PKI Tutorials - Herong's Tutorial Examples
Dr. Herong Yang, Version 2.00

Exporting a Private Key from a KeyStore File

This section provides a tutorial example on how to export a private key from a JDK KeyStore file by converting the KeyStore file to a PKCS12 file, then exporting the private key using the OpenSSL 'pkcs12' command.

I am ready to perform the last step now.

Step 4 - Herong, as the CA administrator, issues or signs the personal certificate for Amy.

To sign a personal certificate, I need to use the OpenSSL "x509" command, which requires my private key stored in a PEM key file.

Remember that my private-public key pair was created by the JDK "keytool" command and stored in the KeyStore file, herong.jks. The simplest way to export my private key from herong.jks is to use a two-step process:

1. Transfer my private-public key pair from the KeyStore file to a PKCS12 file:

C:\herong>\local\jdk\bin\keytool -importkeystore ^
   -srckeystore herong.jks -srcstoretype jks -srcstorepass HerongJKS ^
   -srcalias herongyang.com -srckeypass HerongJKS ^
   -destkeystore herong.p12 -deststoretype pkcs12 ^
   -deststorepass HerongP12 ^
   -destalias 1 -destkeypass HerongP12

C:\herong>\local\jdk\bin\keytool -list -keystore herong.p12 ^
   -storetype pkcs12 -storepass HerongP12

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, Mar, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 1F:BA:FC:DE:25:4A:E6:27:A4:92:9D:82...

2. Export my private key from the PKCS12 file to a PEM key file:

C:\herong>\local\gnuwin32\bin\openssl pkcs12 -in herong.p12 ^
   -passin pass:HerongP12 -nocerts -out herong_key.pem -des ^
   -passout pass:HerongKey

MAC verified OK

C:\herong>type herong_key.pem

Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 32 39 39 33 33 36 32 30 34 34 30 36 
Key Attributes: <No Attributes>
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,70621722F97A4922

JVM1ukkEmKz+gRGHfEcyEYJYwHDdoym2PXRKNzHhr3N0U1JrDxtBJ4It/CfhW01q
...
W5A/CET6RSRRclkloObItSpdmlwm31i0
-----END DSA PRIVATE KEY-----
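
The "-des" option above protects herong_key.pem with single DES, as the "DEK-Info: DES-CBC" header shows. The following Python script is an added example, not part of the original tutorial: it parses the headers of such a PEM key file and the localKeyID bag attribute written by keytool, and reports how the key is protected. The function name inspect_pem_key and its weak-cipher policy are assumptions of this example.

```python
import re

# Output of "type herong_key.pem" as shown on this page; the base64 body is
# elided ("...") there as well, and this parser never decodes it.
SAMPLE = """\
Bag Attributes
    friendlyName: 1
    localKeyID: 54 69 6D 65 20 31 32 39 39 33 33 36 32 30 34 34 30 36
Key Attributes: <No Attributes>
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,70621722F97A4922

JVM1ukkEmKz+gRGHfEcyEYJYwHDdoym2PXRKNzHhr3N0U1JrDxtBJ4It/CfhW01q
...
W5A/CET6RSRRclkloObItSpdmlwm31i0
-----END DSA PRIVATE KEY-----
"""

def inspect_pem_key(text):
    """Report how a traditional-format (RSA/DSA/EC) PEM private key is protected."""
    begin = re.search(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$", text, re.M)
    if not begin:
        raise ValueError("no traditional-format PEM private key found")
    headers = {}
    for line in text[begin.end():].lstrip("\n").splitlines():
        if ":" not in line:   # blank line or base64 data: headers are over
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher, _, iv = headers.get("DEK-Info", "").partition(",")
    findings = []
    if not encrypted:
        findings.append("key is stored unencrypted")
    elif cipher == "DES-CBC" or cipher.startswith(("RC2", "RC4")):
        # Assumed policy of this example: single DES has only a 56-bit key.
        findings.append(f"{cipher} is too weak to protect a CA key")
    # keytool writes localKeyID as hex bytes; decode them to readable text.
    key_id = re.search(r"localKeyID:((?: [0-9A-Fa-f]{2})+)", text[:begin.start()])
    local_id = bytes.fromhex(key_id.group(1).replace(" ", "")) if key_id else b""
    return {"key_type": begin.group(1), "encrypted": encrypted,
            "cipher": cipher or None, "iv_hex": iv or None,
            "local_key_id": local_id.decode("ascii", "replace"),
            "findings": findings}

if __name__ == "__main__":
    print(inspect_pem_key(SAMPLE))
```

Replacing "-des" with "-aes256" in the "openssl pkcs12" command produces a file for which this check returns no findings.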

See the next section on how to sign Amy's certificate.

Dr. Herong Yang, updated in 2011