Backup and restore certificates in a java keystore

A Java keystore is a single binary file. As a precaution, the individual private key entries it contains can be backed up as PEM-encoded certificate and private key files and restored into a new keystore at a later date. The process below is repeated for each entry in the keystore that you wish to back up.

Listing the keystore

First we find out what certificates are in our keystore:

keytool -keystore android_app.keystore -list
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myname, Mar 27, 2015, PrivateKeyEntry, 
Certificate fingerprint (MD5): BE:C6:92:98:B0:D1:01:81:81:BF:20:DA:A9:95:D5:17

The above output shows a single private key entry with the alias myname. Make a note of the alias, as it will be needed later.

Exporting a certificate from the keystore

The following command copies the chosen entry (private key plus certificate) into a new keystore in PKCS12 format:

keytool -v -importkeystore -srckeystore android_app.keystore -srcalias myname -destkeystore myp12.p12 -deststoretype PKCS12
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
[Storing myp12.p12]

The resulting PKCS12 file is called myp12.p12.

The contents of this new file can be dumped as PEM text as follows. Note that -nodes writes the private key unencrypted, so run this on a trusted machine and treat the output as sensitive:

openssl pkcs12 -in myp12.p12 -nodes
Enter Import Password:
MAC verified OK
Bag Attributes
    friendlyName: myname
    localKeyID: 54 69 6D 65 20 31 34 32 37 34 39 31 36 37 32 32 39 30 
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA7rTjfBqCdjVR5c/926kGFDXn2bPBRlgfwAey3WejZKw3EB2T
xKNxVRuPsYXNh0tOMFzof7kcQGi8PI4Wb9+JilSTEyx4BZNEvbHGAuXYgA9mPIAd
aGZ0whYuUX6EZ6+lAts753frx0Zck2fxnbo33SDIp18c71mAlDPIcfxiO2qfIV/a
.....snip......
X+4xAoGBANZyC3XbB8Gx5kDM/UBgJga+F83yLFqTOkORv3GNjpsrU01eMGLAYrGP
vcdPYUNyOLaRB6MEeaI1Q6+gh35MdjQaZY0/WfnFooPeH+Kr43EsYpsmqn2kDQU/
hvl4509i9a5MpU/S4yMDU5UN0jueBcmI6aXEl5ZdBcWXvfbYmbxs
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: CN=Bob Jones,OU=Development,O=The Dumb Terminal,L=Some Town,ST=Some State,C=GB
    localKeyID: 54 69 6D 65 20 31 34 32 37 34 39 31 36 37 32 32 39 30 
subject=/C=GB/ST=Some State/L=Some Town/O=The Dumb Terminal/OU=Development/CN=Bob Jones
issuer=/C=GB/ST=Some State/L=Some Town/O=The Dumb Terminal/OU=Development/CN=Bob Jones
-----BEGIN CERTIFICATE-----
MIIDdDCCAlygAwIBAgIEVRXJ/zANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJH
QjETMBEGA1UECBMKU29tZSBTdGF0ZTESMBAGA1UEBxMJU29tZSBUb3duMRowGAYD
VQQKExFUaGUgRHVtYiBUZXJtaW5hbDEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxEjAQ
.....snip......
/90nKJuqIAGNAIRt3OKXRhLFSCHGGU2cWEtssQgXLjgPE2jljCAWCkDfQHUXQk9S
hTzz8LIZ5y6eJ/xoHyh/oWsEjSpGhonBc0epH7X1RZl8VdiBF3WUZrGFkxDR+IU4
WuVFyDUCziL0kclhUuvHxoMuKhvgGs1P
-----END CERTIFICATE-----

Copy and paste the key block (from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive) into one file, private.key, and the certificate block into a second file, cert.crt. The friendlyName on the key's Bag Attributes (myname above) is the keystore alias.

Back up these two files, the alias and the keystore password to a safe place. Because the key file is unencrypted it needs the same protection as the keystore itself: restrict its permissions to the owner and store it encrypted at rest.
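Splitting the openssl dump by hand is error-prone when the bundle holds a certificate chain or when the alias has to be recovered later. The following Python script is an added example, not part of the original article: it parses output in the shape of `openssl pkcs12 -nodes`, keeps each block's Bag Attributes so the alias can be read back from the key's friendlyName, writes private.key with owner-only permissions and all certificates into cert.crt, and rejects a truncated dump. SAMPLE_DUMP is a constructed stand-in for the real output; its base64 bodies are placeholders, not the article's key or certificate.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the shape of `openssl pkcs12 -in myp12.p12 -nodes`
# output. The base64 bodies are short placeholders, not real key material.
SAMPLE_DUMP = """\
MAC verified OK
Bag Attributes
    friendlyName: myname
    localKeyID: 54 69 6D 65 20 31 34 32 37 34 39 31 36 37 32 32 39 30
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIgcHJpdmF0ZSBrZXk=
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: CN=Bob Jones,OU=Development,O=The Dumb Terminal,L=Some Town,ST=Some State,C=GB
    localKeyID: 54 69 6D 65 20 31 34 32 37 34 39 31 36 37 32 32 39 30
subject=/C=GB/ST=Some State/L=Some Town/O=The Dumb Terminal/OU=Development/CN=Bob Jones
issuer=/C=GB/ST=Some State/L=Some Town/O=The Dumb Terminal/OU=Development/CN=Bob Jones
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
"""


class PemBlock(NamedTuple):
    label: str                  # text between the BEGIN/END dashes, e.g. "CERTIFICATE"
    attributes: Dict[str, str]  # indented "Bag Attributes" lines printed before the block
    pem: str                    # the complete block, BEGIN to END, newline-terminated


BEGIN_RE = re.compile(r"^-----BEGIN (.+)-----$")
END_RE = re.compile(r"^-----END (.+)-----$")


def parse_pkcs12_dump(text: str) -> List[PemBlock]:
    """Split openssl's PEM dump into blocks, keeping each block's bag attributes."""
    blocks: List[PemBlock] = []
    attrs: Dict[str, str] = {}
    label: Optional[str] = None
    lines: List[str] = []
    for line in text.splitlines():
        if label is None:
            m = BEGIN_RE.match(line)
            if m:
                label, lines = m.group(1), [line]
            elif line.startswith("    ") and ":" in line:
                # e.g. "    friendlyName: myname"; unindented header lines are ignored
                key, value = line.strip().split(":", 1)
                attrs[key] = value.strip()
            continue
        lines.append(line)
        m = END_RE.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError(f"PEM footer {line!r} does not match header {label!r}")
            blocks.append(PemBlock(label, attrs, "\n".join(lines) + "\n"))
            attrs, label, lines = {}, None, []
    if label is not None:
        raise ValueError(f"unterminated {label} block: the dump is truncated")
    return blocks


def alias_from_dump(blocks: List[PemBlock]) -> Optional[str]:
    """The keystore alias is the friendlyName on the private key's bag."""
    for b in blocks:
        if b.label.endswith("PRIVATE KEY"):
            return b.attributes.get("friendlyName")
    return None


def write_backup(blocks: List[PemBlock], outdir: str) -> Tuple[str, str]:
    """Write private.key (mode 0600) and cert.crt into outdir; returns their paths."""
    keys = [b for b in blocks if b.label.endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b.label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        raise ValueError("no certificate in dump")
    key_path = os.path.join(outdir, "private.key")
    cert_path = os.path.join(outdir, "cert.crt")
    # -nodes leaves the key unencrypted: create the file owner-only from the start
    # (no chmod after a world-readable write) and refuse to clobber an existing backup.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(keys[0].pem)
    with open(cert_path, "w") as f:
        for c in certs:  # leaf first, then any chain, in the order openssl printed them
            f.write(c.pem)
    return key_path, cert_path


def key_file_mode(path: str) -> int:
    """Permission bits of a file, to check the key is not group/world readable."""
    return stat.S_IMODE(os.stat(path).st_mode)


def backup_sample(outdir: Optional[str] = None) -> Tuple[str, str, str]:
    """Run the split on SAMPLE_DUMP; returns (alias, key_path, cert_path)."""
    blocks = parse_pkcs12_dump(SAMPLE_DUMP)
    outdir = outdir or tempfile.mkdtemp(prefix="keystore-backup-")
    key_path, cert_path = write_backup(blocks, outdir)
    return alias_from_dump(blocks) or "", key_path, cert_path


if __name__ == "__main__":
    alias, key_path, cert_path = backup_sample()
    print(f"alias={alias} key={key_path} cert={cert_path} mode={key_file_mode(key_path):o}")
```

To use it on a real dump, pipe `openssl pkcs12 -in myp12.p12 -nodes` into a file and pass its contents to parse_pkcs12_dump and write_backup. The alias it returns is what the restore section below renames the imported entry to.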

Importing an RSA certificate and private key into a keystore

In this example private.key is the private key and cert.crt is the certificate, both of which were backed up earlier.

First convert the two files back into a PKCS12 bundle. openssl checks that the certificate belongs to the private key and stops with "No certificate matches private key" if the two files were mixed up:

openssl pkcs12 -export -in cert.crt -inkey private.key -out bundle.p12
Enter Export Password:
Verifying - Enter Export Password:

Then import the PKCS12 bundle into a new keystore:

keytool -importkeystore -destkeystore new.keystore -srckeystore bundle.p12 -srcstoretype PKCS12
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

This will create a new keystore in the file new.keystore.

To confirm the import, list the new keystore:

keytool -keystore new.keystore -list
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

1, Mar 28, 2015, PrivateKeyEntry, 
Certificate fingerprint (MD5): BE:C6:92:98:B0:D1:01:81:81:BF:20:DA:A9:95:D5:17

Updating the alias of a certificate in the keystore

The entry shown above currently has the alias 1, assigned by keytool because the PKCS12 bundle carried no friendlyName. Change it to match the original keystore as follows (alternatively, pass -name myname to openssl pkcs12 -export above so the bundle already carries the alias and no rename is needed):

keytool -changealias -alias "1" -destalias "myname" -keystore new.keystore
Enter keystore password:

List the keystore again to confirm the alias change:

keytool -keystore new.keystore -list
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myname, Mar 28, 2015, PrivateKeyEntry, 
Certificate fingerprint (MD5): BE:C6:92:98:B0:D1:01:81:81:BF:20:DA:A9:95:D5:17

The new keystore now holds the same private key and certificate under the same alias as the source keystore, which is what the matching fingerprints show. One difference to be aware of: keytool protects the imported entry with the source entry's password (here the PKCS12 export password) unless -destkeypass is given, so set or record the key password if the application using the keystore expects a particular one.
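Comparing two keytool listings by eye works for one entry but not for a keystore with many. The following Python script is an added example, not part of the original article: it parses `keytool -list` output into alias, entry type and fingerprint, and reports every difference between the original and restored keystores, so the check passes only after the alias has been renamed. The three listings are constructed from the ones in this article. The fingerprint is computed over the certificate, so a match proves the certificate round-tripped; the key is covered because openssl pkcs12 -export refused to bundle a key that did not match it.

```python
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    entry_type: str   # PrivateKeyEntry or trustedCertEntry
    alg: str          # fingerprint algorithm as printed, e.g. MD5 or SHA-256
    fingerprint: str  # colon-separated hex, upper-cased


# Constructed `keytool -list` output following the listings in this article.
ORIGINAL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myname, Mar 27, 2015, PrivateKeyEntry,
Certificate fingerprint (MD5): BE:C6:92:98:B0:D1:01:81:81:BF:20:DA:A9:95:D5:17
"""

RESTORED_BEFORE_RENAME = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

1, Mar 28, 2015, PrivateKeyEntry,
Certificate fingerprint (MD5): BE:C6:92:98:B0:D1:01:81:81:BF:20:DA:A9:95:D5:17
"""

RESTORED_AFTER_RENAME = RESTORED_BEFORE_RENAME.replace("\n1, Mar", "\nmyname, Mar")

# "alias, <date with a comma>, EntryType," with optional trailing whitespace.
# Aliases containing a comma would need a stricter parser.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+?), (?P<type>[A-Za-z]+Entry),\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \((?P<alg>[A-Za-z0-9-]+)\): (?P<fp>[0-9A-Fa-f:]+)$")


def parse_keytool_list(text: str) -> Dict[str, Entry]:
    """Map alias -> Entry; keytool prints the fingerprint on the line after the alias."""
    entries: Dict[str, Entry] = {}
    pending = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = (m.group("alias"), m.group("type"))
            continue
        m = FP_RE.match(line)
        if m and pending is not None:
            alias, entry_type = pending
            entries[alias] = Entry(entry_type, m.group("alg"), m.group("fp").upper())
            pending = None
    return entries


def verify_restore(original: Dict[str, Entry], restored: Dict[str, Entry]) -> List[str]:
    """Return discrepancies between the two listings; an empty list means they match."""
    problems: List[str] = []
    for alias, orig in original.items():
        got = restored.get(alias)
        if got is None:
            problems.append(f"alias {alias!r} missing from restored keystore")
        elif (got.alg, got.fingerprint) != (orig.alg, orig.fingerprint):
            problems.append(f"alias {alias!r}: fingerprint {got.fingerprint} != {orig.fingerprint}")
        elif got.entry_type != orig.entry_type:
            problems.append(f"alias {alias!r}: {got.entry_type} != {orig.entry_type}")
    for alias in sorted(set(restored) - set(original)):
        problems.append(f"unexpected alias {alias!r} in restored keystore")
    return problems


if __name__ == "__main__":
    original = parse_keytool_list(ORIGINAL_LIST)
    for name, listing in (("before rename", RESTORED_BEFORE_RENAME),
                          ("after rename", RESTORED_AFTER_RENAME)):
        problems = verify_restore(original, parse_keytool_list(listing))
        print(name, "OK" if not problems else problems)
```

In practice, capture `keytool -keystore android_app.keystore -list` and `keytool -keystore new.keystore -list` to files and feed them to parse_keytool_list; both listings must be taken with the same keytool version, since newer releases print SHA-256 fingerprints rather than MD5 and the algorithm is part of the comparison.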

Last updated: 29/03/2015