1. Introduction

A Java KeyStore is a container of security certificates that we can use when writing Java code. Java KeyStores hold one or more certificates with their matching private keys and are created using keytool which comes with the JDK.

In this tutorial, we’ll convert a Java KeyStore into PEM (Privacy-Enhanced Mail) format using a combination of keytool and openssl. The steps will include using keytool to convert the JKS into a PKCS#12 KeyStore, and then openssl to transform the PKCS#12 KeyStore into a PEM file.

keytool is available with the JDK, and we can download openssl from the OpenSSL website.

2. File Formats

Java KeyStores are stored in the JKS file format. It’s a proprietary format that is specifically for use in Java programs. PKCS#12 KeyStores are non-proprietary and are increasing in popularity — from Java 9 onward, PKCS#12 is used as the default KeyStore format over JKS.

PEM files are also certificate containers — they encode binary data using Base64, which allows the content to be transmitted more easily through different systems. A PEM file may contain multiple instances, with each instance adhering to two rules:

  • A one-line header of -----BEGIN <label>-----
  • A one-line footer of -----END <label>-----

<label> specifies the type of the encoded message, common values being CERTIFICATE and PRIVATE KEY.

3. Converting an Entire JKS Into PEM Format

Let’s now go through the steps for converting all the certificates and private keys from a JKS into PEM format.

3.1. Creating the Java KeyStore

We’ll start by creating a JKS with a single RSA key pair:

keytool -genkey -keyalg RSA -v -keystore keystore.jks -alias first-key-pair

We’ll enter a KeyStore password at the prompt and enter information about the key pair.

For this example, we’ll create a second key pair as well:

keytool -genkey -keyalg RSA -v -keystore keystore.jks -alias second-key-pair

3.2. JKS to PKCS#12

The first step in the conversion process is to convert the JKS into PKCS#12 using keytool:

keytool -importkeystore -srckeystore keystore.jks \
   -destkeystore keystore.p12 \
   -srcstoretype jks \
   -deststoretype pkcs12

Again, we’ll answer the password prompts — one will ask for the password of the original JKS, and the other will ask us to create a password for the resulting PKCS#12 KeyStore.

Let’s check the output of running that command:

Entry for alias first-key-pair successfully imported.
Entry for alias second-key-pair successfully imported.
Import command completed:  2 entries successfully imported, 0 entries failed or cancelled

The result is a keystore.p12 KeyStore stored in PKCS#12 format.

3.3. PKCS#12 to PEM

From here, we’ll use openssl to encode keystore.p12 into a PEM file:

openssl pkcs12 -in keystore.p12 -out keystore.pem

The tool will prompt us for the PKCS#12 KeyStore password and a PEM passphrase for each alias. The PEM passphrase is used to encrypt the resulting private key.

If we don’t want to encrypt the resulting private key, we should instead use:

openssl pkcs12 -nodes -in keystore.p12 -out keystore.pem

keystore.pem will contain all of the keys and certificates from the KeyStore. For this example, it contains a private key and a certificate for both the first-key-pair and second-key-pair aliases.

4. Converting a Single Certificate From a JKS Into PEM

We can export a single public key certificate out of a JKS and into PEM format using keytool alone:

keytool -exportcert -alias first-key-pair -keystore keystore.jks -rfc -file first-key-pair-cert.pem

After entering the JKS password at the prompt, we’ll see the output of that command:

Certificate stored in file <first-key-pair-cert.pem>

5. Conclusion

We’ve successfully converted an entire JKS into PEM format using keytool, openssl, and the intermediary stage of the PKCS#12 format. We’ve also covered converting a single public key certificate using keytool alone.

Course – LSS (cat=Security/Spring Security)

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

Course – LS (cat=Java)

Get started with Spring and Spring Boot, through the Learn Spring course:

res – Security (video) (cat=Security/Spring Security)
Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.