
Converting a Java Keystore into PEM Format

by Nikita Barsukov · Feb 3, 2025
TLDR

Here's a quick and dirty way to convert a Java Keystore to PEM. You need two tools: keytool and openssl.

    # Extract certificate as PEM, not your PEM project, this is cooler!
    keytool -export -alias my_boring_alias -keystore boring_keystore.jks -rfc -file not_boring_cert.pem

Need to get your hands on the private key as well, in PEM format?

    # Extract key pair to PKCS12, a little vacation for the key pair
    keytool -importkeystore -srckeystore boring_keystore.jks \
        -destkeystore not_boring_pkcs.p12 -deststoretype PKCS12 \
        -srcalias my_boring_alias -destalias not_boring_alias \
        -deststorepass your_semi_red_hot_chili_peppers_password \
        -srcstorepass same_chili_pass_as_above

    # Convert from PKCS12 to PEM format (both cert and key) and have fun!
    # -nodes writes the private key unencrypted, so restrict who can read the output file.
    openssl pkcs12 -in not_boring_pkcs.p12 -out partyin_pem.pem -nodes

Remember to replace my_boring_alias, boring_keystore.jks, your_semi_red_hot_chili_peppers_password, and same_chili_pass_as_above with your actual alias, keystore filename, and corresponding passwords.

Step-by-step guide and use cases

Transmuting a Java Keystore to PEM format is no dark art. It calls for extracting certificates and keys, followed by a magical spell that alters their metaphysical readability for those apps and services demanding PEM files.

Variations in key extraction

The alias is the keystore's guardian. Pick the right one while extracting entries from your keystore, unless you prefer to dump the whole lot. Specific scenarios might require extraction and conversion of a lone knight rather than the entire army. Choose your warrior correctly in your battle commands.

The direct route

Direct extraction of the certificate in PEM format is made reverently easy by the -rfc flag, which offers a transcendent path and eliminates the need for an intermediate vessel of conversion.

Keystone of security

It's a cold, cruel world out there. Protect your journey through the conversion process by securing it with strong and unique passwords for each leg of the journey. Touch the divine regularly by validating the converted sacred scripts to bring peace and order to their new reality.

Troubleshooting common speed bumps

Life is but a dream with an obstinate alarm clock named troubleshooting. So, check your keystore access permissions regularly, as they have a significant influence over your divine journey and the consequent security. Should clouds of doubt hover over you, seek enlightenment from online communities.

In this astral journey, every stone is different. Distinct entrances require unique attunement for key and certificate management. While the sacred Java laws forbid the direct exportation of the private key in its chosen form, PEM, a bardic tale whispers of a path involving the creation of a PKCS#8 format through divine Java scriptures, to be later transformed into the chosen format of PEM, using the blessing of openssl.

Post-transmutation key differentiation

After the incantation, the PEM file may contain both the holy relic and the sacred manifestation: the certificate and the private key. However, your divine mission may require you to separate these two into unique scriptures, each for its purpose in your grand design. Fear not, for you possess the divine tool of openssl, which bestows on you the power to create new realities out of the old.
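
The separation described above, as an added example that is not part of the original article: it splits the combined file with awk instead of openssl, which also drops the "Bag Attributes" text that `openssl pkcs12` writes between blocks, and it creates the unencrypted key owner-readable only. The function names, output file names and the sample input are assumptions made for illustration.

```shell
# Added example (not from the original page): split the combined PEM that
# `openssl pkcs12 ... -nodes` writes into a key file and a certificate file.

# Print every PEM block whose label matches the ERE $1 from file $2; the
# "Bag Attributes" text between blocks is dropped.
extract_blocks() {
    awk -v label="$1" '
        $0 ~ ("^-----BEGIN " label "-----$") { inside = 1 }
        inside                               { print }
        $0 ~ ("^-----END " label "-----$")   { inside = 0 }
    ' "$2"
}

# split_pem COMBINED KEY_OUT CERT_OUT (hypothetical helper name)
split_pem() {
    keys=$(grep -c -e '^-----BEGIN .*PRIVATE KEY-----$' "$1" || true)
    [ "$keys" = 1 ] || {
        echo "expected exactly 1 private key in $1, found ${keys:-none}" >&2
        return 1
    }
    # The key is unencrypted after -nodes: create the file owner-only.
    ( umask 077 && extract_blocks '([A-Z]+ )?PRIVATE KEY' "$1" > "$2" ) || return 1
    chmod 600 "$2"    # also tightens a file that already existed
    extract_blocks 'CERTIFICATE' "$1" > "$3"
}

# Constructed sample input: the base64 bodies are placeholders, not real keys.
make_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: not_boring_alias
    localKeyID: 54 69 6D 65
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLVBMQUNFSE9MREVS
-----END PRIVATE KEY-----
Bag Attributes
subject=CN = example.invalid
issuer=CN = Constructed Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}

demo=$(mktemp -d)
make_sample "$demo/partyin_pem.pem"
split_pem "$demo/partyin_pem.pem" "$demo/key.pem" "$demo/cert.pem"
```

On real files, comparing the output of `openssl pkey -in key.pem -pubout` with `openssl x509 -in cert.pem -noout -pubkey` confirms that the separated key still belongs to the certificate.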