Need help converting P12 certificate into JKS

security ssl openssl pkcs#12 jks
Adam Doyle picture Adam Doyle · Apr 26, 2013 · Viewed 50.5k times · Source

I need some help converting my .P12 certificate file into a JKS keystore. I've followed the standard commands using Java's keytool utility. However, when I try and use the resulting JKS file to access the WS endpoint via SOAPUI, I get a 403.7 error - Forbidden: SSL certificate is required. Using the P12 file with SOAPUI against the same endpoint produces a successful response. Here is the standard command for importing a P12 keystore into a JKS keystore - 

keytool -importkeystore -srckeystore src.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore target.jks

I also tried using openssl to convert the P12 -> PEM -> DER -> JKS:

openssl pkcs12 -in src.p12 -out src.pem -clcerts

(Edit src.pem into its two composite parts called src.key and src.cer)

openssl pkcs8 -topk8 -nocrypt -in src.key -out key.der -inform PEM -outform DER
openssl x509 -in src.cer -inform PEM -out cert.der -outform DER

(I ran a utility to combine the two keys into keystore.ImportKey )

keytool -importkeystore -srckeystore keystore.ImportKey -destkeystore target.JKS

and similiarly no dice.

Is there something I'm missing?

Answer

deeps picture deeps · Feb 5, 2017

If you do have Keytool application and your PKCS#12 file, launch the one-line command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12
 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks]
 -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

You'll need to modify these parameters:

  • MY_FILE.p12: indicate the path to the PKCS#12 file (.p12 or .pfx extension) to be converted.
  • MY_KEYSTORE.jks: path to the keystore in which you want to store your certificate. If it does not exist it will be created automatically.
  • PASSWORD_JKS: password that will be requested at the keystore opening.
  • ALIAS_SRC: name matching your certificate entry in the PKCS#12 file, "tomcat" for example.

In case you would export your certificate from a Windows server generating a .PFX file, you'll have to retrieve the "alias" name created by Windows. To do so, you can execute the following command: 

keytool -v -list -storetype pkcs12 -keystore FILE_PFX

There, the "alias name" field indicates the storage name of your certificate you need to use in the command line.

  • ALIAS_DEST: name that will match your certificate entry in the JKS keystore, "tomcat" for example.

Related questions

SSL Error: unable to get local issuer certificate

I'm having trouble configuring SSL on a Debian 6.0 32bit server. I'm relatively new with SSL so please bear with me. I'm including as much information as I can. Note: The true domain name has been changed to protect the identity …

Read More
How to upgrade OpenSSL in CentOS 6.5 / Linux / Unix from source?

How do I upgrade OpenSSL in CentOS 6.5? I have used these commands, but nothings happens: cd /usr/src wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz tar -zxf openssl-1.0.1g.tar.gz cd openssl-1.0.1g ./config make make …

Read More
Does .pem file contain both private and public keys?

I am wondering if PEM-files contain both private and public keys? What does "PEM" stand for?

Read More