
Converting Certificates


TLS certificates may be provided in different formats or containers, e.g. PEM or PKCS#12.

Additionally, the certificate files may have different extensions, e.g. .crt and .key for PEM or .p12 and .pfx for PKCS#12. Some of the files may be encrypted and signed. The formats and files can still be converted into one another.

Literature

To be secured with TLS, Keycloak requires a Java keystore containing PKCS#12 credentials. For details on setting up SSL/HTTPS, refer to Setting up HTTPS/SSL in the Keycloak documentation.


Hint - tools

You may download the openssl program mentioned below from heise.de.

The keytool program for creating a Java keystore is part of the Java installation. For further information, refer to keytool.


Converting a Certificate

.cer (PEM) into .pem (PEM)

  1. Convert from .crt to .cer as described below.

  2. Replace the .cer extension of the saved file with .pem.


.crt (PEM) into .cer (PEM)

  1. Double-click the .crt file to open the Windows certificate dialog.

  2. In the Details tab, click Copy to File....

  3. Select the CER format you want to use. For a PEM file, as in this heading, choose the Base-64 encoded X.509 option rather than the DER encoded binary one.


PEM into PKCS#12

openssl pkcs12 -export -in <certificate.crt> -inkey <certificate.key> -out <certificate.p12> -name default -CAfile <cacerts.crt> -caname <root>

Extracting a Certificate

From .pfx (PKCS#12) into .cer (PEM)

openssl pkcs12 -in <certificate.pfx> -cacerts -nokeys -chain -out <cacerts.cer>

From .pfx (PKCS#12) into .crt (PEM)

openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.crt>

From .pfx (PKCS#12) into .pem (PEM)

openssl pkcs12 -in <certificate.pfx> -clcerts -nokeys -out <certificate.pem>

Extracting the Private Key

From .pfx (PKCS#12) into .key with Encryption (PEM)

openssl pkcs12 -in <certificate.pfx> -nocerts -out <key_encrypted.key>

From .pfx (PKCS#12) into .pem (PEM)

openssl pkcs12 -in <certificate.pfx> -nocerts -out <key.pem>

Removing the Encryption from .key (PEM)

openssl rsa -in <key_encrypted.key> -out <key_decrypted.key>

openssl rsa only handles RSA keys; for other key types (e.g. EC) use openssl pkey with the same options. The decrypted file contains the private key in clear text, so restrict its file permissions and delete it when it is no longer needed.

Creating a Java Keystore from .p12 (PKCS#12)

keytool -importkeystore -deststorepass <keystore_password> -destkeypass <key_password> -destkeystore <keystore.jks> -srckeystore <keystore.p12> -srcstoretype PKCS12 -srcstorepass <secret_password_used_in_csr> -alias default

If the PKCS#12 keystore doesn't contain a "default" alias, drop the "-alias" option for the conversion.


Listing Aliases in a Java Keystore

If you do not have a "default" alias, you need to know the imported alias to configure the standalone.yml.

keytool -list -keystore <keystore.jks>

The result looks as follows:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

<alias>, <date>, PrivateKeyEntry,
Certificate fingerprint (<algorithm>): <fingerprint>

Use the <alias> part for the standalone.yml.
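The PEM into PKCS#12, Java keystore creation and alias listing steps above chained into one script, added here as an example and not taken from the original page. It assumes openssl and keytool are on PATH and takes the store password from an environment variable named STORE_PASS (a convention chosen for this example), using openssl's env: and keytool's :env password forms so the secret never appears on the command line.

```shell
#!/bin/sh
# Added example (not from the original page): chains the PEM -> PKCS#12 ->
# Java keystore steps above and reads the imported alias back from
# "keytool -list". Assumes openssl and keytool are on PATH and takes the store
# password from the environment variable STORE_PASS (a convention chosen
# here) so that it never shows up on the command line or in the process list.

# Bundle certificate, key and CA chain into PKCS#12 under the alias "default".
pem_to_p12() {   # $1 cert.crt  $2 cert.key  $3 cacerts.crt  $4 out.p12
    openssl pkcs12 -export -in "$1" -inkey "$2" -CAfile "$3" -caname root \
        -name default -out "$4" -passout env:STORE_PASS
}

# Import every entry of the PKCS#12 file into a Java keystore. No -alias is
# given, so this also works when the source store has no "default" alias.
p12_to_jks() {   # $1 in.p12  $2 out.jks
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass:env STORE_PASS -destkeystore "$2" \
        -deststorepass:env STORE_PASS -destkeypass:env STORE_PASS -noprompt
}

# Print the first private-key alias found in "keytool -list" output (stdin).
# Entry lines read "<alias>, <date>, PrivateKeyEntry," and the date itself
# contains commas, so split on ", " and keep only the first field.
first_key_alias() {
    awk -F', ' '/PrivateKeyEntry/ { print $1; exit }'
}

list_key_alias() {   # $1 keystore.jks
    keytool -list -keystore "$1" -storepass:env STORE_PASS | first_key_alias
}

# Constructed sample of "keytool -list" output for exercising the parser
# offline; a trusted CA entry precedes the private-key entry on purpose.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
root, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22
mykey, Jan 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC'

# Usage: STORE_PASS=... sh convert.sh cert.crt cert.key cacerts.crt keystore.jks
if [ "$#" -eq 4 ]; then
    pem_to_p12 "$1" "$2" "$3" "${4%.jks}.p12"
    p12_to_jks "${4%.jks}.p12" "$4"
    echo "Imported alias for standalone.yml: $(list_key_alias "$4")"
fi
```

Run with four arguments to perform the conversion; the printed alias is the value to put into standalone.yml.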


Cloning an Alias in a Java Keystore

keytool -keyclone -alias "<existing_alias>" -dest "<cloned_alias>" -keypass <key_password> -new <key_password> -keystore <keystore.jks> -storepass <keystore_password>

Renaming an Alias in a Java Keystore

keytool -changealias -alias "<existing_alias>" -destalias <new_alias> -keypass <key_password> -keystore <keystore.jks> -storepass <keystore_password>