Keystore formats: JKS and PEM cheatsheet

General commands


1. create JKS keystore

keytool -genkey -alias localhostkey -keystore localhost.keystore -storepass password \

-keypass password -dname "CN=localhost,OU=QE,,L=Brno,C=CZ"


2. convert localhost.keystore to pkcs12

keytool -importkeystore -srckeystore localhost.keystore -destkeystore localhost.p12 \

-srcstoretype jks -deststoretype pkcs12 -srcstorepass password -deststorepass password


3. convert keystore to PEM

openssl pkcs12 -in localhost.p12 -out localhost.pem


4. just private key

openssl pkcs12 -in localhost.p12 -out localhost-privkey.pem -nocerts -nodes


5. pem file with just certificate

openssl pkcs12 -in localhost.p12 -out localhost-cert.pem -clcerts -nokeys


Creating a CA authority certificate and adding it into keystore


openssl.cnf file:


# OpenSSL configuration file.

# Establish working directory.

dir                 = .

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/certindex.txt
new_certs_dir           = $dir/
certificate             = $dir/wfkqeca.crt
private_key             = $dir/wfkqeca.pem
default_days            = 3650
default_md              = md5
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName= optional
localityName= optional
# organizationName = optional
organizationName = match
organizationalUnitName = optional
commonName= supplied
emailAddress= optional

[ req ]
default_bits            = 1024          # Size of keys
default_keyfile         = key.pem       # name of generated keys
default_md              = md5           # message digest algorithm
string_mask             = nombstr       # permitted characters
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName          = Organization Name (company)
organizationalUnitName      = Organizational Unit Name (department, division)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name (city, district)
stateOrProvinceName         = State or Province Name (full name)
countryName             = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName              = Common Name (hostname, IP, or your name)
commonName_max              = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#------------------------     ------------------------------
0.organizationName_default      = JBoss QE
localityName_default            = Brno
stateOrProvinceName_default     = Jihomoravsky kraj
organizationalUnitName_default  = WFK QE
countryName_default         = CZ
emailAddress_default        =
commonName_default          = WFK QE CA

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier        = hash
subjectAltName              = @alt_names

[ server_eku ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier        = hash
extendedKeyUsage = serverAuth
subjectAltName              = @alt_names

[ client_eku ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier        = hash
extendedKeyUsage = clientAuth
subjectAltName              = @alt_names

[ alt_names ] 
DNS.1 = localhost
IP.1 =


To create a CA key pair:


openssl req -new -x509 -config openssl.cnf -extensions v3_ca -keyout wfkqeca.pem -out wfkqeca.crt -days 3650


To import in into a keystore:


keytool -importcert -alias wfkqaca -file wfkqeca.crt -keypass password -trustcacerts -storetype jks -keystore wfkqe.jks -storepass password


Creating a multiple hosts (SAN) private key, signing it with CA and storing in keystore/truststore

(Note JDK7 keytool is required to handle extension syntax):


Creating a key pair:


keytool -genkeypair -alias wfkqe -keystore wfkqe.jks -storetype jks -storepass password -keypass password -dname "CN=localhost,OU=WFK QE,O=JBoss QE,L=Brno,C=CZ" -ext "SAN=DNS:localhost,IP:" -validity 3650


Creating a certification request:


keytool -certreq -ext "SAN=DNS:localhost,IP:" -alias wfkqe -file wfkqereq.cer -keypass password -storetype jks -keystore wfkqe.jks -storepass password


Sign it:


openssl ca -policy policy_anything -config openssl.cnf -extensions server_eku -out wfkqe.crt -days 3650 -infiles wfkqereq.cer


Import it into keystore:


openssl x509 -in wfkqe.crt -out wfkqex509.crt
keytool -importcert -alias wfkqe -file wfkqex509.crt -keypass password -storetype jks -keystore wfkqe.jks -storepass password


Creating a signed X509 certificate for usage in browsers

Create a certificate request:


openssl req -new -nodes -config openssl.cnf -extensions client_eku -out rodreq.cer -keyout rod.pem -days 3650


Sign it:


openssl ca -policy policy_anything -config openssl.cnf -extensions client_eku -out rod.crt -days 3650 -infiles rodreq.cer


Create X509 in PKCS12 format:


openssl pkcs12 -export -in rod.crt -inkey rod.pem -certfile wfkqeca.crt -clcerts -name "rod" -out rod.p12