Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Migrating Keys from 'keytool' to 'OpenSSL'

Part:   1  2  3  4 

(Continued from previous part...) - Dumping Private Keys Out of "keystore"

Since "keytool" can not be used to export the private and public key pair out of the keystore file, I wrote the following Java program,, to do this job:

 * Copyright (c) 2007 by Dr. Herong Yang,
public class DumpKey {
   static public void main(String[] a) {
      if (a.length<5) {
            "java DumpKey jks storepass alias keypass out");
      String jksFile = a[0];
      char[] jksPass = a[1].toCharArray();
      String keyName = a[2];
      char[] keyPass = a[3].toCharArray();
      String outFile = a[4];

      try {
         KeyStore jks = KeyStore.getInstance("jks");
         jks.load(new FileInputStream(jksFile), jksPass);
         Key key = jks.getKey(keyName, keyPass);
         System.out.println("Key algorithm: "+key.getAlgorithm());
         System.out.println("Key format: "+key.getFormat());
         System.out.println("Writing key in binary form to "

         FileOutputStream out = new FileOutputStream(outFile);
      } catch (Exception e) {

Notes on

  • The first step is to load the keystore file into "jks". I am assuming that the keystore type is "jks", which is the default type used by "keytool". Another type is "pkcs12".
  • The second step is to obtain the key from the specified key entry name. I am assuming that the specified entry is a PrivateKeyEntry, which contains two components: the key and the self-signed certificate.
  • The last step is to dump the key in the default encoding format. Note that the encoding format is still in a binary form.
  • Converting the output in Base64 encoding is not done, because JDK does not offer any Base64 classes.

I tried my program with my key pair stored in herong.jks as show below:


>java DumpKey herong.jks jkspass herong_key keypass herong_bin.key
Key algorithm: DSA
Key format: PKCS#8
Writing key in binary form to herong_bin.key

Excellent. I got my key pair dumped out of the keystore file into a binary PKCS#8 format.

Now I am ready to test my private and public key pair with "OpenSSL" as shown in the next section.

"OpenSSL" Converting Keys from Binary to PEM

Using my program, I managed to get a private and public key pair dumped out of the "keytool" keystore file into herong_bin.key. My program told me that this is a DSA key pair stored in binary PKCS# format.

I tried to view herong_bin.key as is with the "openssl dsa" command:

>openssl dsa -in herong_bin.key -text

read DSA key
unable to load Key
2228:error:0906D06C:PEM routines:PEM_read_bio:no start line:
pem_lib.c:632:Expecting: ANY PRIVATE KEY

Looks like "openssl dsa" command only understand PEM format which requires the key to be encoded in Base64 format. This can be done in two steps. First, use "openssl enc" command as shown below:

>openssl enc -in herong_bin.key -out herong.key -a

>type herong.key

Notes on what I did:

  • "openssl enc" command does various encryptions and encodings.
  • "-a" option applies Base64 encoding.
  • "-in herong_bin.key" option specifies the key in binary form.
  • "-out herong.key" option specifies encoded output file.
  • "type herong.key" command confirms that the key file is Base64 encoded.

(Continued on next part...)

Part:   1  2  3  4 

Dr. Herong Yang, updated in 2007
Cryptography Tutorials - Herong's Tutorial Notes - Migrating Keys from 'keytool' to 'OpenSSL'