I have a Java SSL server to which I want my Java SSL client and C++ SSL client to be able to connect. The Java client connects without issues. Now I want to have my C++ SSL client to be able to connect. So for this purpose ,I imagined, that I want to export the serverpub.jks to an .pem file so that my C++ client can load it into its ssl context. But this is not working.

我有一个 Java SSL 服务器，我希望我的 Java SSL 客户端和 C++ SSL 客户端能够连接到它。Java 客户端连接没有问题。现在我想让我的 C++ SSL 客户端能够连接。因此，出于这个目的，我想我想将 serverpub.jks 导出到 .pem 文件，以便我的 C++ 客户端可以将其加载到其 ssl 上下文中。但这是行不通的。

Below is a description of how I created the jks keystores for Java client and server and then how I am trying to export the serverpub.jks to .pem file.

下面描述了我如何为 Java 客户端和服务器创建 jks 密钥库，以及我如何尝试将 serverpub.jks 导出到 .pem 文件。

step 1: Generate the Client and Server Keystores

步骤 1：生成客户端和服务器密钥库

c:\keytool -genkeypair -alias myserverkeys -keyalg RSA -dname "CN=my Server,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore server.jks -storepass password
c:\keytool -genkeypair -alias myclientkeys -keyalg RSA -dname "CN=my Client,OU=kl2217,O=kl2217org,L=NYC,ST=NY,C=US" -keypass password -keystore myclient.jks -storepass password

step 2: Export the server public certificate and create a seperate keystore

第 2 步：导出服务器公共证书并创建单独的密钥库

c:\keytool -exportcert -alias myserverkeys -file serverpub.cer -keystore myserver.jks -storepass spacex
c:\keytool -importcert -keystore serverpub.jks -alias serverpub -file serverpub.cer -storepass password

step 3: Export the client public certificate and create a seperate keystore

第 3 步：导出客户端公共证书并创建单独的密钥库

c:\keytool -exportcert -alias myclientkeys -file clientpub.cer -keystore myclient.jks -storepass spacey
c:\keytool -importcert -keystore clientpub.jks -alias clientpub -file clientpub.cer -storepass password

So far so good.

到现在为止还挺好。

Now here is where I run into problems.

现在这是我遇到问题的地方。

step 4: Convert serverpub.jks to .pem format

第 4 步：将 serverpub.jks 转换为 .pem 格式

c:\keytool -importkeystore -srckeystore serverpub.jks -destkeystore serverpub.p12 -srcstoretype jks -deststoretype pkcs12

And the reply

和回复

Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Problem importing entry for alias serverpub: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias serverpub not imported.
Do you want to quit the import process? [no]:

What does this mean? What am I doing wrong?

这是什么意思？我究竟做错了什么？

step 5: Would have been

第 5 步：本来是

c:\openssl pkcs12 -in serverpub.p12 -out serverpub.pem

But as you can see I couldn't get that far.

但正如你所看到的，我不能走那么远。

I would really appreciate some help understanding how to do this right.

我真的很感激一些帮助理解如何正确地做到这一点。

Thanks

谢谢