How to export .key and .crt from keystore

When I was building android app on development machine, I was required to have SSL certificate for app so I generated a keystore with keytool for Tomcat. I extracted the cert from keystore and put it into .bks for using android, and all went well. Now we have to shift all server-side code to server which required Apache HTTP and Tomcat. Apache HTTP SSL requires .key and .crt files and I cannot find a way to export .key and .crt file from the keystore Can anyone help with this? I found that you can generate .crt from .pem

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

But how can i get .key file? 310k 44 44 gold badges 317 317 silver badges 487 487 bronze badges asked Apr 15, 2014 at 15:01 Dusean Singh Dusean Singh 1,484 2 2 gold badges 15 15 silver badges 20 20 bronze badges

3 Answers 3

Keytool (available in JDK) allows you to export certificates to a file:

keytool -exportcert -keystore [keystore] -alias [alias] -file [cert_file]

To export regular keys you should use -importkeystore command (surprise):

keytool -importkeystore -srckeystore [keystore] -destkeystore [target-keystore] -deststoretype PKCS12

answered Apr 15, 2014 at 15:10 10.1k 4 4 gold badges 45 45 silver badges 54 54 bronze badges This never works, exporting keys does not work this way Commented Aug 21, 2015 at 14:30 Do you mind explaining why it does not work for you? Commented Aug 21, 2015 at 23:25 The question was how to export key file. Converting to PEM is already explained in question itself Commented Aug 24, 2015 at 18:08

Key file is exported in .p12 format but later on it is not clear how to store that to .key file using openSSL

Commented Aug 25, 2015 at 9:33 security.stackexchange.com/a/66865/130215 this is a more complete answer. Commented Jul 27, 2023 at 7:55

Just write a script to streamline the process.

#!/usr/bin/env bash # Extracts the private key and certificate from a Java keystore and saves them # # Ouputs: # .p12: private key and certificate in PKCS12 format # .pem: private key and certificate in PEM format # .crt: certificate only # .key: private key only # Usage: # jks2pem.sh # Example: # jks2pem.sh keystore.jks if [ -z "$1" ]; then echo "Usage: jks2pem.sh .jks" exit 1 fi base_name=$(basename "$1" .jks) temp_password="changeit" keytool -importkeystore -srckeystore "$1" -srcstoretype jks \ -destkeystore "$base_name.p12" -deststoretype PKCS12 \ -deststorepass "$temp_password" # Export the private key and certificate as a PEM file without a password openssl pkcs12 -nodes -in "$base_name.p12" -out "$base_name.pem" -passin pass:"$temp_password" # Export the certificate as a PEM file openssl pkcs12 -nokeys -in "$base_name.p12" -out "$base_name.crt" -passin pass:"$temp_password" # Export the private key as a PEM file openssl pkcs12 -nocerts -nodes -in "$base_name.p12" -out "$base_name.key" -passin pass:"$temp_password"