000021440 - How to convert a JKS store into a PKCS12 store in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021440
Applies ToRSA ClearTrust 5.5
RSA ClearTrust Agents
Sun JDK 1.4.2
OpenSSL 0.9.7c
IssueHow to convert a JKS store into a PKCS12 store in RSA ClearTrust
CauseRSA ClearTrust C-based Agents do not support JKS stores. To do mutually authenticated SSL between these Agents and a JKS store ClearTrust server, convert the JKS store into a P12 store.

1. Export the certificate from JKS store to a file using the java keytool command located in the ClearTrust jre/bin directory:

    keytool -export -alias test keytool -export -alias test
    Enter keystore password:  12345678
    Certificate stored in file <exported.crt>

    openssl x509 -noout -text -in exported.crt -inform der

2. Convert it to another format - PEM - which is more widely used in applications such as Apache and by OpenSSL to do the PKCS12 conversion:

    openssl x509 -out exported-pem.crt -outform PEM -text -in exported.crt -inform der

3. Extract the private key using this piece of java code:


// How to export the private key from keystore?
// Does keytool not have an option to do so?
// This example use the "testkeys" file that comes with JSSE 1.0.3

import sun.misc.BASE64Encoder;
import java.security.cert.Certificate;
import java.security.*;
import java.io.File;
import java.io.FileInputStream;

class ExportPriv {
    public static void main(String args[]) throws Exception{
 for (int i = 0; i < args.length; i++) {
   System.out.println(i + ": "+ args[i]);
  if (args.length < 2) {
   // (the password is visible to other users via ps
   // this was a quick-n-dirty fix to export from a keystore to pkcs12
   // someday I may fix, but for now it'll have to do.
   System.err.println("Usage: java ExportPriv <keystore> <alias> <password>");
  ExportPriv myep = new ExportPriv();
  myep.doit(args[0], args[1], args[2]);

    public void doit(String fileName, String aliasName, String pass) throws Exception{

 keystore ks = KeyStore.getInstance("JKS");

 char[] passPhrase = pass.toCharArray();
 BASE64Encoder myB64 = new BASE64Encoder();

 File certificateFile = new File(fileName);
 ks.load(new FileInputStream(certificateFile), passPhrase);

 KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);

 PrivateKey privKey = kp.getPrivate();

 String b64 = myB64.encode(privKey.getEncoded());

 System.out.println("-----BEGIN PRIVATE KEY-----");
 System.out.println("-----END PRIVATE KEY-----");


// From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html

   public KeyPair getPrivateKey(keystore keystore, String alias, char[] password) {
        try {
            // Get private key
            Key key = keystore.getKey(alias, password);
            if (key instanceof PrivateKey) {
                // Get certificate of public key
                Certificate cert = keystore.getCertificate(alias);
                // Get public key
                PublicKey publicKey = cert.getPublicKey();
                // Return a key pair
                return new KeyPair(publicKey, (PrivateKey)key);
        } catch (UnrecoverableKeyException e) {
        } catch (NoSuchAlgorithmException e) {
        } catch (KeyStoreException e) {
        return null;



Compile and run the code:

javac ExportPriv
java ExportPriv test.jks test 12345678 > exported.key

4. Package the certificate and private key now into the PKCS12 store

    openssl pkcs12 -export -out exported.pfx -inkey exported.key -in exported-pem.crt

5. Now you can use the PKCS12 file for your keystore

Legacy Article IDa22950