Keystore formats: JKS and PEM cheatsheet

Version 4

    General commands


    1. create JKS keystore

    keytool -genkey -alias localhostkey -keystore localhost.keystore -storepass password \

    -keypass password -dname "CN=localhost,OU=QE,,L=Brno,C=CZ"


    2. convert localhost.keystore to pkcs12

    keytool -importkeystore -srckeystore localhost.keystore -destkeystore localhost.p12 \

    -srcstoretype jks -deststoretype pkcs12 -srcstorepass password -deststorepass password


    3. convert keystore to PEM

    openssl pkcs12 -in localhost.p12 -out localhost.pem


    4. just private key

    openssl pkcs12 -in localhost.p12 -out localhost-privkey.pem -nocerts -nodes


    5. pem file with just certificate

    openssl pkcs12 -in localhost.p12 -out localhost-cert.pem -clcerts -nokeys


    Creating a CA authority certificate and adding it into keystore


    openssl.cnf file:


    # OpenSSL configuration file.
    # Establish working directory.
    dir                 = .
    [ ca ]
    default_ca              = CA_default
    [ CA_default ]
    serial                  = $dir/serial
    database                = $dir/certindex.txt
    new_certs_dir           = $dir/
    certificate             = $dir/wfkqeca.crt
    private_key             = $dir/wfkqeca.pem
    default_days            = 3650
    default_md              = md5
    preserve                = no
    email_in_dn             = no
    nameopt                 = default_ca
    certopt                 = default_ca
    policy                  = policy_match
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    [ policy_anything ]
    countryName = optional
    stateOrProvinceName= optional
    localityName= optional
    # organizationName = optional
    organizationName = match
    organizationalUnitName = optional
    commonName= supplied
    emailAddress= optional
    [ req ]
    default_bits            = 1024          # Size of keys
    default_keyfile         = key.pem       # name of generated keys
    default_md              = md5           # message digest algorithm
    string_mask             = nombstr       # permitted characters
    distinguished_name      = req_distinguished_name
    req_extensions          = v3_req
    [ req_distinguished_name ]
    # Variable name             Prompt string
    #-------------------------    ----------------------------------
    0.organizationName          = Organization Name (company)
    organizationalUnitName      = Organizational Unit Name (department, division)
    emailAddress                = Email Address
    emailAddress_max            = 40
    localityName                = Locality Name (city, district)
    stateOrProvinceName         = State or Province Name (full name)
    countryName             = Country Name (2 letter code)
    countryName_min             = 2
    countryName_max             = 2
    commonName              = Common Name (hostname, IP, or your name)
    commonName_max              = 64
    # Default values for the above, for consistency and less typing.
    # Variable name             Value
    #------------------------     ------------------------------
    0.organizationName_default      = JBoss QE
    localityName_default            = Brno
    stateOrProvinceName_default     = Jihomoravsky kraj
    organizationalUnitName_default  = WFK QE
    countryName_default         = CZ
    emailAddress_default        =
    commonName_default          = WFK QE CA
    [ v3_ca ]
    basicConstraints            = CA:TRUE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always,issuer:always
    [ v3_req ]
    basicConstraints            = CA:FALSE
    subjectKeyIdentifier        = hash
    subjectAltName              = @alt_names
    [ server_eku ]
    basicConstraints            = CA:FALSE
    subjectKeyIdentifier        = hash
    extendedKeyUsage = serverAuth
    subjectAltName              = @alt_names
    [ client_eku ]
    basicConstraints            = CA:FALSE
    subjectKeyIdentifier        = hash
    extendedKeyUsage = clientAuth
    subjectAltName              = @alt_names
    [ alt_names ] 
    DNS.1 = localhost
    IP.1 =


    To create a CA key pair:


    openssl req -new -x509 -config openssl.cnf -extensions v3_ca -keyout wfkqeca.pem -out wfkqeca.crt -days 3650


    To import in into a keystore:


    keytool -importcert -alias wfkqaca -file wfkqeca.crt -keypass password -trustcacerts -storetype jks -keystore wfkqe.jks -storepass password


    Creating a multiple hosts (SAN) private key, signing it with CA and storing in keystore/truststore

    (Note JDK7 keytool is required to handle extension syntax):


    Creating a key pair:


    keytool -genkeypair -alias wfkqe -keystore wfkqe.jks -storetype jks -storepass password -keypass password -dname "CN=localhost,OU=WFK QE,O=JBoss QE,L=Brno,C=CZ" -ext "SAN=DNS:localhost,IP:" -validity 3650


    Creating a certification request:


    keytool -certreq -ext "SAN=DNS:localhost,IP:" -alias wfkqe -file wfkqereq.cer -keypass password -storetype jks -keystore wfkqe.jks -storepass password


    Sign it:


    openssl ca -policy policy_anything -config openssl.cnf -extensions server_eku -out wfkqe.crt -days 3650 -infiles wfkqereq.cer


    Import it into keystore:


    openssl x509 -in wfkqe.crt -out wfkqex509.crt
    keytool -importcert -alias wfkqe -file wfkqex509.crt -keypass password -storetype jks -keystore wfkqe.jks -storepass password


    Creating a signed X509 certificate for usage in browsers

    Create a certificate request:


    openssl req -new -nodes -config openssl.cnf -extensions client_eku -out rodreq.cer -keyout rod.pem -days 3650


    Sign it:


    openssl ca -policy policy_anything -config openssl.cnf -extensions client_eku -out rod.crt -days 3650 -infiles rodreq.cer


    Create X509 in PKCS12 format:


    openssl pkcs12 -export -in rod.crt -inkey rod.pem -certfile wfkqeca.crt -clcerts -name "rod" -out rod.p12