Thread: Exporting private key from keystore for use with Postfix/Apache

  1. #1
    Join Date: Apr 2006

    Exporting private key from keystore for use with Postfix/Apache

    As cited elsewhere, it is a rather big hassle to set up commercial SSL certificates within Zimbra for Tomcat, Postfix, etc. This is definitely an area that could use some improvement!

    A rather large problem we encountered is that when generating the CSR to get our certificate, the keystore (a JKS keystore) does not output the .key or provide any facility for obtaining the .key.
    So in the end we ended up with a .pem/.crt with no way of using it with Postfix/Apache, both of which need a .key + .pem/.crt pair.
    The primary reason for this forum post is that the wiki doesn't allow file uploads other than images, and I wanted to make sure there was a version of the Java program necessary to do this somewhere within the wiki or forums to reference, in the event that the original site/location is moved or removed and it consequently becomes difficult to find.

    The following instructions are from this page, which originally got them from here.
    Here is a summary of the steps needed to export a private key from a JKS keystore:
    Download from the attachments of this post or the original location.
    java -jar {keystore_path} JKS {keystore_password} {alias} {target_file}
    This exports the key in PKCS #8 PEM format. Now run openssl to convert it to the format Apache mod_ssl expects:
    openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key
    The Java code for exporting the private key in PKCS #8 format (already compiled and packaged within the .zip file, ready to run):
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileWriter;
    import java.security.*;
    import java.security.cert.Certificate;
    import java.util.Base64;

    // Writes the private key of one keystore entry as an unencrypted PKCS #8 PEM file
    // ("-----BEGIN PRIVATE KEY-----"). The posted version used sun.misc.BASE64Encoder, a
    // JDK-internal class removed from current JDKs; java.util.Base64 (Java 8+) is used here.
    public class ExportPrivateKey {
            private File keystoreFile;
            private String keyStoreType;   // "JKS" for Zimbra's Tomcat keystore
            private char[] password;       // keystore password; also used as the key password
            private String alias;          // e.g. "tomcat"
            private File exportedFile;

            public static KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
                    try {
                            Key key = keystore.getKey(alias, password);
                            if (key instanceof PrivateKey) {
                                    Certificate cert = keystore.getCertificate(alias);
                                    PublicKey publicKey = cert.getPublicKey();
                                    return new KeyPair(publicKey, (PrivateKey) key);
                            }
                    } catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) {
                            // wrong password, unsupported key algorithm, or uninitialised keystore
                    }
                    return null;   // also reached when the alias holds a certificate but no key
            }

            public void export() throws Exception {
                    KeyStore keystore = KeyStore.getInstance(keyStoreType);
                    try (FileInputStream in = new FileInputStream(keystoreFile)) {
                            keystore.load(in, password);
                    }
                    KeyPair keyPair = getPrivateKey(keystore, alias, password);
                    if (keyPair == null) {
                            throw new KeyStoreException("no private key for alias '" + alias + "' (check alias and password)");
                    }
                    // PrivateKey.getEncoded() is PKCS #8 DER; PEM is that in 64-column base64 lines
                    byte[] der = keyPair.getPrivate().getEncoded();
                    String encoded = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
                    // The output is an unencrypted key: restrict the file to the service user afterwards.
                    try (FileWriter fw = new FileWriter(exportedFile)) {
                            fw.write("-----BEGIN PRIVATE KEY-----\n");
                            fw.write(encoded);
                            fw.write("\n-----END PRIVATE KEY-----\n");
                    }
            }

            // usage: java ExportPrivateKey <keystore> <type> <password> <alias> <outfile>
            public static void main(String args[]) throws Exception {
                    ExportPrivateKey export = new ExportPrivateKey();
                    export.keystoreFile = new File(args[0]);
                    export.keyStoreType = args[1];
                    export.password = args[2].toCharArray();
                    export.alias = args[3];
                    export.exportedFile = new File(args[4]);
                    export.export();
            }
    }
    How we used it:
    # Export the tomcat key (the one behind the tomcat CSR) as PKCS#8 PEM
    java -jar /opt/zimbra/tomcat/conf/keystore JKS zimbra tomcat /opt/zimbra/ssl/ssl/server/tomcat-pkcs8.key
    # Convert the PKCS#8 PEM key to the traditional PEM form ("BEGIN RSA PRIVATE KEY")
    openssl pkcs8 -inform PEM -nocrypt -in /opt/zimbra/ssl/ssl/server/tomcat-pkcs8.key -out /opt/zimbra/ssl/ssl/server/tomcat.key
    # Copy tomcat.key and tomcat.pem over the default self-signed smtpd pair
    cp /opt/zimbra/ssl/ssl/server/tomcat.key /opt/zimbra/conf/smtpd.key
    cp /opt/zimbra/ssl/ssl/server/tomcat.pem /opt/zimbra/conf/smtpd.crt
    # Restart Zimbra (or just Postfix if you choose); a login shell puts zmcontrol on the PATH
    su - zimbra
    zmcontrol stop
    zmcontrol start
    Now to test and see if it worked.
    For Postfix:
    nc <mailhost> 25                             (or telnet instead of nc if you don't have netcat but do have telnet)
    220 ESMTP Postfix
    ehlo world                                   <-- type this line
    250-SIZE 10240000
    250 8BITMIME
    starttls                                     <-- type this line
    # One of these two replies follows:
    220 Ready to start TLS                       <-- SUCCESS !!!
    454 TLS not available due to local problem   <-- FAILURE :(
    For Apache (which needs slightly different instructions for setting up the file pair, but the principles for extracting the key and such are the same):
    Open a browser, browse to the site, and use the browser to verify the validity of the certificate.

    Disclaimer: I did not write the java code used for exporting the private key and the instructions on this page are only slightly edited and updated instructions found on the linked websites. This edited version of the instructions is what worked for us, there are no guarantees that it will work for you. If you have any problems running the java program to extract the key, please seek help from the person who wrote it. For anything Zimbra related however feel free to follow up in this post and someone will surely try to help.



    Post Scriptum: To the Zimbra devs reading this... Wouldn't it be nice if Zimbra included the functionality to do all of this from within the interface, so that people who require commercial certificates (most likely a large majority of your NE users) don't have to follow half-baked howtos/tutorials, like the one I have just done, which are the source of much frustration?
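The following script is an added example and is not part of the post above, nor Zimbra's own tooling. It covers the same procedure (get the key out of the JKS keystore, convert it, install it for Postfix, check STARTTLS) without a custom Java class: keytool's -importkeystore option (JDK 6 and later) can re-wrap a JKS entry as PKCS#12, which openssl can then unpack into a plain PEM key. It also adds the two checks a practitioner wants before overwriting smtpd.key: that the exported key actually belongs to the certificate, and that the key file is not world-readable. Assumptions, not from the page: keytool and openssl on the PATH, all paths and the alias passed as arguments, and the install target of /opt/zimbra/conf/smtpd.key and smtpd.crt from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Zimbra. keytool -importkeystore
# (JDK 6+) re-wraps a JKS entry as PKCS#12; openssl unpacks that into a PEM key.
# Assumed, not from the page: keytool and openssl on PATH; paths/alias are arguments.
set -eu

# JKS -> PKCS#12 -> unencrypted PEM private key.
# Zimbra's keystore uses one password for the store and the key; pass it as $2.
jks_to_pem_key() {
    jks=$1 storepass=$2 alias=$3 outkey=$4
    umask 077                       # the PEM key must not be world-readable
    p12=$(mktemp)
    keytool -importkeystore -noprompt \
        -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$storepass" \
        -srcalias "$alias" -srckeypass "$storepass" \
        -destkeystore "$p12" -deststoretype PKCS12 \
        -deststorepass "$storepass" -destkeypass "$storepass"
    # -nodes: no passphrase on the output, since Postfix/Apache load it unattended.
    # openssl writes PKCS#8 PEM ("BEGIN PRIVATE KEY"); the post's
    # "openssl pkcs8 -nocrypt" step turns that into the traditional form if needed.
    openssl pkcs12 -in "$p12" -passin "pass:$storepass" -nocerts -nodes -out "$outkey"
    rm -f "$p12"
}

# Refuse to install a key that does not belong to the certificate: compare the
# SubjectPublicKeyInfo each side carries (works for RSA and EC keys alike).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Copy key + cert into place only after the pair check passes, with the key
# readable by its owner only (the post uses plain cp, which keeps whatever mode
# the source file had).
install_pair() {
    key=$1 cert=$2 destkey=$3 destcert=$4
    key_matches_cert "$key" "$cert" || { echo "key/cert mismatch, not installing" >&2; return 1; }
    install -m 0600 "$key" "$destkey"
    install -m 0644 "$cert" "$destcert"
}

# Non-interactive version of the "ehlo / starttls" check from the post:
# succeeds only if the server accepts STARTTLS and presents a certificate.
starttls_ok() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:25" -starttls smtp 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# usage: sh export-key.sh <keystore> <storepass> <alias> <out.key> <cert.pem> <mailhost>
main() {
    jks_to_pem_key "$1" "$2" "$3" "$4"
    install_pair "$4" "$5" /opt/zimbra/conf/smtpd.key /opt/zimbra/conf/smtpd.crt
    starttls_ok "$6" && echo "STARTTLS OK on $6" || echo "STARTTLS not offered by $6" >&2
}
if [ $# -eq 6 ]; then main "$@"; fi
```

After running it, restart Postfix as the post describes (zmcontrol as the zimbra user). The pair check is the step most worth keeping even if you stick with the Java exporter: a key that does not match smtpd.crt produces exactly the "454 TLS not available due to local problem" reply shown above, and comparing the public keys catches it before the service is touched.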