
How to export Gateway frontend certificate including key

Abstract

This article describes how to export the certificate and private key from a Gateway when the certificate files are no longer available but are needed for an update or a migration.

Convert JKS keystore to PKCS12 (5.4 or earlier)

Check whether the keystore type is PKCS12 or JKS:

Check keystore type

CODE
keytool -list -keystore /opt/SUNWsgdg/proxy/etc/keystore.client -storepass "$(cat /opt/SUNWsgdg/etc/password)"
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

If the keystore type is JKS, convert it to PKCS12; otherwise just copy it:

Export

CODE
keytool -importkeystore \
  -srckeystore /opt/SUNWsgdg/proxy/etc/keystore.client \
  -srcstorepass "$(cat /opt/SUNWsgdg/etc/password)" \
  -srcstoretype JKS \
  -destkeystore /tmp/keystore.p12 \
  -deststoretype PKCS12 \
  -deststorepass "$(cat /opt/SUNWsgdg/etc/password)"

Convert

CODE
openssl pkcs12 -in /tmp/keystore.p12 -nodes -nocerts -out private_key.pem
openssl pkcs12 -in /tmp/keystore.p12 -nokeys -out cert.pem

The cert.pem includes the intermediate CA certificates, if any exist. Because of the -nodes option, private_key.pem is written unencrypted.
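Before the exported files are used for an update or migration, it is worth confirming that private_key.pem really belongs to one of the certificates in cert.pem. The script below is an added example, not part of the original article; the function names, the sample password and the sample CN are assumptions, and the keystore it builds when run without arguments is constructed throwaway data.

```sh
#!/bin/sh
# Added example: check that the exported private_key.pem belongs to a
# certificate in cert.pem before it is used for an update or migration.
umask 077   # -nodes writes the key unencrypted, so create files owner-only

# Returns 0 on match, 1 on no match, 2 if the key or cert file is unusable.
key_matches_cert() {
    want=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    [ -n "$want" ] || return 2
    n=$(grep -c 'BEGIN CERTIFICATE' "$2" 2>/dev/null) || return 2
    i=1
    # cert.pem may hold the leaf plus intermediate CAs; test each one.
    while [ "$i" -le "$n" ]; do
        got=$(awk -v n="$i" '/BEGIN CERTIFICATE/ {c++} c == n {print}
                             /END CERTIFICATE/ && c == n {exit}' "$2" |
              openssl x509 -pubkey -noout 2>/dev/null)
        [ "$got" = "$want" ] && return 0
        i=$((i + 1))
    done
    return 1
}

# Constructed sample (not a real Gateway keystore), exported as in the article.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=gateway.example.test" \
        -keyout "$1/k.pem" -out "$1/c.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" -passout pass:sample \
        -out "$1/keystore.p12" &&
    openssl pkcs12 -in "$1/keystore.p12" -passin pass:sample -nodes -nocerts \
        -out "$1/private_key.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1/keystore.p12" -passin pass:sample -nokeys \
        -out "$1/cert.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other_key.pem" 2>/dev/null
}

if [ "$#" -eq 2 ]; then          # sh check.sh private_key.pem cert.pem
    key_matches_cert "$1" "$2"; echo "status: $?"
else                              # no arguments: run on the constructed sample
    tmp=$(mktemp -d) || exit 1
    make_sample "$tmp" && key_matches_cert "$tmp/private_key.pem" "$tmp/cert.pem" &&
        echo "sample key matches sample certificate"
    rm -rf "$tmp"
fi
```

The comparison uses the public key rather than the RSA modulus, so it also works for EC keys.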

Reuse old keystore after migration

Save the keystore and its password file to a folder outside of /opt/SUNWsgdg/:

Copy keystore

CODE
cp /opt/SUNWsgdg/proxy/etc/keystore.client /tmp/
cp /opt/SUNWsgdg/etc/password /tmp/

After the update, migrate the keystore to the new environment with the new password:

Migrate keystore

CODE
rm /opt/SUNWsgdg/proxy/etc/keystore.client
keytool -importkeystore \
  -srckeystore /tmp/keystore.client \
  -destkeystore /opt/SUNWsgdg/proxy/etc/keystore.client \
  -srcstorepass "$(cat /tmp/password)" \
  -deststorepass "$(cat /opt/SUNWsgdg/etc/password)" \
  -deststoretype PKCS12 \
  -destkeypass "$(cat /opt/SUNWsgdg/etc/password)"
