Core Java

List Private Keys From a JKS Keystore

A Keystore is a repository that contains security certificates and their corresponding private keys. Listing private keys from a keystore is an essential task for managing and verifying the contents of the keystore. Let us delve into understanding how to list private keys from a jks keystore using command-line tools and Java.

1. Introduction

A Keystore is a repository that contains security certificates and their corresponding private keys. It is widely used in Java applications for handling cryptographic keys and certificates needed for SSL/TLS, code signing, and other security-related functions. Keystores ensure that keys and certificates are stored securely and can be accessed only by authorized entities.

Keystores can store several types of entries, including

  • PrivateKeyEntry: Contains a private key and its associated certificate chain.
  • TrustedCertificateEntry: Contains only a certificate.
  • SecretKeyEntry: Contains a symmetric key.

There are different types of keystores, such as JKS (Java KeyStore), PKCS12, and others. Each type has its format and characteristics. For more detailed information on keystores, you can refer to the official Oracle documentation: Oracle Keytool Documentation.

2. Using Command-Line Tools

The keytool command-line utility is used for managing keystores and certificates. Here’s how you can list the private keys in a keystore:

2.1 Step-by-Step Example

  • Ensure keytool is installed and available in your PATH. It usually comes with the JDK.
  • Open your terminal or command prompt.
  • Use the following command to list the entries in the keystore:
keytool -list -v -keystore path/to/your/keystore.jks -storepass your_keystore_password

This command lists all the entries in the keystore, but it does not explicitly indicate which ones are private keys. To identify private keys, you typically look for entries with the type PrivateKeyEntry.

3. Using Java Code

Java provides the KeyStore class which allows you to load and interact with keystores programmatically. Here’s a detailed example:

import java.util.Enumeration;

public class ListPrivateKeys {

  public static void main(String[] args) {
    try {
      // Load the keystore
      FileInputStream is = new FileInputStream("path/to/your/keystore.jks");
      KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
      keystore.load(is, "your_keystore_password".toCharArray());

      // Iterate over all aliases in the keystore
      Enumeration  aliases = keystore.aliases();
      while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        if (keystore.isKeyEntry(alias)) {
          KeyStore.Entry entry = keystore.getEntry(alias, new KeyStore.PasswordProtection("your_key_password".toCharArray()));
          if (entry instanceof KeyStore.PrivateKeyEntry) {
            KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry) entry;
            PrivateKey privateKey = pkEntry.getPrivateKey();
            Certificate[] chain = pkEntry.getCertificateChain();

            System.out.println("Alias: " + alias);
            System.out.println("Private Key: " + privateKey.toString());
            System.out.println("Certificate Chain: ");
            for (Certificate cert: chain) {
    } catch (Exception e) {

In this Java example:

  • The keystore is loaded from a file using FileInputStream.
  • The keystore password is provided to load the keystore.
  • We iterate over all aliases in the keystore using keystore.aliases().
  • For each alias, we check if it is a key entry using keystore.isKeyEntry(alias).
  • If it is a PrivateKeyEntry, we retrieve the private key and certificate chain and print their details.

4. Conclusion

Listing private keys from a keystore can be done using command-line tools like keytool or programmatically with Java. The command-line approach is quick and straightforward for basic listings, while the Java approach offers more flexibility and detail, allowing for further manipulation and processing of keystore entries. Both methods are crucial for effective keystore management.

Yatin Batra

An experience full-stack engineer well versed with Core Java, Spring/Springboot, MVC, Security, AOP, Frontend (Angular & React), and cloud technologies (such as AWS, GCP, Jenkins, Docker, K8).
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Back to top button