Using the keytool utility, it is easy to extract the public key of an already created “public-private” key pair, which is stored in a keystore.

Here are the steps:

Step 1: Creating the “public-private” key-pair.

keytool -genkey -alias certificatekey -keyalg RSA -validity 7 -keystore keystore.jks


Step 2: Validate the “public-private” key pair that was created in Step 1.

keytool -list -v -keystore keystore.jks

The output would be like this.

crishantha@crishantha-laptop$ keytool -list -v -keystore keystore.jks
Enter keystore password:  password

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: certificatekey
Creation date: Aug 23, 2011
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Crishantha Nanayakkara, OU=Technical, O=ICTA, L=Colombo, ST=Western, C=SL
Issuer: CN=Crishantha Nanayakkara, OU=Technical, O=ICTA, L=Colombo, ST=Western, C=SL
Serial number: 4e531ddf
Valid from: Tue Aug 23 08:56:23 IST 2011 until: Tue Aug 30 08:56:23 IST 2011
Certificate fingerprints:
	 MD5:  4A:40:DB:0B:50:AF:A5:A7:DC:FD:D0:18:1D:5E:DC:BB
	 SHA1: 0A:BF:07:1A:4B:D2:A8:4B:35:3E:4B:B9:60:D7:E9:22:02:F0:04:FF

*******************************************
*******************************************

Step 3: Extract the “public key” (as a certificate) from the “public-private” key pair that you created in Step 1.

keytool -export -alias certificatekey -keystore keystore.jks -rfc -file public.cert

Step 4: Check the extracted public key (public.cert)

cat public.cert

The output would be like this.

-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----

Step 5: Now it is time to create the truststore using the public key that was extracted in Step 3.

keytool -import -alias certificatekey -file public.cert -keystore server.truststore

Step 6: Congratulations! You have now created a self-signed certificate and imported it into a truststore using keytool. Now you can validate the truststore contents using keytool.

keytool -list -v -keystore server.truststore

The output would be like this.

crishantha@crishantha-laptop:~$ keytool -list -v -keystore server.truststore
Enter keystore password:  password

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: certificatekey
Creation date: Aug 28, 2011
Entry type: trustedCertEntry

Owner: CN=Crishantha Nanayakkara, OU=Technical, O=ICTA, L=Colombo, ST=Western, C=SL
Issuer: CN=Crishantha Nanayakkara, OU=Technical, O=ICTA, L=Colombo, ST=Western, C=SL
Serial number: 4e531ddf
Valid from: Tue Aug 23 08:56:23 IST 2011 until: Tue Aug 30 08:56:23 IST 2011
Certificate fingerprints:
	 MD5:  4A:40:DB:0B:50:AF:A5:A7:DC:FD:D0:18:1D:5E:DC:BB
	 SHA1: 0A:BF:07:1A:4B:D2:A8:4B:35:3E:4B:B9:60:D7:E9:22:02:F0:04:FF

*******************************************
*******************************************

Now, if you look closely, when you listed the keystore in Step 2 the certificate was shown as “keyEntry”, whereas in Step 6 it is listed as “trustedCertEntry”. The difference is that the former has the private key with it and the latter does not.
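Added example (not from the original post): a small Python checker that parses `keytool -list -v` output for the keystore and the truststore and confirms that the truststore holds exactly the certificate that was exported (same SHA1 fingerprint), that it is a trustedCertEntry rather than a key entry, and that the 7-day certificate has not already expired. The listings below are constructed to mirror the output shown above; the function and field names are this example's own.

```python
from datetime import datetime
# Constructed sample mirroring the page's `keytool -list -v -keystore keystore.jks` output (Step 2).
KEYSTORE_LISTING = """\
Keystore type: jks
Alias name: certificatekey
Entry type: keyEntry
Owner: CN=Crishantha Nanayakkara, OU=Technical, O=ICTA, L=Colombo, ST=Western, C=SL
Issuer: CN=Crishantha Nanayakkara, OU=Technical, O=ICTA, L=Colombo, ST=Western, C=SL
Valid from: Tue Aug 23 08:56:23 IST 2011 until: Tue Aug 30 08:56:23 IST 2011
Certificate fingerprints:
\t SHA1: 0A:BF:07:1A:4B:D2:A8:4B:35:3E:4B:B9:60:D7:E9:22:02:F0:04:FF
"""
# The page's server.truststore listing (Step 6) is the same apart from the entry type.
TRUSTSTORE_LISTING = KEYSTORE_LISTING.replace("keyEntry", "trustedCertEntry")

def parse_keytool_listing(text):
    """Map alias -> fields from `keytool -list -v` output (Entry type, Owner, Issuer, SHA1, until)."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.strip().partition(":"))
        if key == "Alias name":
            cur = entries.setdefault(value, {})
        elif cur is None or not sep:
            continue                                   # header lines and separators
        elif key in ("Entry type", "Owner", "Issuer", "Serial number"):
            cur[key] = value
        elif key in ("MD5", "SHA1", "SHA256"):
            cur[key] = value.upper()
        elif key == "Valid from":                      # "... until: Tue Aug 30 08:56:23 IST 2011"
            w = value.split("until:")[1].split()       # drop the zone name; strptime cannot read it
            cur["until"] = datetime.strptime(" ".join(w[:4] + w[5:]), "%a %b %d %H:%M:%S %Y")
    return entries

def check_truststore(keystore_text, truststore_text, alias, now):
    """Findings for `alias`; an empty list means the truststore holds exactly the exported cert."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    ks = parse_keytool_listing(keystore_text).get(alias)
    ts = parse_keytool_listing(truststore_text).get(alias)
    if ks is None or ts is None:
        return [f"alias {alias!r} missing from keystore or truststore"]
    findings = []
    if ts["Entry type"] != "trustedCertEntry":
        findings.append("truststore entry is not a trustedCertEntry: a private key was imported")
    if not ks.get("SHA1") or ks["SHA1"] != ts.get("SHA1"):
        findings.append("SHA1 fingerprint differs: the imported certificate is not the exported one")
    if ts["until"] < now:
        findings.append(f"certificate expired on {ts['until']:%Y-%m-%d}")
    if ts["Owner"] == ts["Issuer"]:
        findings.append("note: self-signed certificate, only this fingerprint check vouches for it")
    return findings
```

In practice you would feed it the captured output of the two `keytool -list -v` commands and today's date; the self-signed note is expected for this walkthrough, since nothing but the fingerprint comparison ties the truststore entry to the key you generated.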

Sometimes you might also need the private key from the keystore. However, it is not as straightforward as you might wish. Unlike exporting the certificate from the key pair, you first have to save the private key in PKCS#12 format and then convert that to a text (PEM) file. So, here are the steps:

Step 1: Copy the key-pair entry from the JKS keystore into a PKCS#12 keystore.

keytool -v -importkeystore -srckeystore keystore.jks -srcalias certificatekey -destkeystore myp12file.p12 -deststoretype PKCS12

Step 2: Convert the PKCS#12 file to PEM with OpenSSL. It prompts for the PKCS#12 import password and then for a PEM pass phrase, which is used to encrypt the private key written to private.pem.

openssl pkcs12 -in myp12file.p12 -out private.pem