A Java KeyStore is a container of security certificates that we can use when writing Java code. Java KeyStores hold one or more certificates with their matching private keys and are created using keytool which comes with the JDK.
In this tutorial, we'll convert a Java KeyStore into PEM (Privacy-Enhanced Mail) format using a combination of keytool and openssl. The steps will include using keytool to convert the JKS into a PKCS#12 KeyStore, and then openssl to transform the PKCS#12 KeyStore into a PEM file.
keytool is available with the JDK, and we can download openssl from the OpenSSL website.
2. File Formats
Java KeyStores are stored in the JKS file format. It's a proprietary format that is specifically for use in Java programs. PKCS#12 KeyStores are non-proprietary and are increasing in popularity — from Java 9 onward, PKCS#12 is used as the default KeyStore format over JKS.
PEM files are also certificate containers — they encode binary data using Base64, which allows the content to be transmitted more easily through different systems. A PEM file may contain multiple instances, with each instance adhering to two rules:
- A one-line header of
- A one-line footer of
<label> specifies the type of the encoded message, common values being CERTIFICATE and PRIVATE KEY.
3. Converting an Entire JKS Into PEM Format
Let's now go through the steps for converting all the certificates and private keys from a JKS into PEM format.
3.1. Creating the Java KeyStore
We'll start by creating a JKS with a single RSA key pair:
keytool -genkey -keyalg RSA -v -keystore keystore.jks -alias first-key-pair
We'll enter a KeyStore password at the prompt and enter information about the key pair.
For this example, we'll create a second key pair as well:
keytool -genkey -keyalg RSA -v -keystore keystore.jks -alias second-key-pair
3.2. JKS to PKCS#12
The first step in the conversion process is to convert the JKS into PKCS#12 using keytool:
keytool -importkeystore -srckeystore keystore.jks \ -destkeystore keystore.p12 \ -srcstoretype jks \ -deststoretype pkcs12
Again, we'll answer the password prompts — one will ask for the password of the original JKS, and the other will ask us to create a password for the resulting PKCS#12 KeyStore.
Let's check the output of running that command:
Entry for alias first-key-pair successfully imported. Entry for alias second-key-pair successfully imported. Import command completed: 2 entries successfully imported, 0 entries failed or cancelled
The result is a keystore.p12 KeyStore stored in PKCS#12 format.
3.3. PKCS#12 to PEM
From here, we'll use openssl to encode keystore.p12 into a PEM file:
openssl pkcs12 -in keystore.p12 -out keystore.pem
The tool will prompt us for the PKCS#12 KeyStore password and a PEM passphrase for each alias. The PEM passphrase is used to encrypt the resulting private key.
If we don't want to encrypt the resulting private key, we should instead use:
openssl pkcs12 -nodes -in keystore.p12 -out keystore.pem
keystore.pem will contain all of the keys and certificates from the KeyStore. For this example, it contains a private key and a certificate for both the first-key-pair and second-key-pair aliases.
4. Converting a Single Certificate From a JKS Into PEM
We can export a single public key certificate out of a JKS and into PEM format using keytool alone:
keytool -exportcert -alias first-key-pair -keystore keystore.jks -rfc -file first-key-pair-cert.pem
After entering the JKS password at the prompt, we'll see the output of that command:
Certificate stored in file <first-key-pair-cert.pem>
We've successfully converted an entire JKS into PEM format using keytool, openssl, and the intermediary stage of the PKCS#12 format. We've also covered converting a single public key certificate using keytool alone.