Wednesday, February 4, 2009

Import private key and certificate in Java keystore

It is not possible to import an existing private key for which an certificate is already made. But with the description on this website it is possible to do this.

An summary of the contents:

Convert key and certificate to PEM with openssl

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

With an java program ImportKey it is possible to create an new keystore with the private key in it. (java 1.5):

Set the classpath to the directory where ImportKey is placed.

java ImportKey key.der cert.der
Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey Password:importkey

This program creates an keystore named: /home/user/keystore.ImportKey. Now everything can be changed using the keytool:

1. Rename keystore: with an mv or an cp
2. Change password keystore:

keytool -keystore –storepasswd
Enter keystore password:
New keystore password:
Re-enter new keystore password:

3. Change password certificate:

keytool -keypasswd -keypass importkey -new -alias importkey -keystore

4. Change alias importkey

keytool -keystore -keyclone -alias importkey -dest
Enter keystore password:
Enter key password for
(RETURN if same as for )

5. Delete old alias:

keytool -keystore -delete -alias importkey

Java code ImportKey program:

import java.util.Collection;
import java.util.Iterator;


This class imports a key and a certificate into a keystore
* ($home/keystore.ImportKey). If the keystore is
* already present, it is simply deleted. Both the key and the
* certificate file must be in DER-format. The key must be
* encoded with PKCS#8-format. The certificate must be
* encoded in X.509-format.


Key format:


openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der
* -outform der


Format of the certificate:


openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform
* der


Import key and certificate:


java comu.ImportKey YOUR.KEY.der YOUR.CERT.der


Caution: the old keystore.ImportKey-file is
* deleted and replaced with a keystore only containing YOUR.KEY
* and YOUR.CERT. The keystore and the key has no password;
* they can be set by the keytool -keypasswd-command for setting
* the key password, and the keytool -storepasswd-command to set
* the keystore password.

The key and the certificate is stored under the alias
* importkey; to change this, use keytool -keyclone.
* Created: Fri Apr 13 18:15:07 2001
* Updated: Fri Apr 19 11:03:00 2002
* @author Joachim Karrer, Jens Carlberg
* @version 1.1
public class ImportKey {


Creates an InputStream from a file, and fills it with the complete
* file. Thus, available() on the returned InputStream will return the
* full number of bytes the file contains

* @param fname The filename
* @return The filled InputStream
* @exception IOException, if the Streams couldn't be created.
private static InputStream fullStream ( String fname ) throws IOException {
FileInputStream fis = new FileInputStream(fname);
DataInputStream dis = new DataInputStream(fis);
byte[] bytes = new byte[dis.available()];
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
return bais;


Takes two file names for a key and the certificate for the key,
* and imports those into a keystore. Optionally it takes an alias
* for the key.

The first argument is the filename for the key. The key should be
* in PKCS8-format.

The second argument is the filename for the certificate for the key.

If a third argument is given it is used as the alias. If missing,
* the key is imported with the alias importkey

The name of the keystore file can be controlled by setting
* the keystore property (java -Dkeystore=mykeystore). If no name
* is given, the file is named keystore.ImportKey
* and placed in your home directory.
* @param args [0] Name of the key file, [1] Name of the certificate file
* [2] Alias for the key.
public static void main ( String args[]) {

// change this if you want another password by default
String keypass = "importkey";

// change this if you want another alias by default
String defaultalias = "importkey";

// change this if you want another keystorefile by default
String keystorename = System.getProperty("keystore");

if (keystorename == null)
keystorename = System.getProperty("user.home")+
"keystore.ImportKey"; // especially this ;-)

// parsing command line input
String keyfile = "";
String certfile = "";
if (args.length < 2 || args.length>3) {
System.out.println("Usage: java comu.ImportKey keyfile certfile [alias]");
} else {
keyfile = args[0];
certfile = args[1];
if (args.length>2)
defaultalias = args[2];

try {
// initializing and clearing keystore
KeyStore ks = KeyStore.getInstance("JKS", "SUN");
ks.load( null , keypass.toCharArray());
System.out.println("Using keystore-file : "+keystorename); FileOutputStream ( keystorename ),
ks.load(new FileInputStream ( keystorename ),

// loading Key
InputStream fl = fullStream (keyfile);
byte[] key = new byte[fl.available()];
KeyFactory kf = KeyFactory.getInstance("RSA"); ( key, 0, fl.available() );
PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
PrivateKey ff = kf.generatePrivate (keysp);

// loading CertificateChain
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream certstream = fullStream (certfile);

Collection c = cf.generateCertificates(certstream) ;
Certificate[] certs = new Certificate[c.toArray().length];

if (c.size() == 1) {
certstream = fullStream (certfile);
System.out.println("One certificate, no chain.");
Certificate cert = cf.generateCertificate(certstream) ;
certs[0] = cert;
} else {
System.out.println("Certificate chain length: "+c.size());
certs = (Certificate[])c.toArray();

// storing keystore
ks.setKeyEntry(defaultalias, ff,
certs );
System.out.println ("Key and certificate stored.");
System.out.println ("Alias:"+defaultalias+" Password:"+keypass); FileOutputStream ( keystorename ),
} catch (Exception ex) {

}// KeyStore


  1. Great information , thanks.
    Small correction: PEM with openssl...
    probably has to be:
    ....from PEM to DER with openssl....

  2. I dont understand why people blog such stuff. When it make you happy.. OK

  3. Thanks for sharing the information Many people think that It is not possible to import an existing private key for which an certificate is already made.This will help them to achieve this.Good work keep it up

  4. Really helped me greatly

  5. With this I can create a pfx file from cert and public key ?

  6. Thanks! Helped me out a lot.

  7. Thanx a lot for this info...:)
    Could u please tell how to export key and cert from keystore.importkey created after this process..

  8. The purpose of converting a FileInputStream to a ByteArrayInputStream escapes me. InpputStream.available() does not return the length of the stream, and there is a specific warning in the Javadoc against using it exactly the way you are here. It isn't necessary to write any code to accomplish this objective: it can all be done with the OpenSSL command and the keytool. Key passwords should be avoided in Java unless you provide a custom KeyManager that knows about them: the default one doesn't, and can't be told.

  9. 2ejp: that's for poor guys with java 1.5 or below where keytool doesn't have "importkeystore" option.

    2arjan: thanks a lot!

  10. Hi,

    I wanted to do a soap api call integration in my application.Can you pl let me know the steps for passing the certificates,generating keystores stuff.