This article will demonstrate how to in Java read private key from file. Let us assume that you have a pem encoded RSA private key in a file that you want to load into the Java PrivateKey
object.
The first two steps are for generating a private key and storing it in a file. Skip to step 3 if you already have a pem encoded private key.
- generate an RSA private key using the Java keytool.
- Extract the private key from the keystore using OpenSSL. See this post for more details.
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
- Create a Java class to read the pem encoded private key and store in a
PrivateKey
object.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
public class PrivateKeyReader {
public static void main(String args[]) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
byte[] key = Files.readAllBytes(Paths.get("key.pem"));
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(key);
PrivateKey finalKey = keyFactory.generatePrivate(keySpec);
System.out.println(finalKey.getAlgorithm());
}
}
- Load the key file into an array of bytes.
- Create a Java
KeyFactory
object of RSA. - Create a PKCS8EncodedKeySpec object containing the loaded key.
- Create the Java
PrivateKey
object. - Print out the key algorithm to verify it was successfully created.
Note that if you receiving the following error, you will need to convert your private key to be PKCS8 formatted. To convert the pem encoded private key to pkcs8 format run the following command:
openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key2.pem -nocrypt
Exception in thread "main" java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:251)
at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:390)
at PrivateKeyReader.main(PrivateKeyReader.java:17)
Caused by: java.security.InvalidKeyException: invalid key format
at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:330)
at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:355)
at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:130)
at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:80)
at java.base/sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:356)
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:247)
... 2 more
Debug Java Private Key
Using your favorite IDE (Integrated Development Environment) you may also debug and inspect the generated Java private key. Our recommended IDE is IntelliJ.

Conclusion – Java read private key from file
In conclusion, this article has demonstrated how to read a private key from a file and convert to a Java PrivateKey
object. Let us know in the comments if you have any questions or would like to see additional examples.
Leave a Reply