Converting a Java Keystore into PEM Format
It's pretty straightforward, using jdk6 at least...
bash$ keytool -keystore foo.jks -genkeypair -alias foo \ -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'Enter keystore password: Re-enter new password: Enter key password for (RETURN if same as keystore password): bash$ keytool -keystore foo.jks -exportcert -alias foo | \ openssl x509 -inform der -textEnter keystore password: asdasdCertificate: Data: Version: 3 (0x2) Serial Number: 1237334757 (0x49c03ae5) Signature Algorithm: dsaWithSHA1 Issuer: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com Validity Not Before: Mar 18 00:05:57 2009 GMT Not After : Jun 16 00:05:57 2009 GMT Subject: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com Subject Public Key Info: Public Key Algorithm: dsaEncryption DSA Public Key: pub: 00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14: 7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7: bash$ keytool -importkeystore -srckeystore foo.jks \ -destkeystore foo.p12 \ -srcstoretype jks \ -deststoretype pkcs12Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias foo successfully imported.Import command completed: 1 entries successfully imported, 0 entries failed or cancelledbash$ openssl pkcs12 -in foo.p12 -out foo.pemEnter Import Password:MAC verified OKEnter PEM pass phrase:Verifying - Enter PEM pass phrase:bash$ openssl x509 -text -in foo.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1237334757 (0x49c03ae5) Signature Algorithm: dsaWithSHA1 Issuer: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com Validity Not Before: Mar 18 00:05:57 2009 GMT Not After : Jun 16 00:05:57 2009 GMT Subject: C=AU, ST=Victoria, L=Melbourne, CN=foo.example.com Subject Public Key Info: Public Key Algorithm: dsaEncryption DSA Public Key: pub: 00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14: 7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7: bash$ openssl dsa -text -in foo.pemread DSA keyEnter PEM pass phrase:Private-Key: (1024 bit)priv: 00:8f:b1:af:55:63:92:7c:d2:0f:e6:f3:a2:f5:ff: 1a:7a:fe:8c:39:ddpub: 00:e2:66:5c:e0:2e:da:e0:6b:a6:aa:97:64:59:14: 7e:a6:2e:5a:45:f9:2f:b5:2d:f4:34:27:e6:53:c7:
You end up with:
- foo.jks - keystore in java format.
- foo.p12 - keystore in PKCS#12 format.
- foo.pem - all keys and certs from keystore, in PEM format.
(This last file can be split up into keys and certificates if you like.)
Command summary - to create JKS keystore:
keytool -keystore foo.jks -genkeypair -alias foo \ -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'
Command summary - to convert JKS keystore into PKCS#12 keystore, then into PEM file:
keytool -importkeystore -srckeystore foo.jks \ -destkeystore foo.p12 \ -srcstoretype jks \ -deststoretype pkcs12openssl pkcs12 -in foo.p12 -out foo.pem
if you have more than one certificate in your JKS keystore, and you want to only export the certificate and key associated with one of the aliases, you can use the following variation:
keytool -importkeystore -srckeystore foo.jks \ -destkeystore foo.p12 \ -srcalias foo \ -srcstoretype jks \ -deststoretype pkcs12openssl pkcs12 -in foo.p12 -out foo.pem
Command summary - to compare JKS keystore to PEM file:
keytool -keystore foo.jks -exportcert -alias foo | \ openssl x509 -inform der -textopenssl x509 -text -in foo.pemopenssl dsa -text -in foo.pem
I kept getting errors from openssl
when using StoBor's command:
MAC verified OKError outputting keys and certificates139940235364168:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535:139940235364168:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:139940235364168:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
For some reason, only this style of command would work for my JKS file
keytool -importkeystore -srckeystore foo.jks \ -destkeystore foo.p12 \ -srcstoretype jks \ -srcalias mykey \ -deststoretype pkcs12 \ -destkeypass DUMMY123
The key was setting destkeypass
, the value of the argument did not matter.
Direct conversion from jks to pem file using the keytool
keytool -exportcert -alias selfsigned -keypass password -keystore test-user.jks -rfc -file test-user.pem