Wednesday, March 31, 2010

Java Keytool Export Private Key, PKCS#12 or .p12 export or conversion from java keystore

So, I had to create a PKCS#12 type or .p12 extension certificate from a Java keystore which was created using Java keytool. FYI, I have JDK 1.4.2. I came to know that using keytool you cannot export the private key.

I tried various options available in keytool i.e. create a keystore of type PKCS#12 to begin with instead of the default JKS (java keystore). -storetype PKCS12.

All this didn't work and on further search on Google, I came across 2 free products which can help you a lot in terms of handling the keystore, generate keystore, export private key and so on.

You can download these free products from here.

The tools are portecle-1.5

KeyTool IUI – GUI

For my needs, i.e. generate a PKCS#12 certificate from an existing java keystore, portecle-1.5 worked just fine and it was very easy to use.

I also tried the KeyTool IUI – GUI just for testing the tool and it helped me to export the private key of my RSA key pair. The reason I wanted my private key in a separate file is to use this online site which allows conversion of certificate types online. The url is

Hope this helps someone. :-)

Helpful Links/Tutorial for keytool, PKCS#12 :

Cryptography Tutorials - Herong's Tutorial Notes

Keytool to OpenSSL Conversion tips

Exporting the Private Key from a JKS keystore

Exporting keystore private key with WSAS

Exporting Private Keys

Good Luck. :-)
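
As an added example (not code from the original post or from the tools it mentions): the standard `java.security.KeyStore` API can read the private key entries of a JKS file and write them, with their certificate chains, into a PKCS#12 file. It assumes JDK 7 or later, that the store password and every key password are the same, and the class name `JksToP12` and the file arguments are hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Enumeration;

// Added example: copy private-key entries from a JKS keystore into a PKCS#12 file.
// Usage: java JksToP12 <in.jks> <out.p12>   (file names are placeholders)
public class JksToP12 {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage: JksToP12 <in.jks> <out.p12> (run from an interactive terminal)");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument, so it does not
        // end up in shell history or the process list.
        char[] password = console.readPassword("Keystore password: ");

        KeyStore jks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            jks.load(in, password);
        }
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start from an empty PKCS#12 keystore

        int copied = 0;
        for (Enumeration<String> e = jks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!jks.isKeyEntry(alias)) continue; // skip trusted-certificate entries
            // Assumption: the key password equals the store password.
            Key key = jks.getKey(alias, password);
            Certificate[] chain = jks.getCertificateChain(alias);
            if (key == null || chain == null) continue;
            p12.setKeyEntry(alias, key, password, chain);
            copied++;
        }
        if (copied == 0) throw new IllegalStateException("no private key entries found");
        // The output file holds the private key: keep it readable by its owner only.
        try (OutputStream out = new FileOutputStream(args[1])) {
            p12.store(out, password);
        }
        Arrays.fill(password, '\0'); // clear the password from memory
        System.out.println("Copied " + copied + " private key entries to " + args[1]);
    }
}
```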


Jety said...

Thank you AjasHadi, it helped me to generate pkcs12 with portecle after I failed to do it with keystore.

Humberto Dib said...

Hi, Great blog!
I invite you to join the Babel Project II, just a way of keeping in touch.
Cheers from Argentina.

Asim said...

Neat entry. Thanks.

Noah said...

Thank you! I've been fighting with trying to convert a DER to PKCS12 for the last day, and I think Portecle did the trick! Awesome.

Sadiq said...

Life saving article....Thanks a lot dude.......

said...

I've just been using Portecle which seems a great product. I was able to extract the private key no problem.

Do you know of a way to test the encryption level of a CSR file ... apparently after Oct 2013 you have to submit 2048bit requests.

said...

Using this tool you can inspect a range of properties in a csr file ... unfortunately it seems Portecle is only creating 1024bit files.