Extracting SSL certificate from the Java Keystore (JKS)

To extract SSL certificate and private key from Keystore (JKS) file, run

keytool -importkeystore \
    -srckeystore keystore.jks \
    -destkeystore keystore.p12 \
    -deststoretype PKCS12

keytool -importkeystore \

-srckeystore keystore.jks \

-destkeystore keystore.p12 \

-deststoretype PKCS12

It will ask for the new Keystore password and current Keystore password. Once you enter the password, JKS file gets converted to P12 format.

This will include all certificates in the keystone. If you only need a specific certificate, then use

-srcalias NAME_HERE

1	-srcalias NAME_HERE

To see all certificates in a JKS file, see List contents of jks keystore file

To extract SSL certificate (Apache format), run

openssl pkcs12 -in keystore.p12  -nokeys -out cert.pem

1	openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem

To extract Private key, run

openssl pkcs12 -in keystore.p12  -nodes -nocerts -out key.pem

1	openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem

Back to keytool