Tuesday, 7 February 2023

Quick guide to Java keystore file

A keystore is a file that stores keys and certificates. The following are the popular keystore file formats.

a.   JKS

b.   JCEKS

c.    PKCS#12

d.   DKS

e.   PKCS#11

 

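| File format | Store public, private keys | Store certificates | Store secret keys |
|-------------|----------------------------|--------------------|-------------------|
| JKS         | Yes                        | Yes                | No                |
| JCEKS       | Yes                        | Yes                | Yes               |
| PKCS#12     | Yes                        | Yes                | No                |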

 

All the keystores (JKS, JCEKS, PKCS#12) are protected by a password. To provide further security, each private key or secret key that you are going to store in a keystore is protected by another individual password.
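The following Java program is an added example, not code from the original post. It uses the standard java.security.KeyStore API to show two points made above: a JKS keystore refuses a secret key while JCEKS accepts one, and an entry protected by its own password cannot be opened with the store password alone. The class name KeystoreTypeDemo and the alias mySecret are assumptions; the passwords reuse the sample values from this page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeystoreTypeDemo {
    // Sample passwords only, the same demo values used in this tutorial.
    static final char[] STORE_PASS = "test123".toCharArray();
    static final char[] KEY_PASS = "test456".toCharArray();

    public static void main(String[] args) throws Exception {
        // A freshly generated AES key stands in for any secret (symmetric) key.
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        SecretKey aes = gen.generateKey();

        for (String type : new String[] {"JKS", "JCEKS"}) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null); // start from an empty in-memory keystore
            try {
                // "mySecret" is a hypothetical alias chosen for this example.
                ks.setEntry("mySecret", new KeyStore.SecretKeyEntry(aes),
                        new KeyStore.PasswordProtection(KEY_PASS));
                System.out.println(type + ": secret key stored");
            } catch (KeyStoreException e) {
                System.out.println(type + ": secret key rejected (" + e.getMessage() + ")");
                continue;
            }

            // Write the keystore under the store password, then load it again.
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, STORE_PASS);
            KeyStore reloaded = KeyStore.getInstance(type);
            reloaded.load(new ByteArrayInputStream(out.toByteArray()), STORE_PASS);

            // The entry has its own password; the store password must not open it.
            try {
                reloaded.getKey("mySecret", STORE_PASS);
                System.out.println(type + ": entry opened with the store password");
            } catch (UnrecoverableKeyException e) {
                System.out.println(type + ": store password does not open the entry");
            }
            boolean opened = reloaded.getKey("mySecret", KEY_PASS) != null;
            System.out.println(type + ": entry opened with its key password: " + opened);
        }
    }
}
```

On Java 11 or later it can be run directly with `java KeystoreTypeDemo.java`.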

 

Generate a jks keystore file using keytool command

Java provides a command-line tool, ‘keytool’, to work with keystores. Using the keytool command, you can:

a.   Create a new keystore file

b.   Export the certificates and keys from the keystore

c.    Import certificates and keys into the keystore

 

In this tutorial series, you are going to learn how to:

a.   Create a new empty keystore "myKeystore.jks" with a dummy certificate

b.   Print all the entries in a keystore file

c.   Export the public key to a file

d.   Print the content of the public key using the keytool command

e.   Generate a public and private key pair and a self-signed certificate in an existing keystore file, and export the public and private keys

f.   Import an existing certificate into a keystore file

g.   Export the certificate

h.   Print the content of a jceks file

 

Create a new empty keystore "myKeystore.jks" with a dummy certificate.

keytool -genkey -keyalg RSA -keystore myKeystore.jks -keysize 2048

$keytool -genkey -keyalg RSA -keystore myKeystore.jks -keysize 2048
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  krishna
What is the name of your organizational unit?
  [Unknown]:  sample.com
What is the name of your organization?
  [Unknown]:  self learning java
What is the name of your City or Locality?
  [Unknown]:  Bangalore
What is the name of your State or Province?
  [Unknown]:  Karnataka
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=krishna, OU=sample.com, O=self learning java, L=Bangalore, ST=Karnataka, C=IN correct?
  [no]:  y

Enter key password for <mykey>
	(RETURN if same as keystore password):  
Re-enter new password: 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

Note

test123 is the keystore password

test456 is the password for mykey

 

Print all the entries in a keystore file

keytool -list -keystore myKeystore.jks
$keytool -list -keystore myKeystore.jks 
Enter keystore password:  
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mykey, 7 Feb, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 2D:78:CF:F5:62:E7:5D:7F:6B:36:4E:D8:63:55:72:1E:DB:C7:07:34:C9:76:7B:E5:A0:CF:E9:D6:20:3C:43:16

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

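Using the -storepass option, you can pass the keystore password as part of the command itself. A password passed this way is visible in the shell history and in the process list, so prefer the interactive prompt outside of a demo.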

$keytool -list -keystore myKeystore.jks -storepass test123
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mykey, 7 Feb, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 2D:78:CF:F5:62:E7:5D:7F:6B:36:4E:D8:63:55:72:1E:DB:C7:07:34:C9:76:7B:E5:A0:CF:E9:D6:20:3C:43:16

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

Export the public key to a file

keytool -exportcert -alias mykey -keypass test456 -keystore myKeystore.jks -storepass test123 -file demo.crt -rfc

$keytool -exportcert -alias mykey -keypass test456 -keystore myKeystore.jks -storepass test123 -file demo.crt -rfc
Certificate stored in file <demo.crt>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

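Upon successful execution of the command, you can see a demo.crt file. It holds the certificate for mykey, which carries the public key; the -rfc option writes it in PEM (Base64) format.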

$ls
demo.crt	myKeystore.jks

Execute the command ‘cat demo.crt’ to see the contents of the file.

$cat demo.crt 

 

Print the content of public key

 

keytool -list -rfc -keystore myKeystore.jks -alias mykey -storepass test123

$keytool -list -rfc -keystore myKeystore.jks -alias mykey -storepass test123
Alias name: mykey
Creation date: 7 Feb, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

Generate public and private key pair and a self-signed certificate

keytool -genkeypair -alias myServerKey -dname cn=demo.app.com -keystore myKeystore.jks

$keytool -genkeypair -alias myServerKey -dname cn=demo.app.com -keystore myKeystore.jks
Enter keystore password:  
Enter key password for <myServerKey>
	(RETURN if same as keystore password):  
Re-enter new password: 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

Let’s print the content of the myKeystore.jks file.

$keytool -list -keystore myKeystore.jks
Enter keystore password:  
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

myserverkey, 7 Feb, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 87:80:F2:94:89:5C:A7:7C:8A:DE:4E:DF:6D:C4:2C:1C:42:1B:45:0E:9A:6F:0B:3E:FC:3A:F5:3A:32:0A:1F:0F
mykey, 7 Feb, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 2D:78:CF:F5:62:E7:5D:7F:6B:36:4E:D8:63:55:72:1E:DB:C7:07:34:C9:76:7B:E5:A0:CF:E9:D6:20:3C:43:16

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

Now you can see that two keys exist in the keystore file. Note that keytool lists the alias myServerKey in lower case, as myserverkey.

a.   myserverkey

b.   mykey

 

Export public and private keys from the keystore

 

Export public key from a keystore

keytool -export -alias myserverkey -keystore myKeystore.jks -rfc -file public.cert

$keytool -export -alias myserverkey -keystore myKeystore.jks -rfc -file public.cert
Enter keystore password:  
Certificate stored in file <public.cert>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".
$ls
myKeystore.jks	public.cert
$cat public.cert

 

Export private key from the jks file

Exporting the private key is not straightforward, because keytool has no option to export a private key directly.

It is a two-step process:

a.   Convert the JKS keystore to the PKCS12 format

b.   Export the private key from the PKCS12 format keystore

 

Convert JKS to the PKCS12 format:


keytool -importkeystore -srckeystore myKeystore.jks -srcstorepass test123 -srckeypass test456 -srcalias myserverkey -destalias myserverkey -destkeystore myKeystore.p12 -deststoretype PKCS12 -deststorepass test123 -destkeypass test456

$keytool -importkeystore -srckeystore myKeystore.jks -srcstorepass test123 -srckeypass test456 -srcalias myserverkey -destalias myserverkey -destkeystore myKeystore.p12 -deststoretype PKCS12 -deststorepass test123 -destkeypass test456
Importing keystore myKeystore.jks to myKeystore.p12...
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -destkeypass value.
$
$ls
myKeystore.jks	myKeystore.p12

 

Export the private key from PKCS12 file

$openssl pkcs12 -in myKeystore.p12 -nodes -nocerts -out private_key.pem
Enter Import Password:
MAC verified OK

 

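Enter the store password as test123. As the keytool warning above states, PKCS12 keystores do not support different store and key passwords, so the -destkeypass value was ignored and the store password also protects the key.

You can print the content of the private_key.pem file using the cat command. Because of the -nodes option, the private key in this file is not encrypted, so keep the file readable only by its owner.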

$cat private_key.pem 
Bag Attributes
    friendlyName: myserverkey
    localKeyID: 54 69 6D 65 20 31 36 37 35 37 34 37 34 35 39 32 30 31 
Key Attributes: <No Attributes>

 

Import the certificate to a keystore

I downloaded the certificate of the server ‘https://self-learning-java-tutorial.blogspot.com/2014/02/blog-post.html’. The certificate is downloaded in .pem format.

 

Convert the .pem file to .der


openssl x509 -outform der -in certificate.pem -out certificate.der

$openssl x509 -outform der -in certificate.pem -out certificate.der
$ls
certificate.der	certificate.pem	myKeystore.jks
$

 

Import .der file to the keystore myKeystore.jks

keytool -import -alias java-blogspot -keystore myKeystore.jks -file certificate.der

  

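The password for the keystore is test123. keytool prints the certificate details and asks "Trust this certificate?" before adding it; compare the SHA-256 fingerprint it shows with one obtained from a trusted source before answering yes.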

 

You can print all the keys/certificates using -list option.

keytool -list -keystore myKeystore.jks

$keytool -list -keystore myKeystore.jks
Enter keystore password:  
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

java-blogspot, 7 Feb, 2023, trustedCertEntry, 
Certificate fingerprint (SHA-256): B7:B9:77:66:EA:0B:0F:EB:1C:09:EE:BD:5D:D4:D1:93:9D:37:B6:9D:F6:0B:31:A8:AF:64:1F:E5:3C:F5:07:01
myserverkey, 7 Feb, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 87:80:F2:94:89:5C:A7:7C:8A:DE:4E:DF:6D:C4:2C:1C:42:1B:45:0E:9A:6F:0B:3E:FC:3A:F5:3A:32:0A:1F:0F
mykey, 7 Feb, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 2D:78:CF:F5:62:E7:5D:7F:6B:36:4E:D8:63:55:72:1E:DB:C7:07:34:C9:76:7B:E5:A0:CF:E9:D6:20:3C:43:16

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

Export the certificate

keytool -exportcert -alias java-blogspot -keystore myKeystore.jks -storepass test123 -file root.der

$keytool -exportcert -alias java-blogspot -keystore myKeystore.jks -storepass test123 -file root.der
Certificate stored in file <root.der>

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore myKeystore.jks -destkeystore myKeystore.jks -deststoretype pkcs12".

 

Read the .der file content

openssl x509 -inform der -in root.der -noout -text

Print the content of jceks file

keytool -list -storetype jceks -keystore demo.jceks

 

 


 
