Read X509 Certificate from Java KeyStore – Example With Code

In the NEW IT age with lots of data comes great responsibility to protect it against all malicious attacks. Using secure communications or HTTPS is one of the ways to protect the data while it travels the web. Now when we talk about https, we use different certificates.

In this article, we will see how we can generate a self-signed X509 certificate. We will generate it using Java Keytool and then we will write a utility to read the private key and X509 certificate from Keystore.

X509 Certificate:

X509 defines the format of public-key certificates. The certificates are used in many internet protocols like TLS, SSL. Apart from this, the certificates are used to implement PKI authentication for many offline applications as well as web applications. An X509 certificate contains a public key and an identity (a hostname, or an organization, or an individual).

A certificate authority can sign your certificate or you can self sign it. The users can then use this certificate to establish secure communication with different parties. The user can also use to validate the digitally signed documents or communications using the private key he has.

First, we will see how we can use Java Keytool to generate a key store that will have our self signed X509 certificate and its corresponding private key.

Here I am assuming that you have the latest Java installed on your machine and the keytool utility is available on your command prompt.

In the above command, I have given all the options in one go so that you don’t have to respond to the prompts the keytool gives you. The command will create a JKS file named “opencodez.jks” and it will have a X509 certificate for CN or Common Name “”. You can find more details about the various keytool options on its official link. You can list and check your JKS as belowx509 certificate

If you need, you can export the certificate using the below command and check. You need to provide the password when prompted.

Once exported you can double click the certificate file “opencodez.cer” and you will see the details like below

As the certificate is self-signed you will see the issued to and issued by the same.

Read X509 Certificate in Java

Now we will see how we can read this from our Java Program. As we have seen the java key store has two parts, one is the private key and the other is a public x509 certificate associated with the key. We will have a small class, that will hold these 2 together for better handling. The Java Security has pre-defined classes for key and certificate.

After this, we will write a simple utility, that will give is an object of the above class with key and certificate filled in. The Java KeyStore class can load your JKS file, when its supplied with the JKS file path and password as a character array.

The program loads the Keystore file and iterates through all the aliases we have added in our JKS file. The program checks if any alias is associated with a key, if it is, then it will break and read the corresponding key and certificate.

The usage is simple as shown here

Once you run this, you can see the string representation of key and x509 certificate on console as below. Please note that, I have not captured complete console output.


I hope, the readers have gained some insights about X509 certificates. More importantly, you have learned how you can read the certificate in java. Now you can use it in any of your security projects and provide more secure projects, applications.

Happy Sharing!!!

  1. Vlad
    April 25, 2019 | Reply
    • Shilpa
      April 26, 2019 | Reply
  2. lion
    March 28, 2019 | Reply
  3. Siya Ntombela
    November 9, 2018 | Reply
  4. Sneha
    September 6, 2018 | Reply
    • Pavan
      September 10, 2018 | Reply

Add a Comment

Your email address will not be published. Required fields are marked *