Saturday, May 28, 2011

How to export a private key to be used with ssldump

I used a keystore which is generated using java keytool, where my private key is stored; in order to be used in SSL communication that took place between a service hosted in Apache Tomcat and a sample client.

You can find a step by step guide for creating a keystore using java keytool from here.

Today I had the requirement of viewing the messages passed over SSL, using the ssldump.
Once again you can find a guide on ssl debugging with ssldump from here.

In one of the steps there, you will need to provide the server's private key in order for ssldump to decrypt the symmetric key exchanged between client and server and use it for decrypting the ssl traffic.

As I got to know, java keytool doesn't provide an easy way to export private key out of the keystore.
Out of the several ways I tried, keytool-iui helped me to achieve my requirement in a matter of seconds.

Hence, here I will keep a note on the steps I followed:

Step 1: Download the tool from here.

Step 2: Extract it and execute following command being at the 'ktl241sta' folder. (You can find it in readme file also)
java -jar rc15ktl.jar

Step 3: Then select and provide necessary information as shown in the image below:

  • Select Export -> Keystore's Entry->Private Key from left hand panel.
  • Under 'Source', provide the keystore file and password and the format, in this case, keystore is of jks file format.
  • Provide the relevant file locations where the private key and the certificate to be exported, under 'Target'. And the format required by ssldump is PEM.
That's it!. Now you can use this private key with ssldump to view ssl traffic.

On a side note, I also tried openssl to achieve the same, as I read in several places. But failed with the following error.
Error decrypting key
28838:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:759:

If you have any idea about the reason and if you have successfully achieve this with opensssl, please share with us as well...

Related post: