FreeKB - Java Keystore keytool export command (Export a certificate)
Java Keystore - keytool export command (Export a certificate)

If you are not familiar with the Java keytool command, check out our Getting Started article.

Before exporting a certificate from a keystore file, you will want to determine the keystore type, which is typically JKS or PKCS12. The Java keytool command with the -list option can be used to determine the keystore type.

keytool -list -keystore "/path/to/keystore"


Which should return something like this. In this example, the keystore type is PKCS12.

Keystore type: PKCS12


You will also want to determine if the entry being exported is a trustedCertEntry or a PrivateKeyEntry.

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries, Aug 21, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 1E:0C:EB:DC:CA:E3:DC:16:76:77:EE:BE:91:9B:43:3D:9D:10:15:8E, Oct 14, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 8A:7B:10:43:A1:BE:78:D0:CF:12:9F:02:8C:99:F2:3D:1A:69:81:1D




Here is how you would export a trustedCertEntry.

keytool -export -keystore "/path/to/keystore" -storetype pkcs12 -storepass "keystore_password" -alias "alias name" -file "example.crt"


If the export is successful, the following should be displayed.

Certificate stored in file <example.crt>


OpenSSL can be used to view the certificate data.

openssl x509 -in example.crt -text -noout 



If the entry you want to export is a PrivateKeyEntry, and the source file is in the JKS format, you will first need to export the PrivateKeyEntry into a PKCS12 file.

-srckeystore "foo.certificates"
-srcalias ""
-destkeystore "foo.certificates.p12"
-deststoretype PKCS12 
-deststorepass itsasecret
-destkeypass itsasecret


Then OpenSSL can be used to convert the exported .p12 file into a .pem file.

openssl pkcs12 -in foo.certificates.p12 -out foo.certificate.pem


Binary vs. Text (base64)

Sometimes, when you export a certificate, the exported file will contain binary. Using the cat command (on Linux) to view the content of a files that contains binary will  probably return mumbo jumbo, something like this.

~]# cat foo.file


The -rfc flag can be used to ensure the file is exported as text.

keytool -export -keystore "/path/to/keystore" -storetype pkcs12 -storepass "keystore_password" -alias "alias name" -file "example.crt" -rfc


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 9262e in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |