Ruben Laguna's blog

Jun 29, 2007 - 2 minute read - ethereal https inspect java jks key rsa sniffer sniffing ssl tomcat wireshark

Inspecting Tomcat HTTPS connection with Wireshark

Wireshark allows you to inspect SSL connection as long as you have the corresponding private key of the server side. You can read the details here. But if you are using java and tomcat you’ll probably have the certificate and private key stored in a JKS keystore so how can you extract the key in the right format for WireShark?

First of all, keytool doesn’t allow you to extract the private key from a keystore. So you need external help. I use the which is a modified version on the DumpPrivateKey found in this forum post.


import sun.misc.BASE64Encoder;

* This is an utility program that reads the keystore file specified in the
* parameter and dumps to the standard output the private key encoded in Base64
public class DumpPrivateKey {
* Main method. Invoked from command line. This method open the jks file
* specified in the parameter to get the private key, transforms it in
* Base64 format and write it to the standard output. `Usage`:
* java DumpPrivateKey keystore.jks alias storepassword keypassword
* @param args
* List of strings containing the input parameters.
static public void main(String[] args) {
try {
if (args.length != 4) {
.println("Usage java DumpPrivateKey keystore.jks alias storepassword keypassword");
KeyStore ks = KeyStore.getInstance("jks");
String keystore = args[0];
String alias = args[1];
String storepass = args[2];
String keypass = args[3];

ks.load(new FileInputStream(keystore), storepass.toCharArray());
Key key = ks.getKey(alias, keypass.toCharArray());
if (key == null) {
System.err.println("No key found for alias:" + alias
+ " and keypass:" + keypass);

BASE64Encoder myB64 = new BASE64Encoder();
String b64 = myB64.encode(key.getEncoded());

System.out.println("----~~BEGIN PRIVATE KEY----~~");
System.out.println("----~~END PRIVATE KEY----~~");
} catch (Exception e) {

The code is also available as a gist

Issuing the command

The command java -cp . DumpPrivateKey wwwserver.jks tomcat changeit changeit >server.key will export the private key to server.key but you need to convert this key format to the format supported by wireshark. You can do that with openssl pkcs8 -inform PEM -nocrypt -in server.key -out server.rsa.key

Then you can use the server.rsa.key in WireShark Edit>Preferences~~Protocol~~>SSL rsa key file list>,443,http,c:\server.rsa.key.

Hope it works for you!