SSL – Show me the private key

I have to admit I struggle to understand why SSL is one of the weirdest and most difficult things I get stuck configuring about 2 or 3 times a year.  Today I was trying to see a private key as I had a REN server that would not boot properly after a new SSL certificate was installed and I wanted to compare the key that was getting loaded by REN with what I had in my certificate.

It turns out that I had done something very similar a few weeks ago, but in reverse, and I posted this blog on it.

This time, in order to see the private key, you have to take the JKS keystore, convert it to a PKCS#12 (p12) keystore, and then export the private key. Again, nothing is ever easy with SSL, so this requires two tools: keytool and openssl. You can get openssl from the great folks at SourceForge – click here.

First the conversion from jks to p12:

keytool -v -importkeystore -srckeystore keystore.jks -srcalias certificatekey -destkeystore myp12file.p12 -deststoretype PKCS12

Secondly, now that you have the p12 keystore you can extract the private key:

openssl pkcs12 -in myp12file.p12 -out private.pem
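
For the comparison that motivated this (does the key in the keystore belong to the certificate?), the following added example, which is not part of the original post, compares the public key derived from the p12's private key with the public key in a certificate. The function names, file names and password are constructed, and the sample p12 files are built directly with openssl so the script runs without a JKS file; on a real system the first argument would be the myp12file.p12 produced by the keytool step.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the private key in a
# PKCS#12 file belongs to a certificate by comparing the two public keys.
# The decrypted key only travels through a pipe and is never written to disk.
# Function names, file names and the password below are constructed.

# p12_key_matches_cert P12FILE CERT.pem
# Returns 0 on match, 1 on mismatch, 2 if either input cannot be read.
# The keystore password comes from $P12_PASS, keeping it off the command line.
p12_key_matches_cert() {
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# make_sample DIR NAME: build a throwaway key, self-signed cert and .p12.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -name certificatekey -passout env:P12_PASS -out "$1/$2.p12"
}

umask 077                       # temp files readable by the owner only
P12_PASS=constructed-demo-pass; export P12_PASS
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample "$work" old         # stands in for the key the server loads
make_sample "$work" new         # stands in for an unrelated new certificate

for cert in old new; do
    if p12_key_matches_cert "$work/old.p12" "$work/$cert.crt"; then
        echo "old.p12 key matches $cert.crt"
    else
        echo "old.p12 key does NOT match $cert.crt (status $?)"
    fi
done
```

The export command shown in the post, without -nocerts, writes the certificates as well as the private key into private.pem, so treat that file as secret material and delete it once the comparison is done.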