I’ve been working with the AS2 Protocol and the AdroitLogic AS2Gateway for quite some time now and hence playing with JKS has been a must. One of the tricks which were required from time to time was extracting the private key and public key (certificate) from Java KeyStores. In this blog post, we’ll go through a couple of simple commands to do that.
What is a Java KeyStore (JKS)?
A JKS is a password-protected binary file that stores a set of cryptographic keys and certificates; a password is required to open it. JKS files are used for a variety of security purposes. For example, they are used to identify the author of an Android app during a build and when publishing to Android Market (Google Play), or for SSL encryption.
Are there any other keystore types?
Yes. There are other keystore types. PKCS12 is one such type.
What are the tools used to manipulate keystores?
For JKS we can use the Java keytool utility, which ships with the JDK, and for PKCS12 we can use the openssl utility.
Let’s get to work!
Exporting the public key from a JKS is quite straightforward with the keytool utility, but keytool does not allow exporting the private key. Therefore we need the help of the openssl utility for that. Alternatively, you can write some custom Java code to extract the private key as well.
Let’s create a keystore to begin with.
keytool -genkeypair -alias notebook -keyalg RSA -dname "CN=rajind,OU=dev,O=bft,L=mt,C=Srilanka" -keystore identity.jks -keypass keypassword -storepass storepassword
Extracting private key with openssl and keytool
1. Convert JKS to PKCS12 format
keytool -importkeystore -srckeystore identity.jks -srcstorepass storepassword -srckeypass keypassword -srcalias notebook -destalias notebook -destkeystore identity.p12 -deststoretype PKCS12 -deststorepass password -destkeypass password
Note that we have given -destkeypass and -deststorepass the same value. This is a requirement of PKCS12, as it does not support different passwords for the keystore and the key. If you try to give different passwords, you'll get the following warning and the -destkeypass value will be ignored.
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -destkeypass value.
The final result of this step is an identity.p12 file.
2. Exporting the private key from the PKCS12 format keystore
openssl pkcs12 -in identity.p12 -nodes -nocerts -out private_key.pem
Once you enter this command, you will be prompted for the password, and once the password (in this case 'password') is given, the private key will be saved to a file named private_key.pem.
Note that in this command, -nodes means 'don't encrypt private keys' (so private_key.pem is written in the clear and should be kept readable only by you) and -nocerts means 'don't output certificates', i.e. the certificates that carry the public keys.
Use the following help commands to get more details on them.
keytool -importkeystore -help
openssl pkcs12 -help
Exporting the public key
openssl pkcs12 -in identity.p12 -nokeys -out cert.pem
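The "custom Java code" route mentioned at the start of the post, as an added example that is not from the original post, from AdroitLogic or from the JDK. It produces the same two files as the keytool + openssl steps above (private_key.pem as unencrypted PKCS#8 and cert.pem as an X.509 certificate) directly from the JKS, without the intermediate PKCS12 conversion. The class name ExportKeyEntry and the key-pair consistency check are my own; the keystore name, alias and passwords are the ones used in the keytool -genkeypair command earlier in the post.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Base64;

/**
 * Exports one key entry of a JKS keystore as two PEM files:
 * private_key.pem (unencrypted PKCS#8) and cert.pem (X.509 certificate),
 * the same artefacts the keytool + openssl steps in the post produce.
 *
 * Usage (with the keystore created earlier in the post; class name is hypothetical):
 *   java ExportKeyEntry identity.jks storepassword notebook keypassword
 */
public class ExportKeyEntry {

    /** Wraps DER bytes in a PEM envelope with 64-column Base64 lines. */
    static String toPem(String type, byte[] der) {
        byte[] newline = "\n".getBytes(StandardCharsets.US_ASCII);
        String body = Base64.getMimeEncoder(64, newline).encodeToString(der);
        return "-----BEGIN " + type + "-----\n" + body + "\n-----END " + type + "-----\n";
    }

    /** Signs a probe with the private key and verifies it with the certificate's public key. */
    static boolean keyMatchesCertificate(PrivateKey privateKey, Certificate cert)
            throws GeneralSecurityException {
        String alg = privateKey.getAlgorithm();            // "RSA" for the keystore in the post
        String sigAlg = alg.equals("EC") ? "SHA256withECDSA" : "SHA256with" + alg;
        byte[] probe = "key-pair consistency check".getBytes(StandardCharsets.US_ASCII);
        Signature sig = Signature.getInstance(sigAlg);
        sig.initSign(privateKey);
        sig.update(probe);
        byte[] signature = sig.sign();
        sig.initVerify(cert);
        sig.update(probe);
        return sig.verify(signature);
    }

    /** Writes a file and restricts it to the owner where the filesystem supports POSIX permissions. */
    static void writeOwnerOnly(Path file, String content) throws IOException {
        Files.write(file, content.getBytes(StandardCharsets.US_ASCII));
        try {
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): the directory ACL has to protect the file instead.
        }
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 4) {
            System.err.println("usage: java ExportKeyEntry <keystore.jks> <storepass> <alias> <keypass>");
            System.exit(2);
        }
        Path keystorePath = Paths.get(args[0]);
        char[] storePass = args[1].toCharArray();
        String alias = args[2];
        char[] keyPass = args[3].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(keystorePath)) {
            ks.load(in, storePass);                         // also checks the store's integrity MAC
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("alias '" + alias + "' is not a private key entry");
        }

        Key key = ks.getKey(alias, keyPass);                // UnrecoverableKeyException on a wrong key password
        if (!(key instanceof PrivateKey) || !"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("alias '" + alias + "' does not hold a PKCS#8 private key");
        }
        PrivateKey privateKey = (PrivateKey) key;
        Certificate cert = ks.getCertificate(alias);        // first certificate of the entry's chain

        if (!keyMatchesCertificate(privateKey, cert)) {
            throw new IllegalStateException("certificate public key does not match the private key");
        }

        writeOwnerOnly(Paths.get("private_key.pem"), toPem("PRIVATE KEY", privateKey.getEncoded()));
        Files.write(Paths.get("cert.pem"),
                toPem("CERTIFICATE", cert.getEncoded()).getBytes(StandardCharsets.US_ASCII));
        System.out.println("wrote private_key.pem (PKCS#8, unencrypted) and cert.pem for alias " + alias);
    }
}
```

Save it as ExportKeyEntry.java, then `javac ExportKeyEntry.java && java ExportKeyEntry identity.jks storepassword notebook keypassword`. The sign-and-verify step is there because a keystore entry's certificate and private key are stored separately, so confirming they belong together before handing the PEM files to another tool saves a confusing failure later. Like the -nodes output of openssl, private_key.pem is written unencrypted, which is why the file is created owner-only.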
Happy extracting 😀
~ Rajind Ruparathna