
Convert private SSL key from JKS to PEM format

This post is older than a year. Consider that some information might not be accurate anymore.

I faced the situation that I had to create a CSR.

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.

Wikipedia, 2016-08-10

To create a CSR you need a private key. My problem was that there is an existing key stored in a Java keystore (JKS). This post describes how to extract it and store it in PEM format.

The private key itself is password protected, so keep in mind that after every command I needed to enter the password.

Check keystore contents

vinh@omega:~/certs> keytool -list -keystore omega.jks
Enter keystore password:
*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
1, Jul 20, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 52:F1:B4:B3:85:84:33:28:D7:39:A1:B1:1E:76:18:FD:63:1B:05:8B

The next step is to convert the keystore to PKCS12 format, which openssl can then convert to PEM format.

vinh@omega:~/certs> keytool -importkeystore -srckeystore omega.jks -destkeystore omega.p12 -deststoretype PKCS12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Use openssl to convert it into pem.

vinh@omega:~/certs> openssl pkcs12 -in omega.p12 -out omega.pem

Et voila:

vinh@omega:~/certs> ll
total 28
-rwxrwxrw- 1 vinh vinh  2296 Jul 23  2015 ca-certs.jks
-rwxrwxrw- 1 vinh vinh  2947 Jul 20  2015 omega.jks
-rw-r--r-- 1 vinh vinh  3562 Aug  9 17:36 omega.p12
-rw-r--r-- 1 vinh vinh  3562 Aug  9 17:37 omega.pem
-rwxrwxrw- 1 vinh vinh 15426 Jan 29  2016 trust.jks

EDIT: Just use the shortcut. Note that keytool -exportcert writes only the certificate to omega.pem, not the private key:

vinh@omega:~/certs> keytool -exportcert -rfc -file omega.pem -keystore omega.jks -alias 1
Enter keystore password:
Certificate stored in file <omega.pem>
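The two routes above leave different things in omega.pem, and the directory listing shows the file as -rw-r--r--. The following script is an added example, not part of the original post: it reports which PEM blocks a file contains, whether a private key in it is stored in the clear, and whether group or others have access. The function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example: audit a PEM file written by "openssl pkcs12 -out"
# or "keytool -exportcert -rfc". Function names are hypothetical.

# Print the label of every PEM block in the file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed if the file contains any private key block.
has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY$'
}

# Succeed if a key block is stored in the clear: a key label other than
# PKCS#8 "ENCRYPTED PRIVATE KEY", and no traditional-format
# "Proc-Type: 4,ENCRYPTED" header anywhere in the file.
has_plaintext_key() {
    pem_labels "$1" | grep 'PRIVATE KEY$' | grep -qv '^ENCRYPTED PRIVATE KEY$' &&
        ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if group and others have no permission bits on the file
# (characters 5-10 of the ls mode string).
is_owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Exit status: 0 = key present and protected, 1 = key exposed, 2 = no key.
audit_pem() {
    audit_rc=0
    if ! has_private_key "$1"; then
        echo "$1: certificate only, no private key; cannot sign a CSR"
        return 2
    fi
    if has_plaintext_key "$1"; then
        echo "$1: private key is stored without a passphrase"
        audit_rc=1
    fi
    if ! is_owner_only "$1"; then
        echo "$1: group/other permission bits set; chmod 600 \"$1\""
        audit_rc=1
    fi
    if [ "$audit_rc" -eq 0 ]; then echo "$1: ok"; fi
    return "$audit_rc"
}

# Audit every file named on the command line, e.g.: sh audit_pem.sh omega.pem
for pem_file in "$@"; do
    audit_pem "$pem_file" || true
done
```

Running umask 077 before the keytool and openssl commands makes omega.p12 and omega.pem owner-only from the moment they are created.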