Tag: keytool

  • Extracting SSL certificate from the Java Keystore (JKS)

    To extract SSL certificate and private key from Keystore (JKS) file, run

    keytool -importkeystore \
        -srckeystore keystore.jks \
        -destkeystore keystore.p12 \
        -deststoretype PKCS12
    

    It will ask for a password for the new keystore and for the password of the current keystore. Once you enter them, the JKS file is converted to PKCS12 (.p12) format.

    This will include all certificates in the keystore. If you only need a specific certificate, then use

    -srcalias NAME_HERE
    

    To see all certificates in a JKS file, see List contents of jks keystore file

    To extract SSL certificate (Apache format), run

    openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem
    

    To extract the private key (the -nodes option writes it to key.pem unencrypted, so restrict the file's permissions), run

    openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
    


  • List contents of jks keystore file


    To list the contents of a JKS keystore file, such as the one used by the Tomcat web server, run the command

    keytool -list -keystore FILE.jks
    

    It will ask for the keystore password. Once you enter the password, it will list the contents of the file.

    [Screenshot: output of keytool -list showing the certificates in the keystore]

    In the above keystore, there are 5 certificates with names inter, root1, root2, ssl_tomcat2, and tomcat.

    To get detailed information on the certificates, use the command

    keytool -list -v -keystore FILE.jks
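
    The following script is an added example, not part of either post above, that runs both procedures end to end: it builds a throwaway JKS keystore with one self-signed key pair, lists and counts its entries with keytool -list, converts that single alias to PKCS12 non-interactively (passwords are passed as flags instead of typed at the prompt), extracts cert.pem and key.pem with openssl, writes the unencrypted key with a 0600 mode, and finally checks that the extracted certificate and private key actually belong together by comparing their public keys. keytool (from a JDK) and openssl are assumed to be on PATH; the alias "demo", the password "changeit", the working directory and all file names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): round-trip a JKS keystore to PEM
# and verify the extracted certificate and private key belong together.
# Assumes keytool and openssl are on PATH. The alias "demo", the password and
# the file names are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # constructed password for the throwaway keystore only

# 1. Build a throwaway JKS with one self-signed RSA key pair (alias "demo").
make_demo_jks() {
    keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 \
        -dname "CN=demo.example.test" -validity 1 \
        -keystore "$WORK/keystore.jks" -storetype JKS \
        -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# 2. The listing step, scripted: count the key and trusted-cert entries
#    that keytool -list reports (the JKS-format warning on stderr is dropped).
count_entries() {
    keytool -list -keystore "$WORK/keystore.jks" -storepass "$PASS" 2>/dev/null \
        | grep -c -e PrivateKeyEntry -e trustedCertEntry
}

# 3. Convert JKS -> PKCS12 without prompts, restricted to a single alias.
jks_to_p12() {
    keytool -importkeystore \
        -srckeystore "$WORK/keystore.jks" -srcstorepass "$PASS" -srcalias demo \
        -destkeystore "$WORK/keystore.p12" -deststoretype PKCS12 \
        -deststorepass "$PASS" -noprompt >/dev/null 2>&1
}

# 4. Extract the certificate and the key with openssl. -nodes leaves the key
#    unencrypted, so it is created under umask 077 (mode 0600).
p12_to_pem() {
    openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" \
        -nokeys -out "$WORK/cert.pem"
    ( umask 077; openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" \
        -nodes -nocerts -out "$WORK/key.pem" )
}

# 5. Sanity check: the public key inside cert.pem must equal the public key
#    derived from key.pem, otherwise the wrong alias or file was exported.
cert_matches_key() {
    c=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORK/key.pem" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Run all steps in order and report the outcome.
run_demo() {
    make_demo_jks
    echo "entries in keystore.jks: $(count_entries)"
    jks_to_p12
    p12_to_pem
    if cert_matches_key; then
        echo "cert.pem and key.pem match"
    else
        echo "MISMATCH between cert.pem and key.pem" >&2
        return 1
    fi
    ls -l "$WORK/key.pem"
}

# Usage: sh extract_jks.sh run
if [ "${1:-}" = "run" ]; then
    run_demo
fi
```

    The match check in step 5 is the part worth keeping in any real export procedure: a keystore that holds several aliases makes it easy to export a certificate from one entry and the key from another, and Tomcat or Apache will then fail at startup or, worse, serve the wrong identity. Comparing the public keys catches that before the files are deployed.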
    


  • keytool

    The keytool command is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where a user authenticates themselves to other users and services) or data integrity and authentication services, by using digital signatures. The keytool command also enables users to cache the public keys (in the form of certificates) of their communicating peers.

    A certificate is a digitally signed statement from one entity (person, company, and so on), which says that the public key (and some other information) of some other entity has a particular value. When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data hasn’t been modified or tampered with, and authenticity means that the data comes from the individual who claims to have created and signed it.

    The keytool command also enables users to administer secret keys and passphrases used in symmetric encryption and decryption (Data Encryption Standard). It can also display other security-related information.

    The keytool command stores the keys and certificates in a keystore.
