How can I export my private key from a Java Keytool keystore?

  • I would like to export my private key from a Java Keytool keystore, so I can use it with openssl. How can I do that?

  • Use Java keytool to convert from JKS to P12...

    Export from keytool's proprietary format (called "JKS") to standardized format PKCS #12:

    keytool -importkeystore \
        -srckeystore keystore.jks \
        -destkeystore keystore.p12 \
        -deststoretype PKCS12 \
        -srcalias <jkskeyalias> \
        -deststorepass <password> \
        -destkeypass <password>

    ...then use openssl to export from P12 to PEM

    Export certificate using openssl:

    openssl pkcs12 -in keystore.p12  -nokeys -out cert.pem

    Export unencrypted private key:

    openssl pkcs12 -in keystore.p12  -nodes -nocerts -out key.pem

    What does `-nodes` means?

    "No DES", i.e. to not encrypt the private key that will be saved to `key.pem`.

    I did as described in this answer, but somehow my exported private key is just an empty file? What gives?

    Just take a look at the output of `openssl pkcs12 -in keystore.p12`, what is present in that output?

    `key.pem` starts with `Bag Attributes...`, which my appliances didn't like. I had to add an extra command at the end: `openssl rsa -in -key.pem -out key2.pem`, so that the key would be in the PEM format my appliance required.

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM