23 Aug 2016, 23:30

Export Certificate and Private key from JKS


I had to migrate web application written in Java to NodesJS,

Java web containers store certificates inside JKS Keystore where NodeJS requires certificate and private key in PEM format.

Exporting certificate directly from JKS is easy by using keytool, but exporting private key is not allowed, To export the private key using Java, we need to interact with the keystore by writing some custom code using the Keystore java API,

the other alternative is simply convert the JKS into a PKCS12 and export the certificate & key using openssl

Convert JKS to PKCS12 format:

keytool -importkeystore -srckeystore mykeystore.jks -destkeystore mykeystore.p12 -deststoretype PKCS12

Note: The -importkeystore parameter is only supported with the keytool that ships with Java ver 1.6+

you can view the content of the pkcs12 keystore by:

openssl pkcs12 -in mykeystore.p12

(Specifically look for the friendlyName that corresponds to the alias property of in JKS)

Export the certificate:

openssl pkcs12 -in mykeystore.p12 -nokeys -out cert.pem

Export the private key (unencrypted)

openssl pkcs12 -in mykeystore.p12  -nodes -nocerts -out key.pem

the -nodes means “No DES”, that is “do not encrypt the private key that will be exported to key.pem”

Make sure you keep the private key safe (recommended: chmod 600 key.pem)

comments powered by Disqus