Java - Export a certificate from a keystore or truststore using the Java keytool command

If you are not familiar with the Java keytool command, check out our Getting Started article.

Before exporting a certificate from a keystore file, you will want to determine the keystore type, which is typically JKS or PKCS12. The Java keytool command with the -list option can be used to determine the keystore type.

keytool -list -keystore "/path/to/keystore"

Which should return something like this. In this example, the keystore type is PKCS12.

Keystore type: PKCS12

The same listing also shows, for each alias, whether the entry being exported is a trustedCertEntry or a PrivateKeyEntry. You will want to determine which it is, because the export steps differ.

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

foo.example.com, Aug 21, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 1E:0C:EB:DC:CA:E3:DC:16:76:77:EE:BE:91:9B:43:3D:9D:10:15:8E
bar.example.com, Oct 14, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 8A:7B:10:43:A1:BE:78:D0:CF:12:9F:02:8C:99:F2:3D:1A:69:81:1D

trustedCertEntry

Here is how you would export a trustedCertEntry.

  • trustedCertEntry typically contains only the root certificate authority (CA) certificate but may contain the public certificates that make up the certificate chain (the root certificate authority (CA) certificate, the intermediate certificate authority (CA) certificate, and the server certificate). A trustedCertEntry does not contain a private key.

keytool -export -keystore "/path/to/keystore" -storetype pkcs12 -storepass "keystore_password" -alias "alias name" -file "example.crt"

If the export is successful, the following should be displayed.

Certificate stored in file <example.crt>

OpenSSL can be used to view the certificate data. This works as written for a text (PEM) export; if the file was exported in binary (DER) form, add -inform DER.

openssl x509 -in example.crt -text -noout

PrivateKeyEntry

If the entry you want to export is a PrivateKeyEntry, and the source file is in the JKS format, you will first need to export the PrivateKeyEntry into a PKCS12 file.

  • PrivateKeyEntry contains a private key and typically the public certificates that make up the certificate chain (the root certificate authority (CA) certificate, the intermediate certificate authority (CA) certificate, and the server certificate).

keytool -importkeystore \
  -srckeystore "foo.certificates" \
  -srcalias "foo.example.com" \
  -destkeystore "foo.certificates.p12" \
  -deststoretype PKCS12 \
  -deststorepass itsasecret \
  -destkeypass itsasecret

Then OpenSSL can be used to convert the exported .p12 file into a .pem file. The -nodes option is used so that the private key is written to the .pem file unencrypted.

openssl pkcs12 -in foo.certificates.p12 -out foo.certificate.pem -nodes
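Putting the steps above together, here is an added example script (not part of this article) that reads keytool -list output, works out the keystore type and the entry type of an alias, and emits the keytool/openssl commands described above for that entry type. The listing is a constructed sample mirroring the output shown earlier; the keystore path, passwords and output names passed to export_plan are placeholders. The -srcstoretype, -srcstorepass and -passin options it adds are standard keytool/openssl options not shown in the article; they let the commands run without interactive prompts. The script only prints the commands so you can review them before running them.

```shell
#!/bin/sh
# Added example, not from the FreeKB article: read "keytool -list" output,
# work out the keystore type and the entry type of an alias, and emit the
# keytool/openssl commands the article uses for that entry type.
# SAMPLE_LISTING is a constructed sample mirroring the article's output;
# the keystore path, passwords and output names given to export_plan are
# placeholders.

SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

foo.example.com, Aug 21, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 1E:0C:EB:DC:CA:E3:DC:16:76:77:EE:BE:91:9B:43:3D:9D:10:15:8E
bar.example.com, Oct 14, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 8A:7B:10:43:A1:BE:78:D0:CF:12:9F:02:8C:99:F2:3D:1A:69:81:1D'

# keystore_type LISTING -> prints JKS or PKCS12 (the "Keystore type:" line).
keystore_type() {
    printf '%s\n' "$1" | sed -n 's/^Keystore type: *//p' | head -n 1
}

# entry_type LISTING ALIAS -> prints trustedCertEntry or PrivateKeyEntry,
# or nothing when the alias is not listed. keytool prints one comma-separated
# line per entry: alias, date, entry type. (An alias containing a comma would
# need a different split.)
entry_type() {
    printf '%s\n' "$1" | awk -F, -v name="$2" '
        $1 == name { sub(/^ +/, "", $4); sub(/ +$/, "", $4); print $4; exit }'
}

# export_plan LISTING KEYSTORE ALIAS STOREPASS OUTBASE
# Prints the command(s) to run; returns 1 when the alias is not in the listing.
export_plan() {
    listing=$1; keystore=$2; name=$3; storepass=$4; out=$5
    stype=$(keystore_type "$listing")
    case $(entry_type "$listing" "$name") in
        trustedCertEntry)
            # Public certificate only; -rfc writes PEM text instead of binary DER.
            printf 'keytool -export -rfc -keystore "%s" -storetype %s -storepass "%s" -alias "%s" -file "%s.crt"\n' \
                "$keystore" "$stype" "$storepass" "$name" "$out"
            ;;
        PrivateKeyEntry)
            # keytool cannot export a private key directly: copy the entry into a
            # PKCS12 store, then let openssl write key and chain as PEM (-nodes
            # leaves the key unencrypted in the .pem file).
            printf 'keytool -importkeystore -srckeystore "%s" -srcstoretype %s -srcstorepass "%s" -srcalias "%s" -destkeystore "%s.p12" -deststoretype PKCS12 -deststorepass "%s" -destkeypass "%s"\n' \
                "$keystore" "$stype" "$storepass" "$name" "$out" "$storepass" "$storepass"
            printf 'openssl pkcs12 -in "%s.p12" -out "%s.pem" -nodes -passin pass:"%s"\n' \
                "$out" "$out" "$storepass"
            ;;
        *)
            echo "alias not found in listing: $name" >&2
            return 1
            ;;
    esac
}

# Demo run over both sample aliases (placeholder keystore path and password).
for a in foo.example.com bar.example.com; do
    echo "# $a ($(entry_type "$SAMPLE_LISTING" "$a")):"
    export_plan "$SAMPLE_LISTING" /path/to/keystore "$a" keystore_password "$a"
done
```

To use it against a real keystore, capture the listing with `listing=$(keytool -list -keystore /path/to/keystore)` and pass that variable in place of SAMPLE_LISTING; the emitted commands can then be pasted or piped to sh once reviewed.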

Binary vs. Text (base64)

Sometimes, when you export a certificate, the exported file will contain binary (DER-encoded) data. Using the cat command (on Linux) to view the content of a file that contains binary data will probably return mumbo jumbo, something like this.

~]# cat foo.file
h++-://c_+.+h_i+e++.c-+/ce_+e+_-+

 

The -rfc flag can be used to ensure the file is exported as base64-encoded text (PEM format) rather than binary.

keytool -export -keystore "/path/to/keystore" -storetype pkcs12 -storepass "keystore_password" -alias "alias name" -file "example.crt" -rfc
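As an added example (not from this article), the script below checks whether an exported file is binary DER or base64 PEM text before you try to cat it or hand it to OpenSSL, and counts how many certificate blocks a PEM export contains (a chain export has more than one). The sample files it writes are constructed placeholders, not real certificates; the check relies only on the PEM BEGIN header and on the fact that every DER-encoded X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30.

```shell
#!/bin/sh
# Added example, not from the FreeKB article: tell whether an exported
# certificate file is binary DER (keytool -export default) or base64 PEM
# text (keytool -export -rfc), and count the certificates in a PEM file.
# The sample files are constructed here and are not real certificates.

SAMPLE_DIR=${TMPDIR:-/tmp}/cert-format-demo.$$
mkdir -p "$SAMPLE_DIR"

# Constructed PEM export with two certificate blocks, as a chain export has.
# The base64 bodies are placeholders, not real certificate data.
cat > "$SAMPLE_DIR/chain.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
EOF

# Constructed DER export: a DER X.509 certificate begins with an ASN.1
# SEQUENCE tag (0x30) followed by its length; the remaining bytes are filler.
printf '\060\202\001\263\060\202\001\131' > "$SAMPLE_DIR/binary.crt"

# A text file that is neither.
printf 'not a certificate\n' > "$SAMPLE_DIR/notes.txt"

# cert_format FILE -> prints PEM, DER or UNKNOWN.
cert_format() {
    f=$1
    # PEM: first line is the BEGIN header ("$" left off so CRLF files still match).
    if head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        echo PEM
    # DER: first byte is the SEQUENCE tag 0x30.
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = 30 ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# pem_cert_count FILE -> number of certificate blocks (0 for a DER file).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || :
}

# cleanup_samples -> remove the constructed files.
cleanup_samples() {
    rm -rf "$SAMPLE_DIR"
}

# Demo: report each sample file.
for f in "$SAMPLE_DIR"/chain.crt "$SAMPLE_DIR"/binary.crt "$SAMPLE_DIR"/notes.txt; do
    printf '%s: %s, %s certificate block(s)\n' "$(basename "$f")" \
        "$(cert_format "$f")" "$(pem_cert_count "$f")"
done
```

Run `cert_format example.crt` on a real export: DER means the file came from keytool -export without -rfc and needs -inform DER (or a re-export with -rfc) before openssl x509 will read it as text; call cleanup_samples when you are done with the demo files.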
