MyJavaCode.com

Tutorial and How to Guide on Java Programming. Topics covered include Java Programming Language - Core Java, Spring, Webservices, REST, Hibernate, Maven and Microservices.

How to Extract Private Key from Java Keystore (.JKS) or .P12 File

By

Extracting a private key from a Java Keystore (.JKS) or a .P12 (PKCS12) file can be necessary when you need to migrate certificates, configure TLS for applications, or integrate with third-party systems. However, Java’s keytool does not support exporting private keys directly. In this guide, we will explore different methods to extract the private key safely using Java KeyStore APIs and OpenSSL.

What is a Java Keystore (.JKS) and .P12 File?

A Java Keystore (.JKS) is a repository that contains private keys, certificates, and CA chains. It is commonly used in Java applications, particularly for SSL/TLS configurations.

A .P12 (PKCS12) file is a more flexible, portable keystore format that can store both private keys and certificates in a single file. It is widely supported outside of Java environments.

Why Can’t We Use keytool to Extract Private Keys?

Java’s keytool does not support exporting private keys directly from keystore files due to security concerns. The only way to extract a private key using keytool is by first converting the .JKS file to .P12 format and then using OpenSSL or Java APIs.

Method 1: Extract Private Key Using OpenSSL (Recommended)

This method requires OpenSSL, which is a widely used command-line tool for handling SSL/TLS certificates.

Step 1: Convert .JKS to .P12 (PKCS12 Format)

First, convert the Java Keystore (.JKS) to a .P12 (PKCS12) file:

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass changeit
  • keystore.jks → Source Java Keystore.
  • keystore.p12 → Destination PKCS12 file.
  • changeit → The password for the new keystore.

Step 2: Extract the Private Key from .P12 Using OpenSSL

Once the .p12 file is created, extract the private key using OpenSSL:

openssl pkcs12 -in keystore.p12 -nocerts -nodes -out private-key.pem
  • -in keystore.p12 → Input .p12 file.
  • -nocerts → Extract only the private key, excluding certificates.
  • -nodes → Ensures that the extracted private key is not encrypted.
  • -out private-key.pem → The extracted private key.

Step 3: Convert the Private Key to RSA Format (Optional)

If you need the key in RSA format, use:

openssl rsa -in private-key.pem -out private-key-rsa.pem

Method 2: Extract Private Key Using Java Code

If OpenSSL is not available on your system, you can use Java’s KeyStore API to extract the private key.

Java Program to Extract Private Key from .P12

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Base64;

public class ExtractPrivateKey {
    public static void main(String[] args) throws Exception {
        String keystoreFile = "keystore.p12";
        String keystorePassword = "changeit";
        String alias = "myalias";

        KeyStore keystore = KeyStore.getInstance("PKCS12");
        keystore.load(new FileInputStream(keystoreFile), keystorePassword.toCharArray());

        Key key = keystore.getKey(alias, keystorePassword.toCharArray());
        if (key == null) {
            System.out.println("Private key not found for alias: " + alias);
            return;
        }

        String privateKeyPEM = "-----BEGIN PRIVATE KEY-----\n" +
                Base64.getMimeEncoder().encodeToString(key.getEncoded()) +
                "\n-----END PRIVATE KEY-----";

        try (FileOutputStream fos = new FileOutputStream("private-key.pem")) {
            fos.write(privateKeyPEM.getBytes());
        }

        System.out.println("Private key extracted successfully: private-key.pem");
    }
}

This will create a file private-key.pem containing the extracted private key in PEM format.

Verifying the Extracted Private Key

Once the private key is extracted, you can verify it using OpenSSL:

openssl rsa -in private-key.pem -check

This will confirm that the key is valid and correctly extracted.

Conclusion

  • If OpenSSL is available, use the OpenSSL method for the fastest and most reliable extraction.
  • If OpenSSL is not available, the Java KeyStore API can extract the private key using a Java program.
  • Always ensure that private keys are handled securely and not exposed in public repositories or logs.

By following these steps, you can successfully extract the private key from a Java Keystore (.JKS) or .P12 file and use it for SSL/TLS configurations or other security-related tasks.

email

About Prasanna Manjunatha

Prasanna is a Toronto based Java Consultant with more than 15 years of Software Development experience. His areas of expertise include Core Java, Spring boot, REST, Microservices, Hibernate, NoSQL, Docker, Kubernetes and AWS.