Convert JKS file to pem file+ Convert a Java Keystore Into PEM Format+convert keystore to pk12 file+convert JKS to pk12 file


Please briefly explain why you feel this question should be reported .


Creating a JKS file with a single RSA key pair value:
keytool -genkey -keyalg RSA -v -keystore xxx_keystore.jks -alias xxx_key-pair

It will ask to enter the KeyStore password and enter details/information about the key pair.
keytool -genkey -keyalg RSA -v -keystore xxx_keystore.jks -alias yyy-key-pair The first step in the conversion process: – convert the JKS into PKCS#12 using keytool:
keytool -importkeystore -srckeystore xxx_keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12
Again, it will ask the password prompts — first will ask for the password of the original JKS or certificate, and the other will ask us to create a password for the resulting/new file PKCS#12 KeyStore.

And, following output will be displayed in command line or terminal:
Entry for alias first-key-pair successfully imported.
Entry for alias second-key-pair successfully imported.
Import command completed: 2 entries successfully imported, 0 entries failed or cancelled

Some commands to play:
keytool -importkeystore -srckeystore mycert.jks -destkeystore keystore.p12 -deststoretype PKCS12
For apache ssl certificate file you need certificate only:
openssl pkcs12 -in keystore.p12 -nokeys -out my_key_store.crt
For ssl key file you need only keys:
openssl pkcs12 -in keystore.p12 -nocerts -nodes -out my_store.key
keytool -importkeystore -srckeystore x509_integration_client_keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12

JKS to Pem
keytool -genkey -keyalg RSA -v -keystore keystore_x509_integration.jks -alias first-key-pair

keytool -genkey -keyalg RSA -v -keystore keystore_x509_integration.jksalias second-key-pair

keytool -importkeystore -srckeystore keystore_x509_integration.jks -destkeystore keystore_x509_integration.jks -deststoretype pkcs12

openssl pkcs12 –in keystore_x509_integration.jks -out keystore_x509_integration.pem


  • This will prompt us for the PKCS#12 KeyStore password and a PEM passphrase for each alias. The PEM passphrase is used to encrypt the resulting private key.



  • If we don’t want to encrypt the resulting private key, we should instead use:



  • openssl pkcs12 -nodes -in keystore.p12 -out keystore.pem



openssl pkcs12 -in keystore_x509_integration.jks -nokeys -out keystore_x509_integration.crt

openssl pkcs12 -in keystore_x509_integration.jks -nocerts -nodes -out keystore_x509_integration.key

Manimaran Samuthirapandi 1 year 2021-09-15T13:50:39+02:00 0 Answers 39 views 0

Leave an answer

Captcha Click on image to update the captcha .