JKS Viewer & KeyStore Manager Online

JKS PKCS12 JCEKS Generate Keys Security Audit Free

View, create, and manage Java KeyStore files online. Upload JKS, PKCS12, or JCEKS files to inspect certificates, run security audits, and track expiry dates with a visual timeline. Create new keystores, generate RSA/EC/DSA key pairs, fetch remote SSL certificates, validate key pairs, and order certificate chains — all from your browser.

KeyStore Manager
🔒
Drop keystore file here or click to browse
.jks, .p12, .pfx, .keystore, .jceks
- JKS 0 entries

Aliases 0

0
Valid
0
Expiring
0
Expired
0
Security
Certificate Expiry Timeline
Valid Expiring (<30d) Expired

Java KeyStore Manager

View, create, and manage keystores with security analysis

📂
Upload Keystore
Open an existing .jks, .p12, or .pfx file to view and manage certificates
🌐
Fetch SSL Certificate
Inspect any website's SSL certificate chain and add certs to a keystore
Create New Keystore
Start with an empty keystore and generate key pairs or import certificates
Remote Certificates

Features

View & Manage

  • View JKS, PKCS12, JCEKS files
  • Auto-detect keystore type
  • View certificate details
  • Delete and rename aliases
  • Export modified keystore
  • Create empty keystores

Import & Export

  • Export certificates to PEM/DER
  • Import PEM certificates
  • Fetch remote SSL certificates
  • Add fetched certs to keystore
  • Generate new key pairs
  • Parse full certificate details

Security & Monitoring

  • Certificate health dashboard
  • Expiry timeline visualization
  • Weak key detection (<2048 bit)
  • SHA-1 signature warnings
  • Self-signed certificate detection
  • Key pair validation

Java Keytool Commands Reference

Generate Keys & Certificates
# Generate a new key pair and self-signed certificate
keytool -genkeypair -alias mydomain -keyalg RSA -keysize 2048 \
  -validity 365 -keystore keystore.jks

# Generate with specific DN
keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
  -dname "CN=example.com,O=MyOrg,L=City,ST=State,C=US" \
  -keystore keystore.jks

# Generate EC key pair
keytool -genkeypair -alias eckey -keyalg EC -keysize 256 \
  -keystore keystore.jks
View & List
# List all entries in keystore
keytool -list -keystore keystore.jks

# List with verbose details
keytool -list -v -keystore keystore.jks

# List specific alias
keytool -list -v -alias mydomain -keystore keystore.jks

# Print certificate in RFC format
keytool -list -rfc -alias mydomain -keystore keystore.jks
Import Certificates
# Import a trusted CA certificate
keytool -importcert -trustcacerts -alias rootca \
  -file ca-cert.pem -keystore keystore.jks

# Import a certificate chain
keytool -importcert -alias myserver -file server.crt \
  -keystore keystore.jks

# Import PKCS12 into JKS
keytool -importkeystore -srckeystore cert.p12 \
  -srcstoretype PKCS12 -destkeystore keystore.jks
Export Certificates
# Export certificate to file (DER format)
keytool -exportcert -alias mydomain -keystore keystore.jks \
  -file cert.der

# Export certificate in PEM format
keytool -exportcert -alias mydomain -keystore keystore.jks \
  -rfc -file cert.pem

# Convert JKS to PKCS12
keytool -importkeystore -srckeystore keystore.jks \
  -destkeystore keystore.p12 -deststoretype PKCS12
Generate CSR
# Generate Certificate Signing Request
keytool -certreq -alias mydomain -keystore keystore.jks \
  -file mydomain.csr

# Generate CSR with SAN (Subject Alternative Names)
keytool -certreq -alias mydomain -keystore keystore.jks \
  -ext san=dns:www.example.com,dns:example.com \
  -file mydomain.csr
Delete & Modify
# Delete an alias
keytool -delete -alias oldcert -keystore keystore.jks

# Change alias name
keytool -changealias -alias oldname -destalias newname \
  -keystore keystore.jks

# Change keystore password
keytool -storepasswd -keystore keystore.jks

# Change key password
keytool -keypasswd -alias mydomain -keystore keystore.jks

OpenSSL Commands for Keystore Operations

View & Convert
# View PKCS12 contents
openssl pkcs12 -info -in keystore.p12

# Extract certificate from PKCS12
openssl pkcs12 -in keystore.p12 -clcerts -nokeys \
  -out cert.pem

# Extract private key from PKCS12
openssl pkcs12 -in keystore.p12 -nocerts -nodes \
  -out key.pem

# Extract CA certificates
openssl pkcs12 -in keystore.p12 -cacerts -nokeys \
  -out ca-certs.pem
Create PKCS12
# Create PKCS12 from cert and key
openssl pkcs12 -export -in cert.pem -inkey key.pem \
  -out keystore.p12 -name "myalias"

# Include CA chain
openssl pkcs12 -export -in cert.pem -inkey key.pem \
  -certfile ca-chain.pem -out keystore.p12

# Create with legacy encryption (Java compatibility)
openssl pkcs12 -export -in cert.pem -inkey key.pem \
  -out keystore.p12 -legacy
Certificate Operations
# View certificate details
openssl x509 -in cert.pem -text -noout

# Check certificate expiry
openssl x509 -in cert.pem -noout -dates

# Verify certificate chain
openssl verify -CAfile ca-chain.pem cert.pem

# Get certificate from server
openssl s_client -connect example.com:443 \
  -showcerts </dev/null 2>/dev/null | \
  openssl x509 -outform PEM > server.pem
Convert Formats
# DER to PEM
openssl x509 -inform DER -in cert.der \
  -outform PEM -out cert.pem

# PEM to DER
openssl x509 -inform PEM -in cert.pem \
  -outform DER -out cert.der

# Convert PKCS7 to PEM
openssl pkcs7 -print_certs -in cert.p7b \
  -out cert.pem

# Extract public key from certificate
openssl x509 -in cert.pem -pubkey -noout > pubkey.pem

Frequently Asked Questions

What is a Java KeyStore (JKS)?
A Java KeyStore (JKS) is a repository for cryptographic keys and certificates. It's commonly used to store:
  • Private keys - Used for SSL/TLS server authentication
  • Public key certificates - X.509 certificates
  • Trusted CA certificates - For certificate chain validation
JKS files are protected by a password and use proprietary Java format. The default keystore type changed to PKCS12 in Java 9.
What's the difference between JKS, PKCS12, and JCEKS?
FormatExtensionDescription
JKS.jks, .keystoreJava-proprietary format. Uses weak encryption (SHA1). Not recommended for new projects.
PKCS12.p12, .pfxIndustry standard, cross-platform. Supports stronger encryption. Default since Java 9.
JCEKS.jceksJava Cryptography Extension KeyStore. Stronger encryption than JKS, but still Java-proprietary.
Recommendation: Use PKCS12 for new projects for better compatibility and security.
How do I convert JKS to PKCS12?
Use the keytool command to convert: 
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
You'll be prompted for both the source and destination keystore passwords.
How do I view the contents of a keystore?
Using keytool: 
keytool -list -v -keystore keystore.jks
Using this online tool: Simply upload your keystore file and enter the password. The tool will display all aliases, certificates, and their details including expiry dates and security information.
What is a truststore vs keystore?
Both are technically the same file format, but they serve different purposes:
  • Keystore: Contains your private keys and certificates. Used for server authentication (proving your identity).
  • Truststore: Contains trusted CA certificates. Used to verify certificates from others (validating their identity).
In Java, the default truststore is $JAVA_HOME/lib/security/cacerts with default password "changeit".
How do I add a certificate to Java's truststore? 
keytool -importcert -trustcacerts -alias myca \
  -file ca-cert.pem \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit
Note: You may need administrator/root privileges to modify the system cacerts file.
How do I check certificate expiry dates?
Using keytool: 
keytool -list -v -keystore keystore.jks | grep -A2 "Valid from"
Using OpenSSL: 
openssl x509 -in cert.pem -noout -dates
Using this tool: Upload your keystore to see the health dashboard with expiring/expired certificate counts and a visual expiry timeline.
What key size should I use?
Recommended minimum key sizes:
  • RSA: 2048 bits minimum, 4096 bits for high security
  • ECDSA: 256 bits (P-256 curve) or 384 bits (P-384)
  • DSA: 2048 bits (deprecated, prefer RSA or ECDSA)
This tool's security audit will warn you about keys smaller than 2048 bits.
Is it safe to upload my keystore to this tool?
Privacy considerations:
  • Your keystore is read client-side in your browser
  • The keystore data is stored in browser memory, not on our servers
  • All operations happen locally with AJAX calls
  • No keystore data is persisted after you close the page
Best practice: For production keystores containing private keys, consider using offline tools like keytool or OpenSSL.
How do I fetch SSL certificates from a website?
Using this tool: Switch to "Fetch URL" mode, enter the URL (e.g., google.com), and click "Fetch Certificates". You can then copy the PEM or add it directly to your keystore.

Using OpenSSL: 
openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | \
  openssl x509 -outform PEM > cert.pem

About This Tool

This Java KeyStore viewer is maintained by Anish Nath, a security engineer with expertise in cryptography, PKI, and Java security. Building security tools for developers since 2015.

The tool supports viewing and managing JKS, PKCS12, and JCEKS keystores, with security audit capabilities including weak key detection, SHA-1 warnings, and certificate expiry monitoring.

Support This Free Tool

Every coffee helps keep the servers running. Every book sale funds the next tool I'm dreaming up. You're not just supporting a site — you're helping me build what developers actually need.

500K+ users
200+ tools
100% private
One-time support Buy me a coffee 📚 Learn & support 9-Book Bundle - $9 𝕏 Stay updated Follow @anish2good
Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.

Generate Key Pair

Will generate: RSA 2048-bit key pair with self-signed certificate, valid for 365 days

Import PEM Certificate

Paste the full PEM including BEGIN/END markers. Supports single certificates and certificate chains.