:
b8:f7:88:05:7f:7f:bd:86:24:ec:12:a3:bc:9e:f5:87:8d:70:
22:44:7f:9a
[root@CENTOS7 test2]#
4. Export the certificate in PEM format from the PKCS12 keystore
openssl pkcs12 -in <PKCS12 keystore file> -nokeys -passin pass:<PKCS12 keystore password> -out <certificate file>
[root@CENTOS7 test2]# openssl pkcs12 -in keystore.p12 -nokeys -passin pass:storepass2 -out cert.pem
MAC verified OK
[root@CENTOS7 test2]# ls -l
合計 12
-rw-r--r-- 1 root root 1484 7月 10 02:22 cert.pem
-rw-r--r-- 1 root root 2213 7月 10 01:16 keystore.jks
-rw-r--r-- 1 root root 2547 7月 10 02:20 keystore.p12
[root@CENTOS7 test2]#
5. Check the certificate contents
openssl x509 -text -noout -in <certificate file>
[root@CENTOS7 test2]# openssl x509 -text -noout -in cert.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c6:3a:f2:00:fc:30:10:68
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=JP, ST=KANAGAWA, L=YOKOHAMA, O=SAMPLE CORP, OU=DEV1, CN=yasushi.local
Validity
Not Before: Jul 9 15:59:44 2021 GMT
Not After : Jul 10 15:59:44 2022 GMT
Subject: C=JP, ST=KANAGAWA, L=YOKOHAMA, O=SAMPLE CORP, OU=DEV1, CN=yasushi.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:77:ca:bc:15:78:bc:70:4a:d3:8a:2d:c2:3e:
e8:50:74:f1:53:ef:98:9b:ae:19:67:0a:48:83:45:
3b:c9:64:93:8a:c2:71:2d:7f:89:64:26:c6:e1:5a:
c1:70:58:85:c8:24:23:e9:ff:85:0a:00:54:2e:c6:
0b:a7:b1:70:7d:d4:11:80:0f:4e:a4:9b:05:72:fc:
d5:89:c3:29:18:a6:36:4a:27:10:45:64:46:e7:cd:
00:1e:ee:40:82:43:ff:25:a8:6d:fd:aa:d9:92:47:
e1:46:cd:c9:41:96:89:4c:3c:cb:0b:00:46:a9:53:
af:9a:b8:d1:93:b9:73:12:cc:f8:78:89:8c:99:92:
79:d6:f0:3e:00:08:b1:5e:12:6e:f5:47:01:f7:b3:
94:2a:2f:cd:df:bf:3b:10:6c:d0:e2:6e:5d:b2:8a:
3d:c5:70:2d:2a:f4:21:ae:cd:e6:a3:cd:d7:25:02:
6d:3e:13:2d:49:71:0e:93:1f:03:18:b1:28:e8:0f:
98:23:e3:9b:ff:e9:e7:7b:7b:0c:bf:7b:b2:80:4f:
d9:f4:e7:d9:c0:fb:46:22:59:31:a9:06:d5:b1:71:
45:8f:eb:3c:ea:92:2e:59:1b:71:2b:4b:8e:bc:00:
38:64:68:cc:94:72:98:34:26:eb:21:0b:63:90:03:
75:65
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
2b:50:10:ec:74:7d:b1:49:17:7c:4c:8c:f5:6e:67:65:f5:8b:
fc:b1:ff:46:d5:9d:ea:f6:ec:0e:1b:4e:50:d6:77:55:b5:32:
56:d8:f3:35:81:ef:41:64:55:ae:d9:fe:eb:e6:59:a3:75:20:
b2:9a:39:85:3e:52:ee:30:fa:dc:06:ea:29:51:b9:58:b2:5d:
5d:d1:8b:22:1c:f3:2e:22:00:bf:34:6b:5b:84:c6:84:a8:37:
f8:55:6a:13:92:e3:ab:ee:5f:c2:17:41:9c:17:4d:13:40:ce:
47:39:9f:56:57:e3:80:c0:66:d2:42:48:ff:68:ff:e7:47:6b:
4e:67:5a:38:49:c6:86:72:ba:ac:45:95:52:80:8d:a0:b3:ec:
bd:9e:9b:f6:46:79:9d:e7:2a:20:8b:47:ca:72:d9:b6:5b:e1:
12:eb:e3:30:01:49:7e:be:fa:be:79:99:98:b2:ba:8b:82:10:
99:54:bf:a3:0a:08:c5:2f:c2:5e:ca:32:15:9e:ea:4d:68:3c:
6d:79:6c:bc:9d:a1:3d:4f:75:a9:f1:d4:0c:ba:94:82:05:27:
d2:19:a0:48:05:67:d3:3c:fd:af:fc:40:54:9f:0a:cc:7f:21:
b8:f7:88:05:7f:7f:bd:86:24:ec:12:a3:bc:9e:f5:87:8d:70:
22:44:7f:9a
[root@CENTOS7 test2]#
6. Export the private key in PEM format from the PKCS12 keystore
openssl pkcs12 -in <PKCS12 keystore file> -passin pass:<PKCS12 keystore password> -nodes -nocerts -out <private key file>
Note: -nodes writes the private key unencrypted, and as the ls -l output below shows it is created world-readable (-rw-r--r--). Restrict it (for example chmod 600, or a 077 umask before exporting), or leave out -nodes and give -passout if the PEM key should stay encrypted.
[root@CENTOS7 test2]# openssl pkcs12 -in keystore.p12 -passin pass:storepass2 -nodes -nocerts -out key.pem
MAC verified OK
[root@CENTOS7 test2]# ls -l
合計 16
-rw-r--r-- 1 root root 1484 7月 10 02:22 cert.pem
-rw-r--r-- 1 root root 1845 7月 10 02:25 key.pem
-rw-r--r-- 1 root root 2213 7月 10 01:16 keystore.jks
-rw-r--r-- 1 root root 2547 7月 10 02:20 keystore.p12
[root@CENTOS7 test2]#
7. Check the private key contents
openssl rsa -text -noout -in <private key file> -passin pass:<private key passphrase>
Because the key was exported with -nodes in step 6 it is unencrypted, so -passin is not actually needed (it is accepted but unused in the session below); it is only required when the key was exported encrypted.
[root@CENTOS7 test2]# openssl rsa -text -noout -in key.pem -passin pass:storepass2
Private-Key: (2048 bit)
modulus:
00:b1:77:ca:bc:15:78:bc:70:4a:d3:8a:2d:c2:3e:
e8:50:74:f1:53:ef:98:9b:ae:19:67:0a:48:83:45:
3b:c9:64:93:8a:c2:71:2d:7f:89:64:26:c6:e1:5a:
c1:70:58:85:c8:24:23:e9:ff:85:0a:00:54:2e:c6:
0b:a7:b1:70:7d:d4:11:80:0f:4e:a4:9b:05:72:fc:
d5:89:c3:29:18:a6:36:4a:27:10:45:64:46:e7:cd:
00:1e:ee:40:82:43:ff:25:a8:6d:fd:aa:d9:92:47:
e1:46:cd:c9:41:96:89:4c:3c:cb:0b:00:46:a9:53:
af:9a:b8:d1:93:b9:73:12:cc:f8:78:89:8c:99:92:
79:d6:f0:3e:00:08:b1:5e:12:6e:f5:47:01:f7:b3:
94:2a:2f:cd:df:bf:3b:10:6c:d0:e2:6e:5d:b2:8a:
3d:c5:70:2d:2a:f4:21:ae:cd:e6:a3:cd:d7:25:02:
6d:3e:13:2d:49:71:0e:93:1f:03:18:b1:28:e8:0f:
98:23:e3:9b:ff:e9:e7:7b:7b:0c:bf:7b:b2:80:4f:
d9:f4:e7:d9:c0:fb:46:22:59:31:a9:06:d5:b1:71:
45:8f:eb:3c:ea:92:2e:59:1b:71:2b:4b:8e:bc:00:
38:64:68:cc:94:72:98:34:26:eb:21:0b:63:90:03:
75:65
publicExponent: 65537 (0x10001)
[root@CENTOS7 test2]#
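The seven steps above as one script, with the check that the exported certificate and private key really belong together (same RSA modulus). This is an added example, not code from the original article; the environment variable names JKS_STOREPASS, JKS_KEYPASS and P12_PASS, the function names and the output file layout are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: the JKS -> PKCS12 -> PEM
# conversion as one script, plus a check that the exported certificate and
# private key belong together. Passwords come from the environment
# variables JKS_STOREPASS, JKS_KEYPASS and P12_PASS (names chosen here),
# so they do not show up in `ps` output or shell history the way literal
# -storepass / pass: values on the command line do.
set -eu

# SHA-256 of the RSA modulus of a PEM certificate (x509) or key (rsa).
# Needs only openssl, so it also works on hosts without keytool.
modulus_hash() {  # $1 = x509 | rsa, $2 = PEM file
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate and key share the same modulus,
# i.e. the key really is the private half of the certified public key.
pem_pair_matches() {  # $1 = certificate PEM, $2 = private key PEM
    [ "$(modulus_hash x509 "$1")" = "$(modulus_hash rsa "$2")" ]
}

# Steps 1, 4 and 6 of the article. $1 = JKS file, $2 = alias, $3 = output dir
jks_to_pem() {
    jks=$1; al=$2; out=$3
    mkdir -p "$out"
    # -nodes below writes the key unencrypted: create it 0600, never 0644.
    umask 077
    # keytool's ":env" modifier reads the password from an environment variable.
    keytool -importkeystore -srckeystore "$jks" -srcstoretype JKS \
        -srcalias "$al" -srcstorepass:env JKS_STOREPASS \
        -srckeypass:env JKS_KEYPASS \
        -destkeystore "$out/keystore.p12" -deststoretype PKCS12 \
        -deststorepass:env P12_PASS
    openssl pkcs12 -in "$out/keystore.p12" -nokeys \
        -passin env:P12_PASS -out "$out/cert.pem"
    openssl pkcs12 -in "$out/keystore.p12" -nocerts -nodes \
        -passin env:P12_PASS -out "$out/key.pem"
    # Fail loudly if the two exported files do not belong together.
    pem_pair_matches "$out/cert.pem" "$out/key.pem"
}

# Usage with the article's keystore.jks and alias "test":
#   JKS_STOREPASS=... JKS_KEYPASS=... P12_PASS=... sh jks2pem.sh keystore.jks test ./out
if [ "$#" -eq 3 ]; then jks_to_pem "$@"; fi
```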
That is all.