Convert PFX Certificate to JKS, P12, CRT
Learn how to convert a PFX certificate for client authentication to a Java keystore (JKS).
Join the DZone community and get the full member experience.
Join For FreeI recently had to use a PFX certificate for client authentication, and for that reason, I had to convert it to a Java keystore (JKS). In this post, we will learn how to create both a truststore and a keystore, because based on your needs, you might need one or the other.
The difference between truststore and keystore, if you are not aware is, according to the JSSE ref guide:
TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.
Next, all you need is OpenSSL and Java 7+!
First, let's generate a key from the PFX file; this key is later used for p12 keystore.
openssl pkcs12 -in example.pfx -nocerts -out example.key
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:As shown here, you will be asked for the password of the PFX file. Later, you will be asked to enter a PEM passphase. Let's, for example, use 123456 for everything here.
The second command is almost the same, but it is about nokey and a crt this time:
openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt
Enter Import Password:
MAC verified OKNow, we have a key and and a crt file. The next step is to create a truststore, like so:
keytool -import -file example.crt -alias exampleCA -keystore truststore.jks
Enter keystore password:
Re-enter new password:
Owner: CN=.....
.......
Trust this certificate? [no]: yes
Certificate was added to keystoreAs you can see here, you just import this crt file into a JKS truststore and set the password. For the question: "Do you trust this certificate?" answer "yes," so it is then added in the truststore.
If you only need a truststore, you can stop here.
The last step is to create a keystore, like so:
openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12
Enter pass phrase for example.key:
Enter Export Password:
Verifying - Enter Export Password:This p12 keystore is enough in many cases. However, if you still need a JKS keystore, you need one additional command:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Importing keystore keystore.p12 to keystore.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias examplecert successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".That is all folks! Hope this helps, and please feel free to leave any questions or comments.
ls
example.pfx example.key keystore.p12
example.crt keystore.jks truststore.jksTopics:
java,
JKS,
security,
java keystore,
trust,
truststore,
crt,
p12,
tutorial
Published at DZone with permission of Nayden Gochev. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments