How to read X509 Certificate from Java KeyStore

In the NEW IT age with lots of data comes great responsibility to protect it against all malicious attacks. Using secure communications  or HTTPS is one of the way to protect the data while it travel the web. Now when we talk about https, we use different certificates. In this article we will see how we can generate a self signed X509 certificate. We will generate it using Java Keytool and then we will write a utility to read the private key and X509 certificate from keystore.


X509 defines the format of public key certificates. The certificates are used in many internet protocols like TLS, SSL. Apart from this, the certificates are used to implement PKI authentication for many offline applications as well as web applications. An X509 certificate contains a public key and an identity (a hostname, or an organization, or an individual). A certificate authority can sign your certificate or you can self sign it. The users can then use this certificate to establish secure communication with different party. The user can also use to validate the digitally signed documents or communications using the private key he has.

First we will see how we can use Java Keytool to generate a key store which will have our self signed X509 certificate and its corresponding private key.

Here I am assuming that you have latest Java installed on your machine and the keytool utility is available on your command prompt.

In the above command, I have given all the options in one go so that you don’t have to respond to the prompts the keytool gives you. The command will create a JKS file named “opencodez.jks” and it will have a X509 certificate for CN or Common Name “”. You can find more details about the various keytool options on its official link. You can list and check your JKS as belowx509 certificate

If you need, you can export the certificate using below command and check. You need to provide the password when prompted.

Once exported you can double click the certificate file “opencodez.cer” and you will see the details like below

As the certificate is self signed you will see the issued to and issued by same.

Read X509 Certificate in Java

Now we will see how we can read this from our Java Program. As we have seen the java key store has two parts, one is private key and other is public x509 certificate associated with the key. We will have a small class, that will hold these 2 together for better handling. The Java Security has pre- defined classes for key and certificate.

After this, we will write a simple utility, that will give is an object of above class with key and certificate filled in. The Java KeyStore class can load your JKS file, when its supplied with the JKS file path and password as character array. The program loads the keystore file and iterates through all the aliases we have added in our JKS file. The program checks if any alias is associated with key, if it is, then it will break and read corresponding key and certificate.

The usage is simple as shown here

Once you run this, you can see the string representation of key and x509 certificate on console as below. Please note that, I have not captured complete console output.


I hope, the readers have gained some insights about X509 certificates. More importantly, you have learned how you can read the certificate in java. Now you can use it in any of your security projects and provide more secure projects, applications.

Happy Sharing!!!

  1. Vlad
    April 25, 2019 | Reply
    • Shilpa
      April 26, 2019 | Reply
  2. lion
    March 28, 2019 | Reply
  3. Siya Ntombela
    November 9, 2018 | Reply
  4. Sneha
    September 6, 2018 | Reply
    • Pavan
      September 10, 2018 | Reply

Add a Comment

Your email address will not be published. Required fields are marked *