Wednesday, March 31, 2010

Java Keytool Export Private Key, PKCS#12 or .p12 export or conversion from java keystore

So, I had to create a PKCS#12 type or .p12 extension certificate from a java keystore which was created using java keytool. FYI, I have jdk 1.4.2. I came to know that using keytool you cannot export the private key.

I tried various options available in keytool i.e. create a keystore of type PKCS#12 to begin with instead of the default JKS (java keystore). -storetype PKCS12.

All this didn't work and on further search on Google, I came across 2 free products which can help you a lot in terms of handling the keystore, generate keystore, export private key and so on.

You can download these free products from here.

The tools are portecle-1.5 http://sourceforge.net/projects/portecle/

KeyTool IUI – GUI http://www.icewalkers.com/download/KeyTool-IUI/3073/adl/

For my needs, i.e. generate a PKCS#12 certificate from an existing java keystore, portecle-1.5 worked just fine and it was very easy to use.

I also tried the KeyTool IUI – GUI just for testing the tool and it helped me to export the private key of my RSA key pair. The reason I wanted my private key in a separate file is to use this online site which allows conversion of certificate types online. The URL is https://www.sslshopper.com/ssl-converter.html.

Hope this helps someone. :-)

Helpful Links/Tutorial for keytool, PKCS#12 :

Cryptography Tutorials - Herong's Tutorial Notes

Keytool to OpenSSL Conversion tips

Exporting the Private Key from a JKS keystore

Exporting keystore private key with WSAS

Exporting Private Keys

Good Luck. :-)
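
Added example, not part of the original post: the same JKS to PKCS#12 conversion done locally with the standard `java.security.KeyStore` API, so the private key never has to be pasted into a conversion site. It assumes Java 7 or later (not the JDK 1.4.2 mentioned above), an interactive terminal for the password prompts, and a hypothetical class name `JksToPkcs12`; it also prints each RSA key's size as it copies.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

// Hypothetical class name (assumption). Usage: java JksToPkcs12 <in.jks> <out.p12>
public class JksToPkcs12 {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive terminal): JksToPkcs12 <in.jks> <out.p12>");
            System.exit(2);
        }
        // Prompt for passwords so they do not appear in the process list or shell history.
        char[] storePass = console.readPassword("Keystore password: ");
        char[] keyPass = console.readPassword("Key password: ");

        KeyStore jks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            jks.load(in, storePass); // the password is also used to check the store's integrity
        }
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start from an empty PKCS#12 store

        int copied = 0;
        for (String alias : Collections.list(jks.aliases())) {
            if (!jks.isKeyEntry(alias)) continue; // skip trusted-certificate entries
            Key key = jks.getKey(alias, keyPass);
            Certificate[] chain = jks.getCertificateChain(alias);
            if (!(key instanceof PrivateKey) || chain == null) continue;
            if (chain[0].getPublicKey() instanceof RSAPublicKey) {
                RSAPublicKey pub = (RSAPublicKey) chain[0].getPublicKey();
                System.out.println(alias + ": RSA " + pub.getModulus().bitLength() + " bits");
            }
            // PKCS#12 tools generally expect the key and store passwords to match.
            p12.setKeyEntry(alias, key, storePass, chain);
            copied++;
        }
        try (FileOutputStream out = new FileOutputStream(args[1])) {
            p12.store(out, storePass);
        }
        System.out.println("Copied " + copied + " key entries to " + args[1]);
    }
}
```

The resulting `.p12` file holds the private key protected only by the keystore password, so restrict its file permissions and delete it once it has been imported where it is needed.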

7 comments:

Jety said...

Thank you AjasHadi, it helped me to generate pkcs12 with portecle after I failed to do it with keystore.

Humberto Dib said...

Hi, Great blog!
I invite you to join the Babel Project II, just a way of keeping in touch.
Cheers from Argentina.
Humberto.

www.humbertodib.blogspot.com

Asim said...

Neat entry. Thanks.

Noah said...

Thank you! I've been fighting with trying to convert a DER to PKCS12 for the last day, and I think Portecle did the trick! Awesome.

Sadiq said...

Life saving article....Thanks a lot dude.......

ghdhair.com said...

I've just been using Portecle which seems a great product. I was able to extract the private key no problem.

Do you know of a way to test the encryption level of a CSR file ... apparently after Oct 2013 you have to submit 2048bit requests.

ghdhair.com said...

Using this tool https://secure.comodo.net/utilities/decodeCSR.html you can inspect a range of properties in a csr file ... unfortunately it seems Portecle is only creating 1024bit files.