nginx: converting SSL certificates between formats (JKS to PEM, KEY, CRT)

1. Export to PKCS12 format with keytool:

keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12

输入目标密钥库口令:

再次输入新口令:

输入源密钥库口令:

已成功导入别名 ca_root 的条目。

已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

2. Generate the PEM file (contains the key, the server certificate and the CA certificate):

Generate a PEM file with the key encrypted

$ openssl pkcs12 -in server.p12 -out server.pem

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

Generate a PEM file with the key unencrypted

$ openssl pkcs12 -nodes -in server.p12 -out server.pem

Enter Import Password:

MAC verified OK

Export the key on its own:

Generate an encrypted key

$ openssl pkcs12 -in server.p12 -nocerts -out server.key

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

Generate an unencrypted key

$ openssl pkcs12 -in server.p12 -nocerts -nodes -out server.key

Enter Import Password:

MAC verified OK

Export the server certificate on its own:

$ openssl pkcs12 -in server.p12 -nokeys -clcerts -out server.crt

Enter Import Password:

MAC verified OK

Export the CA certificate on its own:

$ openssl pkcs12 -in server.p12 -nokeys -cacerts -out ca.crt

Enter Import Password:

MAC verified OK

Nginx server configuration

server {

listen 443 ssl;

server_name www.yourdomain.net;

access_log /path_to_log/access.log;

error_log /path_to_log/error.log;


ssl_certificate      /path_to_certificate/server.crt;

ssl_certificate_key  /path_to_key/new/server.key;


ssl_session_timeout 1m;

# SSLv2 and SSLv3 are broken protocols and stay disabled

ssl_protocols TLSv1.2;

#ssl_ciphers  HIGH:!aNULL:!MD5;

# RC4, 3DES and MD5 suites removed from the list

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:AES128-SHA:AES256-SHA;

ssl_prefer_server_ciphers  on;

***

}
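
Before pointing ssl_certificate and ssl_certificate_key at the exported files, it is worth confirming that they belong together. The following is an added example, not part of the original post: it runs the unencrypted-key and server-certificate exports non-interactively and checks that both files carry the same public key. The function names, the password changeit and the subject example.test are assumptions, and the sample PKCS12 file is constructed.

```shell
#!/bin/sh
# Added example: function names, password and subject are constructed.

# Succeeds only if the private key and the certificate hold the same public key.
key_matches_cert() {   # args: key file, certificate file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Export an unencrypted key and the server certificate from a PKCS12 file,
# using the same -nocerts -nodes and -nokeys -clcerts options as above.
# "pass:" on the command line is for this demo only; -passin env:VAR or
# file:PATH keeps the password out of the process list.
export_for_nginx() {   # args: p12 file, import password, output directory
    ( umask 077        # the unencrypted key is owner-only from creation
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
          -out "$3/server.key" 2>/dev/null &&
      openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
          -out "$3/server.crt" 2>/dev/null )
}

# Build a constructed, throwaway PKCS12 file so the example runs offline.
make_sample_p12() {    # args: work directory, password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout "pass:$2" -out "$1/server.p12" 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_p12 "$work" changeit &&
    export_for_nginx "$work/server.p12" changeit "$work" &&
    key_matches_cert "$work/server.key" "$work/server.crt"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo && echo "server.key matches server.crt"
```

On real files, key_matches_cert /path_to_key/new/server.key /path_to_certificate/server.crt returns 0 when the pair matches, 1 on a mismatch and 2 when either file cannot be parsed.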
