Export private key from Salesforce in Java Keystore format and convert to PEM format

Today I needed to use the JWT flow to get an access token from Salesforce to use the Salesforce API in a server to server scenario. To do that you need a private key (usually in PEM format) for the client and the corresponding public key in a keystore on the Salesforce side. Being lazy I simply generated a public / private key pair in Salesforce with an exportable private key and exported the keystore.

Since Salesforce exports the keystore in Java Keystore Format (JKS) I need to work with the Java keytool and openssl to export the private key. Below are the steps. The landing_site_pk alias below is the same of the private key entry in the keystore and the API name of the keystore in Salesforce and Passw0rd is the password specified when exporting the keystore. Adjust as needed.

$ keytool -importkeystore -srckeystore ./00D090000046d3F.jks -srcstorepass Passw0rd -srcalias landing_site_pk -destalias landing_site_pk -destkeystore ./00D090000046d3F.p12 -deststoretype PKCS12 -deststorepass Passw0rd -destkeypass Passw0rd
Importing keystore ./00D090000046d3F.jks to ./00D090000046d3F.p12...

$ openssl pkcs12 -in ./00D090000046d3F.p12 -nodes -nocerts -out 00D090000046d3F.pem
Enter Import Password:
MAC verified OK

$ cat 00D090000046d3F.pem
Bag Attributes
friendlyName: landing_site_pk
localKeyID: 54 69 6D 65 20 31 36 30 36 33 39 30 30 35 36 38 30 38
Key Attributes:

Creating a keystore for plugin signing the easy way

Previously when creating keystores for plugin signing I’ve used a lot of dark magic, crying at the moon and a custom tool I wrote called KeystoreUtil to convert between different formats. The other day I was doing a consulting gig on plugin signing and came up with an easier way just using iKeyman and the Java tooling. I created a presentation with the various commands and screenshots and put it on Slideshare.

Hope it will help someone.

BAT-files (yup – you heard right!) to sign an entire update site

Digitally signing an Eclipse update after the fact (i.e. it’s not part of the build) can be tedious and time consuming. To make the process easier I wrote two small BAT-files that does the recursive signing of all plugin and feature JAR-files for you. Just stick the two BAT-files (signall.bat and dosign.bat) in the root Eclipse update site directory (together with site.xml) and invoke signall.bat.

signall.bat <keystore path> <keystore password> <certificate alias from keystore>

signall.bat mykeystore changeit signer_key


@echo off
set jdkhome=%JAVA_HOME%
for /f %%a IN ('dir /b /s *.jar') do call dosign.bat %1 %2 %3 %%a
set jdkhome=


@echo off
echo Signing: %4
%jdkhome%binjarsigner.exe -keystore %1 -storepass %2 %4 %3