Monday, August 6, 2018

Using JKS Keystore Data with OpenSSL and cURL


Since Java SE8 Update 151, the Java keytool prints warnings when the JKS and JCEKS formats are used. This indicates the end of support for these proprietary formats. In addition, tools like OpenSSL and cURL do not support the Java-specific formats. Luckily, the keytool also supports the PKCS12 format, which OpenSSL supports as well.



The following text describes how to convert your Java JKS keystore into a PKCS12 keystore and how to create the private and public key PEM files needed by cURL.

Assumption: your starting point is a JKS keystore that contains one key pair (private/public key), generated more or less as follows:

keytool -genkeypair \
    -keystore ./mykeystore.jks \
    -storepass changeit \
    -alias wec \
    -keypass changeit \
    -dname "CN=Wile E. Coyote, OU=Rocket-Powered Products Department, O=ACME Corporation, L=Fairfield, ST=New Jersey, C=US" \
    -keyalg RSA \
    -keysize 4096 \
    -sigalg SHA256WithRSA \
    -validity 365 \
    -v



Convert JKS keystore into a PKCS12 keystore

keytool -importkeystore \
    -v \
    -srckeystore mykeystore.jks \
    -destkeystore mykeystore.p12 \
    -srcstoretype jks \
    -deststoretype pkcs12 \
    -srcstorepass changeit \
    -deststorepass changeit

Importing keystore mykeystore.jks to mykeystore.p12...
Entry for alias wec successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing mykeystore.p12]



Show content of imported PKCS12 keystore

keytool -list \
    -v \
    -keystore mykeystore.p12 \
    -storepass changeit \
    -storetype pkcs12
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: wec
Creation date: Aug 6, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Wile E. Coyote, OU=Rocket-Powered Products Department, O=ACME Corporation, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Wile E. Coyote, OU=Rocket-Powered Products Department, O=ACME Corporation, L=Fairfield, ST=New Jersey, C=US
Serial number: 33e22075
Valid from: Mon Aug 06 12:24:28 CEST 2018 until: Tue Aug 06 12:24:28 CEST 2019
Certificate fingerprints:
     MD5:  B4:47:C2:95:99:88:06:6A:C7:B2:88:EF:15:70:8E:41
     SHA1: AA:94:8A:2E:4E:24:DE:87:DB:9D:D7:CF:33:FC:A3:CA:39:36:86:46
     SHA256: EE:0A:8E:AD:5B:65:49:BF:07:DD:E7:DB:99:E0:6B:69:01:F3:91:03:41:8C:A4:93:E6:F8:70:6D:28:CF:6D:28
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E0 3B 47 ED 59 DA 88 60   00 88 2B C7 82 43 E7 BC  .;G.Y..`..+..C..
0010: 50 14 40 39                                        P.@9
]
]



*******************************************
*******************************************


Export the certificate from the PKCS12 keystore

keytool -exportcert \
     -keystore mykeystore.p12 \
     -storepass changeit \
     -storetype pkcs12 \
     -alias wec \
     -rfc \
     -file wec.crt
Certificate stored in file <wec.crt>



Show the certificate data

cat wec.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Export the encrypted private key (passphrase needed)

openssl pkcs12 -in mykeystore.p12 -nocerts \
    -out wec_key_enc.pem \
    -passin pass:changeit -passout pass:changeit


Show the encrypted private key data


cat wec_key_enc.pem
Bag Attributes
    friendlyName: wec
    localKeyID: 54 69 6D 65 20 31 35 33 33 35 35 33 33 38 36 33 39 33
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----


Export private key data (no passphrase needed)

openssl rsa -in wec_key_enc.pem -out wec_key.pem \
    -passin pass:changeit
writing RSA key


Show private key data


cat wec_key.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


Export public key only

openssl pkcs12 -in mykeystore.p12 -clcerts -nokeys \
    -passin pass:changeit | openssl x509 -pubkey -noout \
    -out wec_pubkey.pem

Show public key data

cat wec_pubkey.pem
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----


Export certificate data


openssl pkcs12 -in mykeystore.p12 -clcerts -nokeys \
    -passin pass:changeit | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > wec_cert.pem

Show certificate data

cat wec_cert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Hint: the files wec_cert.pem (created by OpenSSL) and wec.crt (created by the Java keytool) contain the same data but have a different size:

ls -l wec_cert.pem wec.crt
-rw-r----- 1 maro maro 2074 Aug  6 13:03 wec_cert.pem
-rw-r----- 1 maro maro 2105 Aug  6 14:27 wec.crt


Explanation: OpenSSL uses 0x0a for line breaks, while the keytool uses 0x0d0a.

You can use the following command line options with cURL to use the private/public key data extracted from your PKCS12 keystore:
  • --key wec_key.pem
  • --cert wec_cert.pem
You can skip verification of the server certificate by adding the cURL option
  • --insecure
or you can fetch the server certificate directly from the running server by using OpenSSL:

echo -n | openssl s_client -connect host:port 2>&1 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >server.pem

If you have to use a proxy for your internet communication, you can add the following option to OpenSSL 1.1.0:
  • -proxy proxyHost:proxyPort
You can add the server certificate with the following cURL command line option
  • --cacert server.pem
Keep in mind: modern servers use TLSv1.2. The minimum cURL version with TLSv1.2 support is 7.34.0.
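
Added example (not part of the original post): before passing the extracted files to cURL, the shell functions below check that the private key belongs to the certificate, and that two PEM files such as wec_cert.pem and wec.crt hold the same certificate despite their different line endings. The function names and the sample data are this example's own; it assumes openssl and awk are installed.

```sh
#!/bin/sh
# Added example: consistency checks for the PEM files extracted above.
# All function names are this example's own; sample data is constructed.

# SHA-256 fingerprint of a certificate, computed over its DER encoding,
# so PEM line endings (0x0a vs 0x0d0a) do not change the result.
cert_fp() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${fp#*=}"
}

# True if both PEM files hold the same certificate.
same_cert() {
    fp_a=$(cert_fp "$1") || return 1
    fp_b=$(cert_fp "$2") || return 1
    [ "$fp_a" = "$fp_b" ]
}

# True if the private key ($1) belongs to the certificate ($2).
# $3 is an optional openssl pass phrase source; env:KEYPASS keeps the
# passphrase out of the process list, unlike pass:...
key_matches_cert() {
    pub_k=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout) || return 1
    pub_c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$pub_k" = "$pub_c" ]
}

# Constructed sample data: throwaway key, self-signed certificate, a CRLF
# copy of that certificate, and an unrelated second key.
make_samples() (
    umask 077    # key files are created readable by the owner only
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-example" \
        -keyout "$1/key.pem" -out "$1/cert_lf.pem" 2>/dev/null || exit 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.pem" 2>/dev/null || exit 1
    awk '{ printf "%s\r\n", $0 }' "$1/cert_lf.pem" > "$1/cert_crlf.pem"
)

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && make_samples "$dir" || exit 1
    same_cert "$dir/cert_lf.pem" "$dir/cert_crlf.pem" && echo "same certificate"
    key_matches_cert "$dir/key.pem" "$dir/cert_lf.pem" && echo "key matches"
    key_matches_cert "$dir/other.pem" "$dir/cert_lf.pem" || echo "other key rejected"
    rm -rf "$dir"
fi
```

With the files from this post, the calls would be key_matches_cert wec_key.pem wec_cert.pem and same_cert wec_cert.pem wec.crt; running the script with the argument demo exercises the functions on the constructed samples.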


Software versions in use:
  • Debian 9.5
  • Oracle Java SE8 Update 181
  • OpenSSL 1.1.0f
  • cURL 7.52.1