In the following, I will give a brief overview of basic certificate types and of a few conversion possibilities.
Types and Formats
From JKS to PEM
Export the key to PKCS#12 (we need to perform this step since we cannot convert JKS directly to PEM):
keytool -importkeystore -srckeystore rsa.jks -destkeystore rsa.p12 -srcstoretype jks -deststoretype pkcs12
Export to PEM:
openssl pkcs12 -in rsa.p12 -out rsa.pem -nodes
The -nodes parameter ensures we export both the certificate and the private key (you can verify this by opening the PEM file in your text editor). If we want to export only one of them, we can use (for a certificate):
or (for a key):
If we want to remove the password from the PEM file, we can simply use the rsa command and import/export the key again (Do NOT do this for real servers). This is useful if we need to start the test server again and again, so we do not need to provide the password:
openssl rsa -in rsakey.pem -out rsakey.pem
I experienced some compatibility problems when parsing such keys without passwords. In particular, the Botan library does not like these keys and complains about BER encoding. If you experience the same problems, consider using the genpkey command (see below).
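To check what a converted bundle such as rsa.pem holds without reading it by eye, the following sketch lists each PEM block and flags private keys stored without a passphrase, which is what -nodes and the openssl rsa re-export above write. It is an added example, not code from the original post; the function names and the sample file, whose base64 bodies are constructed placeholders rather than real key material, are assumptions.

```shell
# List the PEM blocks in a bundle; flag private keys lacking a passphrase.
pem_inventory() {
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            label = $0
            sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
            # PKCS#8 marks encryption in the label itself.
            enc = (label == "ENCRYPTED PRIVATE KEY")
            next
        }
        # Traditional RSA/EC keys mark encryption with a Proc-Type header.
        label != "" && /^Proc-Type: 4,ENCRYPTED/ { enc = 1; next }
        /^-----END [A-Z0-9 ]+-----$/ {
            if (label == "CERTIFICATE") {
                print "certificate"
            } else if (label ~ /PRIVATE KEY$/) {
                state = enc ? "encrypted" : "CLEARTEXT"
                print "key " state " (" label ")"
            } else if (label != "") {
                print "other (" label ")"
            }
            label = ""; enc = 0
        }
    ' "$1"
}

# Count of passphrase-less private keys in the file (0 means none).
pem_cleartext_keys() {
    pem_inventory "$1" | awk '/^key CLEARTEXT/ { n++ } END { print n + 0 }'
}

# Constructed sample shaped like the output of "openssl pkcs12 ... -nodes":
# Bag Attributes text around the blocks, placeholder base64 bodies.
make_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: test
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
Bag Attributes
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
}

sample=$(mktemp); make_sample_pem "$sample"
pem_inventory "$sample"; rm -f "$sample"
```

A non-zero result from pem_cleartext_keys on a file headed for anything other than a test server means the key should be re-exported with a passphrase or moved into a protected keystore.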
If you want to use an elliptic curve key pair, that is also very easy. In the first step, you just need to generate a key using an EC algorithm:
Afterwards, you proceed as in the previous steps.
From PEM to JKS
cat rsa.key rsa.crt > rsa.pem
Afterwards, we need to convert these files into PKCS#12 format: