Use my OpenDJ keystore for an Apache web site

Put more precisely: how do I export the TLS key and cert from my OpenDJ directory to x509 format so it can be used by an Apache server with the same host name.

It turns out this isn’t nearly as hard to do as you’d think.

First of all, you’ll need to make sure you’re OpenDJ instance isn’t still using the default cert generated during installation. See my article on replacing that default OpenDJ cert here.

Exporting the key and certificate from OpenDJ’s keystore into their x509 counterparts is a two step process.

In this example we’ll image that $DSHOME is /usr/local/opendj, and the server name is (which may in fact be just a CNAME for the actual host).

1. Convert the keystore from JKS to PKCS#12 format. Keytool can’t export to x509 format. It can export to PKCS#12, which can then be converted to x509 using the openssl utility.

keytool -importkeystore \
-srckeystore $DSHOME/config/keystore \
-destkeystore ~/keystore.p12 \
-deststoretype PKCS12

Keytool will ask first for a password to assign to the new keystore, then for the existing keystore’s password (If you haven’t changed things from the Java default the password for the existing keystore will be “changeit”). The result of this command will be a new file called “keystore.p12”.

2. Extract the certificate and key from the PKCS#12 keystore into separate x509 formatted files. First the certificate:

openssl pkcs12 -in keystore.p12  -nokeys -out

Then the key:

openssl pkcs12 -in keystore.p12  -nodes -nocerts -out

Now you can take the resulting files ( and, and copy them into the directory where your Apache keys and certs are kept (on Red Hat systems this should be the common PKI directories, /etc/pki/tls/certs and /etc/pki/tls/private, respectively). Then simply point your Apache configuration at them (again, on Red Hat systems this should be in /etc/httpd/conf.d/ssl.conf alongside the SSLCertificateFile and SSLCertificateKeyFile directives).


Whenever possible I store my certs and keys in the common PKI directory for the system. This makes it easier to find them during recovery operations, maintenance or an audit.

After many years of using different conventions, I’ve finally settled on using the fully qualified host name for certificates and keys — rather than ldap.crt — because it leads to less confusion later on.

Many examples (including my own) will use the .pem file extension for x509 files, I’ve now adopted the .crt and .key extensions as simply more descriptive of the file’s function, and to be doubly sure they are immediately identifiable. Anyone who can’t figure out that a file beginning with the text “—–BEGIN PRIVATE KEY—–” is an x509 ASCII-Armored key file has bigger problems than having a format specific file name extension will solve.

This entry was posted in System Administration on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).