keystore : Java Glossary


In Java version 1.2 or later, the .keystore file contains your public and private keys. The peculiar leading dot makes the file hidden in Unix.
By default, .keystore has no password, though you normally assign it one with keytool.exe. Don’t lose the password. There is no way to recover it. You would have to start over and create a new empty .keystore with keytool.exe.

.keystore is stored in the binary JKS (Java Key Store) format, similar to PKCS #12, containing both public and private keys, protected by a passphrase. The first four signature bytes of a Sun .keystore file in hex are FEEDFEED.
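An added example (not from the original page) that identifies a keystore's format from its leading bytes, using the FEEDFEED signature described above, and shows what the JKS passphrase check does on load. The JCEKS signature CECECECE and the 0x30 DER tag for PKCS #12 go beyond what this page states; the class name, alias and password are constructed for the example, and the sample stores are built in memory.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreSniffer {
    // Classify a keystore by its leading bytes (ByteBuffer reads big-endian by default).
    static String sniff(byte[] data) {
        if (data.length < 4) return "unknown";
        int magic = ByteBuffer.wrap(data).getInt();
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        if (data[0] == 0x30) return "PKCS12 (or other DER)"; // ASN.1 SEQUENCE tag
        return "unknown";
    }

    // Build a constructed sample store of the given type in memory.
    static byte[] sample(String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // start with an empty store
        if (type.equals("JCEKS")) { // JKS cannot hold secret keys; JCEKS can
            ks.setEntry("demo",
                new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(pw));
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-password".toCharArray();
        for (String type : new String[] {"JKS", "JCEKS", "PKCS12"}) {
            System.out.printf("%-6s sniffed as %s%n", type, sniff(sample(type, pw)));
        }
        byte[] jks = sample("JKS", pw);
        ByteBuffer header = ByteBuffer.wrap(jks); // JKS header: magic, version, entry count
        System.out.printf("magic %08X, version %d, entries %d%n",
            header.getInt(), header.getInt(), header.getInt());
        KeyStore ks = KeyStore.getInstance("JKS");
        try { // the store password feeds a keyed digest checked at load time
            ks.load(new ByteArrayInputStream(jks), "wrong".toCharArray());
        } catch (IOException e) {
            System.out.println("wrong password rejected: " + e.getMessage());
        }
        // With a null password the JKS loader skips the integrity check entirely,
        // so a modified file would load without complaint.
        ks.load(new ByteArrayInputStream(jks), null);
        System.out.println("loaded unverified, entries = " + ks.size());
    }
}
```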


Since Java does not automatically create .keystore, the sysadmin might put it wherever he pleases. Likely places to look include: It is supposed to be in: Where user.home and deployment.user.home are system properties. C:\Program Files (x86)\Java\jre6\lib\security\.

Make sure you back up your .keystore files especially when upgrading your OS (Operating System) or Java. Otherwise you will lose your code signing certificates.

Usually the .keystore file is stored in Sun JKS format, but keytool.exe is capable of dealing with other formats as well. Here is how to find out what other formats

Browser Keystores

It is possible for Java to get at the keystores of the various Mozilla family browsers using a tool called JSS (Network Security Services for Java). Java automatically accesses the Windows/Internet Explorer keystores when validating code-signing certificates for Applets and Java Web Start.

Learning More

Oracle’s Technote Guide on Browser keystores
Oracle’s Javadoc on KeyStore class
keyman: a more user-friendly .keystore manipulator
KeyTool IUI: third party GUI version of keytool
RSA cipher: sample code to extract cert from .keystore

Canadian Mind Products
Contact Roedy. Please feel free to link to this page without explicit permission.