Convert JKS and P12 to Crt and Key files with OpenSSL

PKCS#12 is a successor to Microsoft’s PFX format. It defines an archive file format for storing many cryptographic objects in a single file. It is commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of trusted certificates, starting from the root certificate authority. The file extensions PFX (.pfx) and PKCS#12 (.p12), like the terms themselves, are used more or less interchangeably and refer to the same standard.

PKCS#12 files are normally generated using OpenSSL, which is an open-source tool. We can use the same tool to convert JKS (Java keystore) and PKCS#12 files to .crt and .key files.

We can use the following command to convert a JKS file to P12:

keytool -importkeystore -srckeystore my_cert.jks -destkeystore my_cert.p12 -deststoretype PKCS12

Thereafter, we can convert it to a certificate (.crt) file using the commands below:

# output only the client certificate
openssl pkcs12 -in my_cert.p12 -clcerts -nokeys -out my_cert.crt

# output the full chain of trusted certificates
openssl pkcs12 -in my_cert.p12 -nokeys -out my_cert_full.crt

We can extract the key (.key) file using the commands below:

# generates a key file with the private key encrypted
openssl pkcs12 -in my_cert.p12 -nocerts -out my_cert.key

# generates a key file with the private key unencrypted (plaintext on disk; restrict access to the file)
openssl pkcs12 -in my_cert.p12 -nocerts -nodes -out my_cert.key
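
The extraction steps above combined into one function, as an added example that is not part of the original post: it writes both files under umask 077 and confirms that the extracted key belongs to the extracted certificate by comparing public keys. The function name p12_split and the P12_PASS environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: the P12 password is supplied in the environment variable
# P12_PASS; the function name p12_split is hypothetical.

p12_split() {
    p12=$1
    outdir=$2
    crt="$outdir/my_cert.crt"
    key="$outdir/my_cert.key"

    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }
    [ -n "${P12_PASS+set}" ] || { echo "P12_PASS is not set" >&2; return 2; }

    (
        # Files created in this subshell are readable by the owner only.
        umask 077
        mkdir -p "$outdir" || exit 2
        # Same commands as above; the password comes from the environment
        # instead of an interactive prompt or a command-line argument.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys -out "$crt" || exit 3
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes -out "$key" || exit 3
    ) || return $?

    # Public key carried in the certificate vs. the one derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout) || return 4

    if [ "$crt_pub" = "$key_pub" ]; then
        echo "OK: $crt and $key match"
        return 0
    fi
    echo "MISMATCH: $key is not the key for $crt" >&2
    return 1
}

# Runs only when called with arguments: ./p12_split.sh my_cert.p12 ./out
if [ "$#" -eq 2 ]; then
    p12_split "$1" "$2"
fi
```
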

Refer to this post for more details on working with certificates and conversions using OpenSSL.
