How do I list export private keys from a keystore

Question

How do I list and export a private key from a keystore

User · Accepted Answer

A portion of code originally from Example Depot for listing all of the aliases in a key store:

    // Load input stream into keystore
    keystore.load(is, password.toCharArray());

    // List the aliases
    Enumeration aliases = keystore.aliases();
    for (; aliases.hasMoreElements(); ) {
        String alias = (String)aliases.nextElement();

        // Does alias refer to a private key?
        boolean b = keystore.isKeyEntry(alias);

        // Does alias refer to a trusted certificate?
        b = keystore.isCertificateEntry(alias);
    }

The exporting of private keys came up on the Sun forums a couple of months ago, and u:turingcompleter came up with a DumpPrivateKey class to stitch into your app.

import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import sun.misc.BASE64Encoder;

public class DumpPrivateKey {
     /**
     * Provides the missing functionality of keytool
     * that Apache needs for SSLCertificateKeyFile.
     *
     * @param args  <ul>
     *              <li> [0] Keystore filename.
     *              <li> [1] Keystore password.
     *              <li> [2] alias
     *              </ul>
     */
    static public void main(String[] args)
    throws Exception {
        if(args.length < 3) {
          throw new IllegalArgumentException("expected args: Keystore filename, Keystore password, alias, <key password: default same tha
n keystore");
        }
        final String keystoreName = args[0];
        final String keystorePassword = args[1];
        final String alias = args[2];
        final String keyPassword = getKeyPassword(args,keystorePassword);
        KeyStore ks = KeyStore.getInstance("jks");
        ks.load(new FileInputStream(keystoreName), keystorePassword.toCharArray());
        Key key = ks.getKey(alias, keyPassword.toCharArray());
        String b64 = new BASE64Encoder().encode(key.getEncoded());
        System.out.println("-----BEGIN PRIVATE KEY-----");
        System.out.println(b64);
        System.out.println("-----END PRIVATE KEY-----");
    }
    private static String getKeyPassword(final String[] args, final String keystorePassword)
    {
       String keyPassword = keystorePassword; // default case
       if(args.length == 4) {
         keyPassword = args[3];
       }
       return keyPassword;
    }
}

Note: this use Sun package, which is a "bad thing".
If you can download apache commons code, here is a version which will compile without warning:

javac -classpath .:commons-codec-1.4/commons-codec-1.4.jar DumpPrivateKey.java

and will give the same result:

import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
//import sun.misc.BASE64Encoder;
import org.apache.commons.codec.binary.Base64;

public class DumpPrivateKey {
     /**
     * Provides the missing functionality of keytool
     * that Apache needs for SSLCertificateKeyFile.
     *
     * @param args  <ul>
     *              <li> [0] Keystore filename.
     *              <li> [1] Keystore password.
     *              <li> [2] alias
     *              </ul>
     */
    static public void main(String[] args)
    throws Exception {
        if(args.length < 3) {
          throw new IllegalArgumentException("expected args: Keystore filename, Keystore password, alias, <key password: default same tha
n keystore");
        }
        final String keystoreName = args[0];
        final String keystorePassword = args[1];
        final String alias = args[2];
        final String keyPassword = getKeyPassword(args,keystorePassword);
        KeyStore ks = KeyStore.getInstance("jks");
        ks.load(new FileInputStream(keystoreName), keystorePassword.toCharArray());
        Key key = ks.getKey(alias, keyPassword.toCharArray());
        //String b64 = new BASE64Encoder().encode(key.getEncoded());
        String b64 = new String(Base64.encodeBase64(key.getEncoded(),true));
        System.out.println("-----BEGIN PRIVATE KEY-----");
        System.out.println(b64);
        System.out.println("-----END PRIVATE KEY-----");
    }
    private static String getKeyPassword(final String[] args, final String keystorePassword)
    {
       String keyPassword = keystorePassword; // default case
       if(args.length == 4) {
         keyPassword = args[3];
       }
       return keyPassword;
    }
}

You can use it like so:

java -classpath .:commons-codec-1.4/commons-codec-1.4.jar DumpPrivateKey $HOME/.keystore changeit tomcat

User · Answer

This question came up on stackexchange security  one of the suggestions was to use Keystore explorer   https   security stackexchange com questions 3779 how-can-i-export-my-private-key-from-a-java-keytool-keystore  Having just tried it  it works really well and I strongly recommend it

User · Answer

Another great tool is KeyStore Explorer  http   keystore-explorer sourceforge net

User · Answer

If you don t need to do it programatically  but just want to manage your keys  then I ve used IBM s free KeyMan tool for a long time now   Very nice for exporting a private key to a PFX file  then you can easily use OpenSSL to manipulate it  extract it  change pwds  etc    https   www ibm com developerworks mydeveloperworks groups service html communityview communityUuid 6fb00498-f6ea-4f65-bf0c-adc5bd0c5fcc  Select your keystore  select the private key entry  then File- Save to a pkcs12 file    pfx  typically    You can then view the contents with      openssl pkcs12 -in mykeyfile pfx -info

User · Answer

Here is a shorter version of the above code  in Groovy  Also has built-in base64 encoding   import java security Key import java security KeyStore  if  args length  lt  3          throw new IllegalArgumentException  Expected args   lt Keystore file gt   lt Keystore format gt   lt Keystore password gt   lt alias gt   lt key password gt     def keystoreName   args 0  def keystoreFormat   args 1  def keystorePassword   args 2  def alias   args 3  def keyPassword   args 4   def keystore   KeyStore getInstance keystoreFormat  keystore load new FileInputStream keystoreName   keystorePassword toCharArray    def key   keystore getKey alias  keyPassword toCharArray     println  -----BEGIN PRIVATE KEY-----  println key getEncoded   encodeBase64   println  -----END PRIVATE KEY-----

User · Answer

First of all  be careful  All of your security depends on the hellip  er hellip  privacy of your private keys  Keytool doesn t have key export built in to avoid accidental disclosure of this sensitive material  so you might want to consider some extra safeguards that could be put in place to protect your exported keys   Here is some simple code that gives you unencrypted PKCS  8 PrivateKeyInfo that can be used by OpenSSL  see the -nocrypt option of its pkcs8 utility    KeyStore keys       char   password       Enumeration lt String gt  aliases   keys aliases    while  aliases hasMoreElements        String alias   aliases nextElement      if   keys isKeyEntry alias       continue    Key key   keys getKey alias  password     if   key instanceof PrivateKey   amp  amp   PKCS 8  equals key getFormat              Most PrivateKeys use this format  but check for safety         try  FileOutputStream os   new FileOutputStream alias     key            os write key getEncoded           os flush                  If you need other formats  you can use a KeyFactory to get a transparent key specification for different types of keys  Then you can get  for example  the private exponent of an RSA private key and output it in your desired format  That would make a good topic for a follow-up question

User · Answer

You can extract a private key from a keystore with Java6 and OpenSSL   This all depends on the fact that both Java and OpenSSL support PKCS 12-formatted keystores  To do the extraction  you first use keytool to convert to the standard format  Make sure you use the same password for both files  private key password  not the keystore password  or you will get odd failures later on in the second step   keytool -importkeystore -srckeystore keystore jks       -destkeystore intermediate p12 -deststoretype PKCS12   Next  use OpenSSL to do the extraction to PEM   openssl pkcs12 -in intermediate p12 -out extracted pem -nodes   You should be able to handle that PEM file easily enough  it s plain text with an encoded unencrypted private key and certificate s  inside it  in a pretty obvious format    When you do this  take care to keep the files created secure  They contain secret credentials  Nothing will warn you if you fail to secure them correctly  The easiest method for securing them is to do all of this in a directory which doesn t have any access rights for anyone other than the user  And never put your password on the command line or in environment variables  it s too easy for other users to grab

User · Answer

For android development  to convert keystore created in eclipse ADT into public key and private key used in SignApk jar   export private key   keytool exe -importkeystore -srcstoretype JKS -srckeystore my-release-key keystore -deststoretype PKCS12 -destkeystore keys pk12 der openssl exe pkcs12 -in keys pk12 der -nodes -out private rsa pem   edit private rsa pem and leave  -----BEGIN PRIVATE KEY-----  to  -----END PRIVATE KEY-----  paragraph  then   openssl exe base64 -d -in private rsa pem -out private rsa der   export public key   keytool exe -exportcert -keystore my-release-key keystore -storepass  lt KEYSTORE PASSWORD gt  -alias alias name -file public x509 der   sign apk   java -jar SignApk jar public x509 der private rsa der input apk output apk

User · Answer

Another less-conventional but arguably easier way of doing this is with JXplorer  Although this tool is designed to browse LDAP directories  it has an easy-to-use GUI for manipulating keystores  One such function on the GUI can export private keys from a JKS keystore

[java] How do I list / export private keys from a keystore?

Examples related to java

Examples related to ssl

Examples related to keystore