How do I list / export private keys from a keystore?

by

You can extract a private key from a keystore with Java6 and OpenSSL. This all depends on the fact that both Java and OpenSSL support PKCS#12-formatted keystores. To do the extraction, you first use keytool to convert to the standard format. Make sure you use the same password for both files (private key password, not the keystore password) or you will get odd failures later on in the second step.

keytool -importkeystore -srckeystore keystore.jks \
    -destkeystore intermediate.p12 -deststoretype PKCS12

Next, use OpenSSL to do the extraction to PEM:

openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes

You should be able to handle that PEM file easily enough; it’s plain text with an encoded unencrypted private key and certificate(s) inside it (in a pretty obvious format).

When you do this, take care to keep the files created secure. They contain secret credentials. Nothing will warn you if you fail to secure them correctly. The easiest method for securing them is to do all of this in a directory which doesn’t have any access rights for anyone other than the user. And never put your password on the command line or in environment variables; it’s too easy for other users to grab.

More Related Contents:

  1. How can I use different certificates on specific connections?
  2. Import PEM into Java Key Store
  3. Using a custom truststore in java as well as the default one
  4. Does Java support Let’s Encrypt certificates?
  5. java – path to trustStore – set property doesn’t work?
  6. What is Keystore?
  7. Using SSLContext with just a CA certificate and no keystore
  8. How to build a SSLSocketFactory from PEM certificate and key without converting to keystore?
  9. Java: Loading SSL Keystore via a resource
  10. Setting multiple truststore on the same JVM
  11. Can we load multiple Certificates & Keys in a Key Store?
  12. Https Connection Android
  13. How to handle invalid SSL certificates with Apache HttpClient? [duplicate]
  14. Ignoring SSL certificate in Apache HttpClient 4.3
  15. How to check certificate name and alias in keystore files?
  16. How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain
  17. Registering multiple keystores in JVM [duplicate]
  18. Simple Java HTTPS server
  19. SSLHandshakeException: No subject alternative names present
  20. Disable SSL certificate check in retrofit library
  21. Is it possible to get Java to ignore the “trust store” and just accept whatever SSL certificate it gets?
  22. Is it possible to change plain socket to SSLSocket?
  23. Java: Overriding function to disable SSL certificate check
  24. CertificateException: No name matching ssl.someUrl.de found
  25. Apache HTTPClient SSLPeerUnverifiedException
  26. Keytool Signing Problem: Keystore was tampered with, or password was incorrect
  27. javax.net.ssl.SSLPeerUnverifiedException: Host name does not match the certificate subject provided by the peer
  28. OkHttp javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified
  29. Java7 Refusing to trust certificate in trust store
  30. How to connect to a secure website using SSL in Java with a pkcs12 file?

Leave a Comment