Exporting Private Key from Java Keytool Keystore: A Guide

The following tasks can be accomplished using the given tools: creating a self-signed certificate and keystore, creating a CSR certificate, deleting a certificate from keystore, adding a signed primary certificate to keystore, changing keystore password, listing keystore, and creating a private key. By using keytool, openssl, and PKCS#12 format as an intermediary stage, it is possible to convert an entire JKS into PEM format successfully.


Solution 1:

Use Java keytool to convert from JKS to P12…

Convert data from the exclusive format of keytool (known as “JKS”) to the commonly used PKCS #12 format.

keytool -importkeystore \
    -srckeystore keystore.jks \
    -destkeystore keystore.p12 \
    -deststoretype PKCS12 \
    -srcalias <alias> \
    -deststorepass <password> \
    -destkeypass <password>

…then use openssl to export from P12 to PEM

Utilize openssl to generate and obtain the certificate for exporting.

openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem

Export unencrypted private key:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
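
The two steps above as one script, with a check that the exported certificate and key belong together. This is an added example, not part of the original answer; the function names, output file names, and the SRC_PASS / P12_PASS environment variables are assumptions, and it assumes the key password equals the JKS store password.

```sh
#!/bin/sh
# Added example (not from the original page). Assumptions: SRC_PASS and
# P12_PASS hold the JKS and PKCS#12 passwords, and the key password equals
# the JKS store password. Function and file names are hypothetical.

# JKS -> PKCS#12 for one alias. The :env modifier makes keytool read the
# password from an environment variable instead of the command line.
jks_to_p12() {  # jks_to_p12 <keystore.jks> <keystore.p12> <alias>
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JKS -srcalias "$3" \
        -srcstorepass:env SRC_PASS \
        -destkeystore "$2" -deststoretype PKCS12 \
        -deststorepass:env P12_PASS
}

# PKCS#12 -> cert.pem and unencrypted key.pem. The subshell umask makes
# newly created output files owner-only (0600).
p12_to_pem() {  # p12_to_pem <keystore.p12> <cert.pem> <key.pem>
    (
        umask 077
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -out "$2" &&
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes -nocerts -out "$3"
    )
}

# Succeeds only if the certificate's public key equals the one derived
# from the private key, i.e. the export produced a usable pair.
pem_pair_matches() {  # pem_pair_matches <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Driver: sh jks2pem.sh keystore.jks <alias>
if [ "$#" -eq 2 ]; then
    jks_to_p12 "$1" keystore.p12 "$2" &&
    p12_to_pem keystore.p12 cert.pem key.pem &&
    pem_pair_matches cert.pem key.pem &&
    echo "cert.pem and key.pem match"
fi
```

Once key.pem is in place, keystore.p12 is no longer needed for this procedure and can be deleted.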


Solution 2:


Starting from Java 6, it is possible to utilize keytool to import/export private keys into PKCS#12 (.p12) files. It should be noted that this feature was not available in previous versions and requires the option -importkeystore to be enabled.

For example:

keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12

The default Oracle/Sun security provider also recognizes the PKCS12 keystore type as a standard keystore type.


Solution 3:

Try “Keystore Explorer”


I share Bruno’s view that Keytool is an excellent tool for managing Java keystores. However, there exists another free tool, Keystore Explorer, which is both sophisticated and powerful.

I frequently use it and have never required an alternative.
