Java Tool Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 5.10

Exporting and Import Certificates

<< 'keytool' - Public Key Certificate Tool

<< Java Tool Tutorials - Herong's Tutorial Notes

This section provides a tutorial example on how to export certificates from and import certificates into 'keystore' files using 'keytool'.

In the second example, I want to export the certificate stored in the key entry to a certificate file, then import it back into the keystore as certificate entry: 

C:\herong>keytool -export -alias my_home -file my_home.crt 
   -keystore herong.jks -storepass HerongJKS

Certificate stored in file <my_home.crt>

C:\herong>keytool -printcert -file my_home.crt

Owner: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My Sta...
Issuer: CN=Herong Yang, OU=My Unit, O=My Home, L=My City, ST=My St...
Serial number: 407928a4
Valid from: Sat Jun 1 07:14:44 EDT 2002 until: Sat Aug 31 07:14:44...
Certificate fingerprints:
   MD5:  BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B:D1:99:79:55
   SHA1: AE:67:0C:C5:21:5C:F6:6F:45:33:9E:FB:8E:50:EA:32:32:D1:92:BB

C:\herong>keytool -import -alias my_home_crt -file my_home.crt
   -keystore herong.jks -storepass HerongJKS

Certificate already exists in keystore under alias <my_home>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

C:\herong>keytool -list -keystore herong.jks -storepass HerongJKS

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries:

my_home_crt, Sat Jun 1 12:25:46 EDT 2004, trustedCertEntry,
Certificate fingerprint (MD5): BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B...
my_home, Sat Jun 1 07:15:16 EDT 2002, keyEntry,
Certificate fingerprint (MD5): BE:D2:AF:4E:A7:44:13:08:16:4C:68:3B...

Looking good so far:

  • The "-export" command option exports the self-signed certificate of my public key into a file, my_home.crt.
  • The "-printcert" command option prints out summary information of a certificate stored in a file in X.509 format. As you can see from the print out, I am the issuer and the owner of this certificate.
  • The "-import" command option imports the certificate from the certificate file back into the keystore under different alias, my_home_crt.

Certificates can also be exported in a printable format: based on RFC 1421 specification, using the BASE64 encoding algorithm. 

C:\herong>keytool -export -alias my_home_crt -file my_home.rfc -rfc 
   -keystore herong.jks -storepass HerongJKS

Certificate stored in file <my_home.rfc>

type my_home.rfc
-----BEGIN CERTIFICATE-----
MIIDDTCCAssCBEB5KKQwCwYHKoZIzjgEAwUAMGwxCzAJBgNVBAYTAlVTMREwDwYDVQ...
dGF0ZTEQMA4GA1UEBxMHTXkgQ2l0eTEQMA4GA1UEChMHTXkgSG9tZTEQMA4GA1UECx...
dDEUMBIGA1UEAxMLSGVyb25nIFlhbmcwHhcNMDQwNDExMTExNDQ0WhcNMDQwNzEwMT...
MQswCQYDVQQGEwJVUzERMA8GA1UECBMITXkgU3RhdGUxEDAOBgNVBAcTB015IENpdH...
BAoTB015IEhvbWUxEDAOBgNVBAsTB015IFVuaXQxFDASBgNVBAMTC0hlcm9uZyBZYW...
ASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2US...
WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLCT7up1/63xhv4O1...
+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCou...
gYEA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgL...
FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkI...
BpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJdQsMlIf1nh4T/HZvVeltsrTGED118CkG...
ygy53OLwrSK+6ptJpXP8tPMn9YFVJ3eigJrMTaZvGyd40WRiYM6Woyj3T4H73LEKLD...
QeNYOAm8cp3l9ZQkNnmIA1P6CRR43EeAmdTUlK8y6RWTsrOiJMdDMAsGByqGSM44BA...
AhQ4zAUOPWe1wdiwye9XDsVPcKS1xwIUWTdok6RIeeCMRIytKwcTOo7/qpM=
-----END CERTIFICATE-----

Sections in This Chapter

Certificates and Certificate Chains

'keystore' - Public Key Certificate Storage File

JDK 1.5 'keytool' - keystore File Management Commands

JDK 1.6 'keytool' - keystore File Management Commands

Generating Key Pairs and Self-Signed Certificates

Exporting and Import Certificates

Cloning Certificates with New Identities

Dr. Herong Yang, updated in 2008
Exporting and Import Certificates