Thursday, January 28, 2016

Convert JKS into PEM using Keytool


Below are the steps to convert a JKS keystore file into CRT / PEM files (certificates and keys).

  1. Generate a PKCS12 file from the JKS keystore file:
    keytool -importkeystore -srckeystore <keystore.jks> -destkeystore <keystore.p12> -deststoretype PKCS12 -srcalias <aliasName> -deststorepass <password> -destkeypass <password>
    In the above, keystore.jks is the input keystore file,
             keystore.p12 is the output PKCS12 file,
             aliasName is the entry name in the keystore file,
             password is the password for the output file.
    Example:
    >keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias selfsigned -deststorepass password -destkeypass password
    Enter source keystore password:
  2. Now convert the PKCS12 format into PEM format:
    1. Generate certificate in pem format without private keys:
      >openssl pkcs12 -in <keystore.p12> -nokeys -out <cert.pem>
      In the above, keystore.p12 is the input file in PKCS12 format,
                     cert.pem is the output file in PEM format.
      Example:
      >openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem
      Enter Import Password:
      MAC verified OK
    2. Generate private key in pem format without certificate (-nodes writes the key unencrypted, so keep key.pem readable only by its owner):
      >openssl pkcs12 -in keystore.p12  -nodes -nocerts -out key.pem
      Enter Import Password:
      MAC verified OK
  3. Additionally convert the keystore jks file into CRT format:
    keytool -exportcert -file <keystore.crt> -keystore <keystore.jks> -alias <aliasName>
    In the above, keystore.jks is the input keystore JKS file,
                 aliasName is the entry name in the keystore file,
                 keystore.crt is the output CRT file (DER-encoded unless -rfc is given).
    Example:
    >keytool -exportcert -file keystore.crt -keystore keystore.jks -alias selfsigned
    Enter keystore password:
    Certificate stored in file <keystore.crt>
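
A post-conversion check for the cert.pem and key.pem files from step 2, as an added example that is not part of the original post: it strips the "Bag Attributes" text that openssl pkcs12 writes around each PEM block, flags an unencrypted key that group or others can read, and confirms the certificate and key share one public key. The function names and the check_pem.sh file name are illustrative, and a POSIX shell with openssl on the PATH is assumed.

```shell
#!/bin/sh
# Added example: checks for the cert.pem / key.pem written in step 2.
# Function names are illustrative; openssl must be on the PATH.

# Print only the PEM blocks, dropping the "Bag Attributes", "subject=" and
# "issuer=" text that openssl pkcs12 writes around them.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Succeed if the file holds a private key with no passphrase (the -nodes case).
key_is_plaintext() {
    grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" &&
        ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if group and others have no permission bits on the file.
key_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed if the certificate and the private key carry the same public key.
# Returns 2 when either file cannot be parsed.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_pem.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    pair_matches "$1" "$2" || { echo "certificate and key do not match" >&2; exit 1; }
    key_is_plaintext "$2" && ! key_is_owner_only "$2" &&
        echo "warning: unencrypted key is readable by group/others" >&2
    pem_only "$1" > "$1.clean" && echo "wrote $1.clean"
fi
```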