Wednesday, March 31, 2010

Java Keytool Export Private Key, PKCS#12 or .p12 export or conversion from java keystore

So, I had to create a PKCS#12 type or .p12 extension certificate from a java keystore which was created using java keytool. FYI, I have jdk 1.4.2. I came to know that using keytool you cannot export the private key.

I tried various options available in keytool i.e. create a keystore of type PKCS#12 to begin with instead of the default JKS (java keystore). -storetype PKCS12.

All this didnt work and on further search on google, I came across 2 free products which can help you a lot in terms of handling the keystore, generate keystore, export private key and so on.

You can download these free products from here.

The tools are portecle-1.5

KeyTool IUI – GUI

For my needs, i.e. generate a PKCS#12 certificate from an existing java keystore, portecle-1.5 worked just fine and it was very easy to use.

I also tried the KeyTool IUI – GUI just for testing the tool and it helped me to export the private key of my RSA key pair. The reason I wanted my private key in a seperate file is to use this online site which allows conversion of certificate types online. The url is

Hope this helps someone. :-)

Helpful Links/Tutorial for keytool, PKCS#12 :

Cryptography Tutorials - Herong's Tutorial Notes

Keytool to OpenSSL Conversion tips

Exporting the Private Key from a JKS keystore

Exporting keystore private key with WSAS

Exporting Private Keys

Good Luck. :-)


Jety said...

Thank you AjasHadi, it helped me to generate pkcs12 with portecle after I failed to do it with keystore.

Humberto Dib said...

Hi, Great blog!
I invite you to join the Babel Project II, just a way of keeping in touch.
Cheers from Argentina.

Asim said...

Neat entry. Thanks.

Noah said...

Thank you! I've been fighting with trying to convert a DER to PKCS12 for the last day, and I think Portecle did the trick! Awesome.

Sadiq said...

Life saving article....Thanks a lot dude....... said...

I've just been using Portecle which seems a great product. I was able to extract the private key no problem.

Do you know of a way to test the encryption level of a CSR file ... apparently after Oct 2013 you have to submit 2048bit requests. said...

Using this tool you can inspect a range of properties in a csr file ... unfortunatly it seems Portecle is only creating 1024bit files.

Addvantum Innovative Technologies said...

At Addvantum, we believe in driving this change for you. We provide you the platform to ‘grow’ as well as ‘know’. We assist you to grow and hone your skills and competencies; as well as help you ‘know’ yourself as a professional. We firmly believe in addressing the career aspirations of our associates and have aligned various HR processes to facilitate optimum career progression.