PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
Export Key Pair using "keytool -importkeystore"
This section provides a tutorial example on how to export a private/public key pair from a KeyStore file using the "keytool -importkeystore" command.
If you use "keytool" to generate a private/public key pair, it will be created with a self-signed certificate. Both the key pair and the certificate will be bundled together as a single "PrivateKeyEntry" in a KeyStore file.
There is no "keytool" command that directly extracts the private/public key pair out of a KeyStore file. You need to use the "keytool -importkeystore" command to extract the key-certificate bundle into a separate PKCS12 file first, and then use OpenSSL to parse that bundle file.
1. List entries in a KeyStore file.
herong$ keytool -list -keystore herong.jks -storepass HerongJKS
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 6 entries

my_copy, Nov 26, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1B:46:76:08:1B:F3:CA:68:FA:...
my_home, Nov 25, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FD:87:5A:8B:A6:61:B6:A4:33:...
my_home_2, Nov 26, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): FD:87:5A:8B:A6:61:B6:A4:33:...
my_intermediate, Nov 26, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B5:31:F6:73:52:ED:39:9B:80:...
my_root, Nov 26, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 9A:90:DA:7F:18:2B:0B:F4:D3:...
my_server, Nov 26, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 3A:6C:C7:77:60:25:44:C2:0C:...
2. Extract the "my_root" PrivateKeyEntry into a new KeyStore file. The "-deststoretype PKCS12" option is used so that the new KeyStore file is in PKCS12 format.
herong$ keytool -importkeystore -deststoretype PKCS12 \
  -srcalias my_root -destalias my_root \
  -srckeystore herong.jks -srcstorepass HerongJKS \
  -destkeystore root.jks -deststorepass TopSecret
3. Parse the private/public key pair out of the PKCS12 bundle file using the "openssl pkcs12" command. The "-nocerts" option leaves the certificate out of the output, so only the key is written.
herong$ openssl pkcs12 -in root.jks -passin pass:TopSecret \
  -out root-key.pem -passout pass:TopSecret -nocerts
4. Look at the key pair file.
herong$ more root-key.pem
Bag Attributes
    friendlyName: my_root
    localKeyID: 54 69 6D 65 20 31 37 33 32 36 37 35 34 33 35 39 32 34
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHDMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBDHbvAFwAUgWsRo2CbH
o4jhAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQlky+7fYjHk/l0ddX
mjYCxgRg2VHTv63YCpKryYZgo1Y/CTwpvu+s6N1F78xNkuhjQ8TCFk1VONSNcE2s
068Gi862o48RTQEJb6D6at46nuVW/Zija611GW6RtcKUKNGjTzk8fhm4f0tBwfdV
yn9qwwXo
-----END ENCRYPTED PRIVATE KEY-----
5. Parse out the private/public key pair without encryption. The "-noenc" option writes the key in plain (unencrypted) PKCS#8 form.
herong$ openssl pkcs12 -in root.jks -passin pass:TopSecret \
  -noenc -nocerts
Bag Attributes
    friendlyName: my_root
    localKeyID: 54 69 6D 65 20 31 37 33 32 36 37 35 34 33 35 39 32 34
-----BEGIN PRIVATE KEY-----
ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD0bIqUrILWeUt5hz27eXON
URfQeFT3sfsyeGLob4MUuL5zOSyplWX6T+jQ1nPW+Hk=
-----END PRIVATE KEY-----
Note that only newer versions of OpenSSL can parse PKCS12 bundle files created by the "keytool" command.
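The whole procedure above, as an added end-to-end example that is not part of the original tutorial: a POSIX shell script that builds a throwaway keystore, exports one PrivateKeyEntry the same way as steps 2 to 5, splits the PKCS12 bundle into key and certificate, and then checks that the extracted private key really belongs to the certificate (the check you want before reusing an exported key anywhere). The keystore name, alias and passwords are constructed for this example; "-noenc" needs OpenSSL 3.x, as the note above warns.

```shell
#!/bin/sh
# Added example: export a PrivateKeyEntry with keytool, then verify with OpenSSL.
set -eu

# Copy one alias out of the source keystore into a standalone PKCS12 file.
# Arguments: src_keystore src_storepass alias dest_p12 dest_storepass
export_entry() {
    keytool -importkeystore -deststoretype PKCS12 \
        -srckeystore "$1" -srcstorepass "$2" \
        -srcalias "$3" -destalias "$3" \
        -destkeystore "$4" -deststorepass "$5" -noprompt
}

# Split the PKCS12 bundle: unencrypted PKCS#8 key and the entry's own certificate.
# Arguments: p12_file p12_pass key_out_pem cert_out_pem
split_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -noenc -out "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$4"
}

# Succeed only if the public half of the key equals the certificate's public key
# (compares SHA-256 digests of both SubjectPublicKeyInfo structures in DER form).
# Arguments: key_pem cert_pem
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Demo: generate a constructed EC key pair with a self-signed certificate in a
# fresh keystore, export it, and verify. Argument: an empty working directory.
demo() {
    cd "$1"
    keytool -genkeypair -keyalg EC -keysize 256 -alias my_root \
        -dname "CN=demo root" -validity 30 \
        -keystore demo.jks -storepass DemoPass -keypass DemoPass
    export_entry demo.jks DemoPass my_root root.p12 TopSecret
    split_p12 root.p12 TopSecret root-key.pem root-cert.pem
    key_matches_cert root-key.pem root-cert.pem
}
```

Run "demo /tmp/somedir" and check its exit status; a non-zero status means the key in the bundle does not match the certificate that was exported with it.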