Formatting code for JavaKeystore
{{parent page="CoreJava"}}
===Java keystore===
==To list all keys and certificates==
%%
# List every entry in the keystore. No password is given on the command line,
# so keytool asks for the keystore password interactively.
keytool -list -keystore xxx.jks
%%
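Tomcat's keystore has a default password of "changeit". Because this value is publicly known, it gives no protection to the keys inside; set a different password for anything beyond local testing.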
==Extracting private key==
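keytool has no command that exports a private key directly. Use the following Java program (where keytool supports -importkeystore, converting the keystore to PKCS12 and reading that with openssl is an alternative):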
%%(java;DumpPrivateKey.java)
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Key;
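/**
 * Writes the encoded form of one key from a JKS keystore to standard output.
 *
 * <p>Usage: {@code java DumpPrivateKey file alias password}. The same password is used
 * both to open the keystore and to recover the key entry. The bytes written are whatever
 * {@link Key#getEncoded()} returns (usually PKCS#8 for a private key; check
 * {@link Key#getFormat()} if in doubt).
 *
 * <p>Standard output is meant to be piped into another tool, so every diagnostic goes to
 * standard error and a failure ends with a non-zero exit status. This keeps error text
 * out of the generated key file.
 *
 * <p>Security notes: the password is a command-line argument and is therefore visible in
 * the process list and in shell history. The output is unencrypted private key material;
 * write it only to a location with restrictive permissions.
 */
public class DumpPrivateKey {
    static public void main(String[] args) {
        // Check the argument count up front instead of relying on an
        // ArrayIndexOutOfBoundsException to trigger the usage message.
        if (args.length < 3) {
            System.err.println("Usage: java DumpPrivateKey file alias password");
            System.exit(1);
        }
        try {
            char[] password = args[2].toCharArray();
            KeyStore ks = KeyStore.getInstance("jks");
            FileInputStream in = new FileInputStream(args[0]);
            try {
                ks.load(in, password);
            } finally {
                // Close the keystore file even when loading fails (wrong password, bad format).
                in.close();
            }
            // getKey returns null when the alias is missing or is not a key entry.
            Key key = ks.getKey(args[1], password);
            if (key == null) {
                System.err.println("No key entry found for alias: " + args[1]);
                System.exit(1);
            }
            // getEncoded returns null when the key does not support encoding.
            byte[] encoded = key.getEncoded();
            if (encoded == null) {
                System.err.println("Key for alias " + args[1] + " cannot be encoded");
                System.exit(1);
            }
            System.out.write(encoded);
            System.out.flush();
        } catch (Exception e) {
            e.printStackTrace();
            // stderr, not stdout: stdout is piped into openssl and must carry key bytes only.
            System.err.println("Usage: java DumpPrivateKey file alias password");
            System.exit(1);
        }
    }
}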
%%
Then use it in combination with openssl:
%%
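# tomcat.key will hold the private key unencrypted, so create it readable only by
# the current user. The subshell keeps the tighter umask out of the calling session.
# NOTE: the keystore password is passed as an argument here, so it is visible in the
# process list and ends up in shell history.
(
  umask 077
  {
    echo "-----BEGIN PRIVATE KEY-----"
    java DumpPrivateKey tomcat.keystore tomcat changeit | openssl enc -a
    echo "-----END PRIVATE KEY-----"
  } > tomcat.key
  # umask only applies to newly created files; tighten a pre-existing tomcat.key too.
  chmod 600 tomcat.key
)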
%%
There you go, you just exported the jks private key to a PEM file.
===Java keystore===
==To list all keys and certificates==
%%
# List every entry in the keystore. No password is given on the command line,
# so keytool asks for the keystore password interactively.
keytool -list -keystore xxx.jks
%%
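Tomcat's keystore has a default password of "changeit". Because this value is publicly known, it gives no protection to the keys inside; set a different password for anything beyond local testing.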
==Extracting private key==
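keytool has no command that exports a private key directly. Use the following Java program (where keytool supports -importkeystore, converting the keystore to PKCS12 and reading that with openssl is an alternative):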
%%(java;DumpPrivateKey.java)
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Key;
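/**
 * Writes the encoded form of one key from a JKS keystore to standard output.
 *
 * <p>Usage: {@code java DumpPrivateKey file alias password}. The same password is used
 * both to open the keystore and to recover the key entry. The bytes written are whatever
 * {@link Key#getEncoded()} returns (usually PKCS#8 for a private key; check
 * {@link Key#getFormat()} if in doubt).
 *
 * <p>Standard output is meant to be piped into another tool, so every diagnostic goes to
 * standard error and a failure ends with a non-zero exit status. This keeps error text
 * out of the generated key file.
 *
 * <p>Security notes: the password is a command-line argument and is therefore visible in
 * the process list and in shell history. The output is unencrypted private key material;
 * write it only to a location with restrictive permissions.
 */
public class DumpPrivateKey {
    static public void main(String[] args) {
        // Check the argument count up front instead of relying on an
        // ArrayIndexOutOfBoundsException to trigger the usage message.
        if (args.length < 3) {
            System.err.println("Usage: java DumpPrivateKey file alias password");
            System.exit(1);
        }
        try {
            char[] password = args[2].toCharArray();
            KeyStore ks = KeyStore.getInstance("jks");
            FileInputStream in = new FileInputStream(args[0]);
            try {
                ks.load(in, password);
            } finally {
                // Close the keystore file even when loading fails (wrong password, bad format).
                in.close();
            }
            // getKey returns null when the alias is missing or is not a key entry.
            Key key = ks.getKey(args[1], password);
            if (key == null) {
                System.err.println("No key entry found for alias: " + args[1]);
                System.exit(1);
            }
            // getEncoded returns null when the key does not support encoding.
            byte[] encoded = key.getEncoded();
            if (encoded == null) {
                System.err.println("Key for alias " + args[1] + " cannot be encoded");
                System.exit(1);
            }
            System.out.write(encoded);
            System.out.flush();
        } catch (Exception e) {
            e.printStackTrace();
            // stderr, not stdout: stdout is piped into openssl and must carry key bytes only.
            System.err.println("Usage: java DumpPrivateKey file alias password");
            System.exit(1);
        }
    }
}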
%%
Then use it in combination with openssl:
%%
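# tomcat.key will hold the private key unencrypted, so create it readable only by
# the current user. The subshell keeps the tighter umask out of the calling session.
# NOTE: the keystore password is passed as an argument here, so it is visible in the
# process list and ends up in shell history.
(
  umask 077
  {
    echo "-----BEGIN PRIVATE KEY-----"
    java DumpPrivateKey tomcat.keystore tomcat changeit | openssl enc -a
    echo "-----END PRIVATE KEY-----"
  } > tomcat.key
  # umask only applies to newly created files; tighten a pre-existing tomcat.key too.
  chmod 600 tomcat.key
)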
%%
There you go, you just exported the jks private key to a PEM file.