Import PFX file into Existing JKS file (NOT converting from .pfx to .jks)

Himalay Majumdar · Nov 7, 2014 · Viewed 34.6k times

I have a Java web service and have implemented X.509 using jks files created by Java Keytool.

keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myservicekey -keypass skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost"

keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myclientkey  -keypass ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser"

To establish trust between client and server I import the server certs to the client and the client certs to the server.

Import server public key (certs) to client.

keytool -export -rfc -keystore clientKeystore.jks -storepass cspass -alias myclientkey -file MyClient.cer
keytool -import -trustcacerts -keystore serviceKeystore.jks -storepass sspass -alias myclientkey -file MyClient.cer -noprompt

Import client public key (certs) to server.

keytool -export -rfc -keystore serviceKeystore.jks -storepass sspass -alias myservicekey -file MyService.cer
keytool -import -trustcacerts -keystore clientKeystore.jks -storepass cspass -alias myservicekey -file MyService.cer -noprompt

Both Service and Client are written in Java and are working fine. Now I have a .NET client and my understanding is that if I give the same Java client certificates to the .NET client, i.e. clientKeystore.jks, it should work, but the .NET client is having issues.

The .NET client developer has insisted that I use a .pfx certificate that he generated. How can I import a .pfx certificate into an existing .jks file?

The examples I have seen online require me to create a new .jks file.

Thank you.

Answer

KyleM · Nov 7, 2014

You can treat the file as a Java PKCS12 Keystore. You can use all of the same keytool commands, except you additionally need to specify -storetype PKCS12 since the default is JKS. Example that works in JDK 1.6 and higher:

# source store is the .pfx (PKCS12); destination is the JKS, which may already exist
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 \
        -destkeystore clientcert.jks -deststoretype JKS

Also see this thread. I think that answers your question, but if you don't mind a suggestion, I would simply output your existing JKS file as a P12 file, then give the P12 file to the .NET client. That would solve your issue if it is truly a format issue. You can do that by following the steps outlined here. If you still have issues, you should post the .NET client's Exception, otherwise we cannot help you.
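The two keytool procedures the answer describes, merging a .pfx into an existing JKS and, alternatively, exporting the JKS as a .p12 for the .NET client, as one added, self-contained example that is not part of the original question or answer. It builds its own stand-ins for the asker's clientKeystore.jks and for the .NET developer's .pfx (so it runs offline), then performs the merge and the export and lists the result. All file names, aliases and passwords (dotnetclient, pfxpass, the WORK directory) are made up for the demo; the only requirement is a JDK keytool on PATH. It uses SHA256withRSA rather than the SHA1withRSA in the question, since SHA-1 signatures are no longer accepted by current TLS stacks.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Merge a .pfx into an EXISTING JKS with keytool -importkeystore, then export
# the merged JKS back out as a .p12 for the .NET client.
# Assumed/made-up: every path, alias and password below; keytool must be on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the demo keystores

# 1. Stand-in for the asker's existing client keystore: one RSA key pair in a JKS.
make_existing_jks() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 730 \
        -alias myclientkey -keypass ckpass -storepass cspass \
        -keystore "$WORK/clientKeystore.jks" -storetype JKS -dname "cn=clientuser" 2>/dev/null
}

# 2. Stand-in for the .pfx the .NET developer generated: a PKCS12 file with its own password.
#    PKCS12 keys get the store password, so -keypass is set equal to -storepass.
make_pfx() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 730 \
        -alias dotnetclient -keypass pfxpass -storepass pfxpass \
        -keystore "$WORK/dotnetclient.pfx" -storetype PKCS12 -dname "cn=dotnetclient" 2>/dev/null
}

# 3. The answer's command, spelled out: -importkeystore ADDS the .pfx entry to the
#    existing JKS; it does not create a new file and it keeps the entries already there.
#    -srcalias/-destalias pick one entry and avoid alias clashes; -destkeypass sets the
#    key password inside the JKS (the asker's JKS uses a key password that differs
#    from the store password). -noprompt suppresses the interactive questions.
merge_pfx_into_jks() {
    keytool -importkeystore \
        -srckeystore "$WORK/dotnetclient.pfx" -srcstoretype PKCS12 -srcstorepass pfxpass \
        -srcalias dotnetclient \
        -destkeystore "$WORK/clientKeystore.jks" -deststoretype JKS -deststorepass cspass \
        -destalias dotnetclient -destkeypass ckpass -noprompt 2>/dev/null
}

# 4. The answer's alternative: hand the .NET client a .p12 made from the JKS.
#    -srckeypass is required because the JKS key password (ckpass) differs from the
#    store password; for a PKCS12 destination the key and store passwords must match.
export_jks_as_p12() {
    keytool -importkeystore \
        -srckeystore "$WORK/clientKeystore.jks" -srcstoretype JKS -srcstorepass cspass \
        -srcalias myclientkey -srckeypass ckpass \
        -destkeystore "$WORK/clientKeystore.p12" -deststoretype PKCS12 -deststorepass cspass \
        -destkeypass cspass -noprompt 2>/dev/null
}

# The check to run after a merge: how many private-key entries does the store hold now?
# $1 = keystore path, $2 = store type, $3 = store password
count_private_keys() {
    keytool -list -keystore "$1" -storetype "$2" -storepass "$3" 2>/dev/null | grep -c 'PrivateKeyEntry'
}

# Run the whole flow and return the private-key count of the merged JKS (expected: 2,
# the original myclientkey plus the merged dotnetclient).
run_demo() {
    make_existing_jks
    make_pfx
    merge_pfx_into_jks
    export_jks_as_p12
    count_private_keys "$WORK/clientKeystore.jks" JKS cspass
}

if [ "${1:-}" = "run" ]; then
    echo "private key entries in merged JKS: $(run_demo)"
    echo "private key entries in exported p12: $(count_private_keys "$WORK/clientKeystore.p12" PKCS12 cspass)"
fi
```

Run it as `sh merge.sh run`. Two practical caveats: -importkeystore writes the destination JKS in place, so copy it first if it is the live keystore; and merging the .pfx into the client keystore only gives the client that identity. For the service to accept it, its certificate still has to be exported and imported into serviceKeystore.jks as a trusted entry, exactly as the question already does for the Java client.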