Converting Certificates
TLS certificates may be provided in different formats or containers, e.g. PEM or PKCS#12. Additionally, the certificate files may have different extensions, e.g. .crt and .key for PEM or .p12 and .pfx for PKCS#12. Some of the files may be encrypted and signed. Still, the formats and the files can be converted into one another.
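Because the extension alone does not tell you which container a file holds, the following added example (standard-library Python, not part of the original page) sniffs the real format from the content: PEM block labels, including whether a key block is encrypted, and the leading ASN.1 structure of a DER blob to tell a PKCS#12 file from a DER certificate or an unencrypted DER private key. The names `sniff`/`sniff_der` and the hex sample blobs used for testing are constructed for illustration.

```python
import re

# One PEM block: the label after BEGIN and everything up to the matching END line.
_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _der_length(buf, i):
    """Decode the DER length octets at buf[i]; return (length, index of the content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def sniff_der(data):
    """Classify a binary blob by its outer ASN.1 shape (constructed heuristic)."""
    if len(data) < 2 or data[0] != 0x30:      # X.509, PKCS#8/PKCS#1 and PFX all start with SEQUENCE
        return "unknown"
    _, i = _der_length(data, 1)
    if i >= len(data):
        return "unknown"
    if data[i] == 0x30:                        # SEQUENCE tbsCertificate -> X.509 certificate
        return "der-certificate"
    if data[i] == 0x02:                        # INTEGER version comes first in PFX and key formats
        length, j = _der_length(data, i + 1)
        if length == 1 and j < len(data):
            if data[j] == 3:                   # PFX.version is 3 (PKCS#12)
                return "pkcs12"
            if data[j] == 0:                   # PrivateKeyInfo / RSAPrivateKey version 0
                return "der-private-key"
    return "unknown"


def sniff(data):
    """Return (container, [content kinds]) for PEM or DER input bytes."""
    blocks = _PEM_BLOCK.findall(data)
    if not blocks:
        return "der", [sniff_der(data)]
    kinds = []
    for label, body in blocks:
        label = label.decode()
        if label == "CERTIFICATE":
            kinds.append("certificate")
        elif label == "ENCRYPTED PRIVATE KEY" or (
                label.endswith("PRIVATE KEY") and b"Proc-Type: 4,ENCRYPTED" in body):
            kinds.append("encrypted-private-key")    # still needs the passphrase to use
        elif label.endswith("PRIVATE KEY"):
            kinds.append("private-key")
        else:
            kinds.append(label.lower())
    return "pem", kinds
```

A .pem that reports both a private key and a certificate is a combined file, which is why the extraction commands below use -nocerts and -nokeys to split the two apart.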
Literature
To be secured with HTTPS, Keycloak requires a Java keystore containing PKCS#12 credentials. For details on setting up SSL/HTTPS, refer to Setting up HTTPS/SSL in the Keycloak documentation.
Hint - tools
You may download the openssl program mentioned below from heise.de.
The keytool program for creating a Java keystore is part of the Java installation. For further information, refer to keytool.
Converting a Certificate
.cer (PEM) into .pem (PEM)
- Convert from .crt to .cer as described below.
- Replace the .cer extension of the saved file by .pem.
.crt (PEM) into .cer (PEM)
- Double-click the .crt file to open the Windows certificate dialog.
- In the Details tab, click Copy to File...
- Select the CER format you want to use (Base-64 encoded X.509 produces a PEM file; DER encoded binary produces a binary file).
PEM into PKCS#12
openssl pkcs12 -export -in <certificate.crt> -inkey <certificate.key> -out <certificate.p12> -name default -CAfile <cacerts.crt> -caname <root>
Extracting a Certificate
From .pfx (PKCS#12) into .cer (PEM)
openssl pkcs12 -in <certificate.pfx> -cacerts -nokeys -chain -out <cacerts.cer>
From .pfx (PKCS#12) into .crt (PEM)
openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.crt>
From .pfx (PKCS#12) into .pem (PEM)
openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.pem>
Extracting the Private Key
From .pfx (PKCS#12) into .key with Encryption (PEM)
openssl pkcs12 -in <certificate.pfx> -nocerts -out <key_encrypted.key>
From .pfx (PKCS#12) into .pem (PEM)
openssl pkcs12 -in <certificate.pfx> -nocerts -out <key.pem>
Removing the Encryption from .key (PEM)
openssl rsa -in <key_encrypted.key> -out <key_decrypted.key>
Creating a Java Keystore from .p12 (PKCS#12)
keytool -importkeystore -deststorepass <keystore_password> -destkeypass <key_password> -destkeystore <keystore.jks> -srckeystore <keystore.p12> -srcstoretype PKCS12 -srcstorepass <secret_password_used_in_csr> -alias default
If the PKCS#12 keystore does not contain a "default" alias, drop the "-alias" option for the conversion.
Listing Aliases in a Java Keystore
If you do not have a "default" alias, you need to know the imported alias to configure the standalone.yml.
keytool -list -keystore <keystore.jks>
The result looks as follows:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
<alias>, <date>, PrivateKeyEntry,
Certificate fingerprint (<algorithm>): <fingerprint>
Use the <alias> part for the standalone.yml.
Cloning an Alias in a Java Keystore
keytool -keyclone -alias "<existing_alias>" -dest "<cloned_alias>" -keypass <key_password> -new <key_password> -keystore <keystore.jks> -storepass <keystore_password>
Renaming an Alias in a Java Keystore
keytool -changealias -alias "<existing_alias>" -destalias <new_alias> -keypass <key_password> -keystore <keystore.jks> -storepass <keystore_password>