# GetKeyPairFromKeystore()

Extracts a key pair and certificate from a Java keystore (ACF compatible).

**Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D)

```
GetKeyPairFromKeystore( keystore=string, keystorePassword=string, keypairPassword=string, keystoreAlias=string, keystoreType=string );
```

**Returns:** struct

# Arguments

| Argument | Type | Required | Description | Default |
|----------|------|----------|-------------|---------|
| keystore | string | Yes | Path to keystore file |  |
| keystorePassword | string | Yes | Password for the keystore |  |
| keypairPassword | string | No | Password for the key entry (defaults to keystorePassword) |  |
| keystoreAlias | string | Yes | Alias of the key entry |  |
| keystoreType | string | No | Keystore type (JKS, PKCS12). Auto-detected if omitted. |  |

# Examples

```cfml
// Extract a key pair and its certificate from a PKCS#12 keystore
// Arguments: keystorePath, keystorePassword, keyPassword, alias
result = GetKeyPairFromKeystore(
	"/path/to/keystore.p12",
	"keystorePassword",
	"keyPassword",
	"mykey"
);

// result is a struct with three PEM-encoded strings:
result.private;     // "-----BEGIN PRIVATE KEY-----\n..."
result.public;      // "-----BEGIN PUBLIC KEY-----\n..."
result.certificate; // "-----BEGIN CERTIFICATE-----\n..."

// If the key password is the same as the keystore password,
// you can pass an empty string and it will default
result = GetKeyPairFromKeystore(
	"/path/to/keystore.p12",
	"keystorePassword",
	"",       // defaults to keystorePassword
	"mykey"
);

// Use the extracted keys for signing, JWT creation, etc.
token = JwtSign(
	claims = { sub: "user123" },
	key = result.private,
	algorithm = "RS256"
);
```







# Categories

[Cryptography](../../categories/crypto.md)

# See Also

[GenerateKeystore()](generatekeystore.md), [KeystoreList()](keystorelist.md)