Exporting Private Key from Java Keytool Keystore: A Guide

The following tasks can be accomplished using the given tools: creating a self-signed certificate and keystore, creating a CSR certificate, deleting a certificate from keystore, adding a signed primary certificate to keystore, changing keystore password, listing keystore, and creating a private key. By using keytool, openssl, and PKCS#12 format as an intermediary stage, it is possible to convert an entire JKS into PEM format successfully.

Solution 1:

Use Java keytool to convert from JKS to P12…

Convert data from the exclusive format of keytool (known as “JKS”) to the commonly used PKCS #12 format.

keytool -importkeystore \
    -srckeystore keystore.jks \
    -destkeystore keystore.p12 \
    -deststoretype PKCS12

…then use openssl to export from P12 to PEM

Export the certificate:

openssl pkcs12 -in keystore.p12  -nokeys -out cert.pem

Export unencrypted private key:

openssl pkcs12 -in keystore.p12  -nodes -nocerts -out key.pem
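The same three commands wrapped with safer defaults, as an added example that is not part of the original answer: output files are created under umask 077, passwords are read from environment variables instead of the command line, and the exported key file is checked for plaintext key material. The names export_pem, pem_key_state, JKS_PASS and P12_PASS are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original answer. export_pem, pem_key_state,
# JKS_PASS and P12_PASS are names assumed for this sketch.

# Classify the private-key material in a PEM file written by openssl.
# Prints "plaintext", "encrypted" or "none".
pem_key_state() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { enc = 1; next }
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { inkey = 1; plain++; next }
        # Legacy PEM encryption is flagged on the line after BEGIN.
        inkey && /^Proc-Type: 4,ENCRYPTED/       { plain--; enc = 1 }
        { inkey = 0 }
        END { print (plain > 0 ? "plaintext" : (enc ? "encrypted" : "none")) }
    ' "$1"
}

# usage: JKS_PASS=... P12_PASS=... export_pem keystore.jks outdir
# umask 077 makes new files 0600 and new directories 0700; the passwords
# are read from the environment so they never appear in argv.
export_pem() {
    jks=$1
    out=$2
    (
        umask 077 &&
        mkdir -p "$out" &&
        keytool -importkeystore \
            -srckeystore "$jks" -srcstorepass:env JKS_PASS \
            -destkeystore "$out/keystore.p12" -deststoretype PKCS12 \
            -deststorepass:env P12_PASS &&
        openssl pkcs12 -in "$out/keystore.p12" -passin env:P12_PASS \
            -nokeys -out "$out/cert.pem" &&
        openssl pkcs12 -in "$out/keystore.p12" -passin env:P12_PASS \
            -nodes -nocerts -out "$out/key.pem"
    ) || return 1
    if [ "$(pem_key_state "$out/key.pem")" = plaintext ]; then
        echo "warning: $out/key.pem is an unencrypted private key" >&2
    fi
}
```

Dropping -nodes from the last openssl call makes it prompt for a passphrase and write an encrypted key, which pem_key_state then reports as "encrypted".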

Solution 2:

Starting from Java 6, it is possible to utilize keytool to import/export private keys into PKCS#12 files. It should be noted that this feature was not available in previous versions and requires the option -importkeystore to be enabled.

For example:

keytool -importkeystore -srckeystore existing-store.jks -destkeystore new-store.p12 -deststoretype PKCS12

The default Oracle/Sun security provider also recognizes the PKCS12 keystore type as a standard keystore type.

Solution 3:

Try “Keystore Explorer”

I share Bruno’s view that Keytool is an excellent tool for managing Java keystores. However, there exists another free tool, Keystore Explorer, which is both sophisticated and powerful.

I frequently use it and have never required an alternative.
