What is Java keytool?
The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use the Java keytool to export a cert from a keystore. In many respects, the Java keytool is a competing utility with openssl for keystore, key, and certificate management.
Use case to export a cert from a keystore.
On occasion, you may want to move a cert around, import it into another keystore, or give a third party your public key. In that case, if you haven't stored the cert outside of the keystore, it will be necessary to export the certificate from the keystore. You do not want to share the keystore itself if it contains a private key; share only the certificate, which contains the public key.
What keytool command do I use to export a cert from a keystore?
Use this command to export a cert from a keystore using the Java keytool. The result will be the X.509 certificate in PEM format. If the -rfc option is left off, the result will be in binary (DER) format.

keytool -exportcert \
    -rfc \
    -alias example \
    -file cert.pem \
    -keystore example.p12 \
    -storepass changeit \
    -storetype PKCS12 \
    -v
Java keytool options:
-rfc – Will output in PEM format as defined by RFC 1421.
-alias – The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.
-file – The file to contain the exported X.509 certificate.
-keystore – The filename of the keystore.
-storepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you, rather than writing your password in plain text on the command line, where it ends up in shell history and process listings.
-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
-v – Verbose output.
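The following script is an added example, not part of the original article: it builds a throwaway PKCS12 keystore, runs the export described above both with and without -rfc, and then checks what came out before it is shared. The alias "example", the keystore name example.p12, the password "changeit" and the output file names are assumptions carried over from the command above; the helper functions (gen_keystore, export_cert, cert_format, safe_to_share) are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): export a certificate from a
# PKCS12 keystore with keytool and sanity-check the result before sharing it.
# Assumed names: alias "example", keystore example.p12, password "changeit".
# The keystore is generated here so the script runs stand-alone.
set -eu

# Create a throwaway PKCS12 keystore holding one self-signed key pair.
# Assumes keytool from a JDK is on PATH; returns non-zero if it is missing.
gen_keystore() {
    ks="$1"; pass="$2"
    command -v keytool >/dev/null 2>&1 || return 1
    rm -f "$ks"
    keytool -genkeypair -alias example -keyalg RSA -keysize 2048 \
        -dname "CN=example, O=Example Org" -validity 30 \
        -keystore "$ks" -storetype PKCS12 -storepass "$pass" -keypass "$pass" \
        >/dev/null 2>&1
}

# Export the certificate for the alias. With -rfc the output is PEM; passing
# "der" as the fourth argument drops -rfc and yields binary DER instead.
export_cert() {
    ks="$1"; pass="$2"; out="$3"; fmt="${4:-pem}"
    if [ "$fmt" = pem ]; then rfc=-rfc; else rfc=; fi
    keytool -exportcert $rfc -alias example -file "$out" \
        -keystore "$ks" -storepass "$pass" -storetype PKCS12 >/dev/null 2>&1
}

# Classify an exported file by its first byte: PEM starts with the "-----BEGIN"
# armor line ('-' is 0x2d), DER starts with the ASN.1 SEQUENCE tag 0x30.
cert_format() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$first" in
        2d) if head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'; then
                echo pem
            else
                echo unknown
            fi ;;
        30) echo der ;;
        *)  echo unknown ;;
    esac
}

# Refuse to hand out a file that carries private-key material: the export is
# meant to share the public certificate, never the keystore's private key.
safe_to_share() {
    [ -s "$1" ] || return 1
    ! grep -q 'PRIVATE KEY' "$1"
}

demo() {
    tmp=$(mktemp -d)
    if ! gen_keystore "$tmp/example.p12" changeit; then
        echo "keytool not found; skipping demo"
        rm -rf "$tmp"
        return 0
    fi
    export_cert "$tmp/example.p12" changeit "$tmp/cert.pem" pem
    export_cert "$tmp/example.p12" changeit "$tmp/cert.der" der
    echo "cert.pem format: $(cert_format "$tmp/cert.pem")"   # pem
    echo "cert.der format: $(cert_format "$tmp/cert.der")"   # der
    if safe_to_share "$tmp/cert.pem"; then
        echo "cert.pem contains no private key: OK"
    fi
    rm -rf "$tmp"
}

demo
```

The format check is what you want before pasting the file into a system that expects PEM: a DER export produced by forgetting -rfc fails to load with an unhelpful parse error. The safe_to_share check guards against the mistake the article warns about, handing over a file that happens to contain the private key rather than just the certificate.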
Here are the official keytool docs to dive further into how to export a certificate from a keystore. https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__EXPORTDATA-507D3175