JKS TO PEM

tomcat 的ssl 会使用到jks，而haproxy的ssl（非tcp代理方式）会使用到pem

如果从tomcat的ssl需要迁移到haproxy的ssl，就需要从jks中读取相关信息生成pem文件。

========================

先通过keytool导出成PKCS12格式(.p12后缀):

$ keytool -importkeystore -srckeystore tankywoo.jks -destkeystore tankywoo.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias foo successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

指定源(jks)文件和目标(pkcs)文件的文件名和类型.

执行时输入设置给pkcs12证书的密码, 以及jks证书的密码.

再通过openssl将pkcs12文件导出成pem格式文件.

# 生成key 加密的pem证书
$ openssl pkcs12 -in tankywoo.p12 -out tankywoo.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 生成key 非加密的pem证书
$ openssl pkcs12 -nodes -in tankywoo.p12 -out tankywoo.pem
Enter Import Password:
MAC verified OK

也可以分开导出:

导出key:

# 生成加密的key
$ openssl pkcs12 -in tankywoo.p12  -nocerts -out server.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 生成非加密的key
$ openssl pkcs12 -in tankywoo.p12 -nocerts -nodes -out server.key
Enter Import Password:
MAC verified OK

导出server证书:

$ openssl pkcs12 -in tankywoo.p12  -nokeys -clcerts -out server.crt
Enter Import Password:
MAC verified OK

导出ca证书:

$ openssl pkcs12 -in tankywoo.p12  -nokeys -cacerts -out ca.crt
Enter Import Password:
MAC verified OK

========================
参考：
http://ju.outofmemory.cn/entry/108566
http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format#comment1252648_656559