Extracting public certificates for truststore files

Use this procedure to extract a public certificate, which includes its public key, from a keystore file. If a target truststore file already contains the signer certificate of the certificate authority (CA) that signed the certificate, you do not need to extract and add the certificate to the target truststore file. However, in general, you need to complete this procedure for a self-signed certificate.


Before you begin

Extracting a certificate from one keystore file and adding it to a truststore file is not the same as exporting the certificate and then importing it. Exporting a certificate copies all the certificate information, including its private key, and is normally only used if you want to copy a personal certificate into another keystore file as a personal certificate.

If a certificate is self-signed, extract the certificate and its public key from the keystore file and add it to the target truststore file.

If a certificate is CA-signed, verify that the CA certificate used to sign the certificate is listed as a signer certificate in the target truststore file.

The keystore file must already exist and contain the certificate to be extracted.

Read the http://www.ibm.com/developerworks/java/jdk/security/iKeymanDocs.zip file for further information about how to extract a public certificate from a key database file.



  1. Start the key management utility (iKeyman), if it is not already running.

  2. Open the keystore file from which the public certificate will be extracted.

  3. Select Personal Certificates.

  4. Click Extract Certificate.

  5. Click Base64-encoded ASCII data under Data type.

  6. Enter the Certificate File Name and Location.

  7. Click OK to extract the public certificate into the specified file.



A certificate file that contains the public key of the signed personal certificate is now available for the target truststore file.
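Before adding the extracted file to a truststore, it is worth confirming that it holds only a certificate and no private key, which is the difference between extracting and exporting described above. The following check is an added example, not part of the original documentation or of iKeyman; the function names are hypothetical and the sample bytes are constructed stand-ins, not a real certificate or key.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def to_pem(label, der):
    """Wrap bytes in Base64-encoded ASCII (PEM) armor; builds the samples."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed stand-in bytes with DER SEQUENCE framing (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
EXTRACTED = to_pem("CERTIFICATE", SAMPLE_DER)
# Constructed file that also carries a (fake) private key block.
EXPORTED = EXTRACTED + to_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")

def inspect_extracted_file(text):
    """Return (sha256_fingerprints, problems) for a PEM certificate file."""
    fingerprints, problems = [], []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # A truststore input must never carry private key material.
            problems.append(f"private key material present: {label}")
            continue
        if label != "CERTIFICATE":
            problems.append(f"unexpected block: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid Base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("certificate body is not a DER SEQUENCE")
            continue
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return fingerprints, problems

if __name__ == "__main__":
    for name, text in (("extracted", EXTRACTED), ("exported", EXPORTED)):
        print(name, inspect_extracted_file(text))
```

For a self-signed certificate, compare the reported SHA-256 fingerprint with the value obtained from the keystore owner through a separate channel before trusting the file.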


What to do next

Prepare truststore files for distributing the public keys to support the secure WebSphere domain using SSL. Once the keystore and truststore files are ready, make them accessible by specifying them in your client and server configurations.


Related Tasks

Configuring Secure Sockets Layer
Creating a Secure Sockets Layer repertoire configuration entry



