How to Convert Certificate Encodings (DER, JKS, PEM) for TLS/SSL Clients and Services

Client and server processes require specific certificate and keystore file formats. For example, when configured for TLS Level 2, Cloudera Manager Server requires a Java KeyStore (JKS) formatted truststore and certificate to present to requesting Cloudera Manager Agent hosts. The Hue client also connects to Cloudera Manager Server, but Hue requires a PEM-formatted certificate.

Certificates issued by a CA in one format (encoding) can be used to create certificates in a different format using Java Keytool and OpenSSL as detailed below.

Converting DER Encoded Certificates to PEM

This process uses OpenSSL to convert a DER-encoded certificate to an ASCII (Base64) encoded certificate. Typically, DER-encoded certificates use .CRT or .CER for the file extension, but regardless of the extension, a DER encoded certificate is one that is not readable as plain text (unlike PEM encoded certificate).

A PEM-encoded certificate may also use .CRT or CER as the extension for the file name, in which case, you can simply copy the file to a new name using the .PEM extension:

$ cp hostname.cer hostname.pem
To convert a DER-encoded certificate to PEM encoding, the OpenSSL command is as follows:
$ openssl x509 -inform der -in hostname.cer -out hostname.pem
For example:
$ openssl x509 -inform der -in /opt/cloudera/security/pki/hostname.cer -out /tmp/hostname.pem

Converting JKS Key and Certificate to PEM

This process uses both Java Keytool and OpenSSL (keytool and openssl, respectively, in the commands below) to export the composite private key and certificate from a Java keystore and then extract each element into its own file.

The PKCS12 file created below is an interim file used to obtain the individual key and certificate files.

Replace hostname-keystore, cmhost, hostname, and password with values from your system.

  1. Export the private key and certificate command line:
    $ keytool -importkeystore -srckeystore /opt/cloudera/security/jks/hostname-keystore.jks \
    -srcstorepass password -srckeypass password -destkeystore /tmp/hostname-keystore.p12 \
    -deststoretype PKCS12 -srcalias hostname -deststorepass password -destkeypass password
  2. Extract the certificate file from the resulting PKCS12 file:
    $ openssl pkcs12 -in /tmp/hostname-keystore.p12 -passin pass:password  -nokeys \
    -out /opt/cloudera/security/pki/hostname.pem
    This extracted certificate can be used, as is.

Extracting the Private Key from PKCS Keystore

Use OpenSSL to extract the private key from the PKCS keystore when needed. This statement extracts the key and saves it to a keystore, giving it the password you provide:
   $ openssl pkcs12 -in /tmp/hostname-keystore.p12 -passin pass:password \
   -nocerts -out /opt/cloudera/security/pki/hostname.key -passout pass:password
To generate a key without a password, use this version of the command:
  $ openssl rsa -in /tmp/hostname-keystore.p12 -passin pass:password \
   -nocerts -out /opt/cloudera/security/pki/hostname.pem

Converting PEM Key and Certificate to JKS

Replace hostname in the commands below with the FQDN of the host whose certificate is being imported.

  1. Convert the openssl private key and certificate files into a PKCS12 file.
    $ openssl pkcs12 -export -in /opt/cloudera/security/pki/hostname.pem \
    -inkey /opt/cloudera/security/pki/hostname.key -out /tmp/hostname.p12 \
    -name hostname -passin pass:password -passout pass:password
  2. Import the PKCS12 file into the Java keystore.
    $ keytool -importkeystore -srckeystore /tmp/hostname.p12 -srcstoretype PKCS12 \
    -srcstorepass password -alias hostname -deststorepass password \
    -destkeypass password -destkeystore /opt/cloudera/security/jks/hostname-keystore.jks