The following tasks can be accomplished using the given tools: creating a self-signed certificate and keystore, creating a CSR certificate, deleting a certificate from keystore, adding a signed primary certificate to keystore, changing keystore password, listing keystore, and creating a private key. By using keytool, openssl, and PKCS#12 format as an intermediary stage, it is possible to convert an entire JKS into PEM format successfully.
Use Java keytool to convert from JKS to P12…
Convert data from the exclusive format of
(known as “JKS”) to the commonly used PKCS #12 format.
…then use openssl to export from P12 to PEM
Export the certificate:
openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem
Export unencrypted private key:
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Starting from Java 6, it is possible to utilize
to import/export private keys into PKCS#12 (
) files. It should be noted that this feature was not available in previous versions and requires the option
to be enabled.
keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12
The default Oracle/Sun security provider also recognizes the
keystore type as a standard keystore type.
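The export steps above write an unencrypted private key to disk, so it helps to restrict the file's permissions from the moment it is created and to confirm that the exported key belongs to the exported certificate. The script below is an added example, not code from the original page. The function names and the P12_PASS environment variable (holding the keystore password) are assumptions of this example.

```shell
#!/bin/sh
# Added example: export cert and key from a PKCS#12 file, then verify the result.
# P12_PASS (environment variable holding the keystore password) and the
# function names are assumptions of this example.

# Step 1 from the page (needs a JDK; keytool prompts for the passwords).
jks_to_p12() {  # usage: jks_to_p12 existing-store.jks new-store.p12
    keytool -importkeystore -srckeystore "$1" -destkeystore "$2" -deststoretype PKCS12
}

# Succeeds only if the private key and the certificate share one public key.
key_matches_cert() {  # usage: key_matches_cert cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Step 2: export cert.pem and key.pem into outdir, then check them.
export_pem_checked() {  # usage: export_pem_checked keystore.p12 outdir
    (
        umask 077                      # key.pem is unencrypted: owner-only from creation
        mkdir -p "$2" || exit 2
        # env:P12_PASS keeps the password out of the process argument list.
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
            -out "$2/cert.pem" || exit 2
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes -nocerts \
            -out "$2/key.pem" || exit 2
        key_matches_cert "$2/cert.pem" "$2/key.pem" || exit 3
        # Fail if key.pem already existed with wider permissions than owner-only.
        [ "$(ls -l "$2/key.pem" | cut -c1-10)" = "-rw-------" ] || exit 4
    )
}

# Run the export when called as: script keystore.p12 outdir
if [ "$#" -eq 2 ]; then export_pem_checked "$1" "$2"; fi
```

Exit status 3 means the key and certificate do not match; 4 means key.pem is readable by someone other than its owner.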
Try “Keystore Explorer”
I share Bruno’s view that keytool is an excellent tool for managing Java keystores. However, there exists another free tool, Keystore Explorer, which is both sophisticated and powerful.
I frequently use it and have never required an alternative.