Convert PFX Certificate to JKS, P12, CRT
Learn how to convert a PFX certificate for client authentication to a Java keystore (JKS).
Join the DZone community and get the full member experience.Join For Free
I recently had to use a PFX certificate for client authentication, and for that reason, I had to convert it to a Java keystore (JKS). In this post, we will learn how to create both a truststore and a keystore, because based on your needs, you might need one or the other.
The difference between truststore and keystore, if you are not aware is, according to the JSSE ref guide:
TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.
Next, all you need is OpenSSL and Java 7+!
First, let's generate a key from the PFX file; this key is later used for p12 keystore.
openssl pkcs12 -in example.pfx -nocerts -out example.key Enter Import Password: MAC verified OK Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
As shown here, you will be asked for the password of the PFX file. Later, you will be asked to enter a PEM passphase. Let's, for example, use 123456 for everything here.
The second command is almost the same, but it is about
nokey and a
crt this time:
openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt Enter Import Password: MAC verified OK
Now, we have a key and and a crt file. The next step is to create a truststore, like so:
keytool -import -file example.crt -alias exampleCA -keystore truststore.jks Enter keystore password: Re-enter new password: Owner: CN=..... ....... Trust this certificate? [no]: yes Certificate was added to keystore
As you can see here, you just import this crt file into a JKS truststore and set the password. For the question: "Do you trust this certificate?" answer "yes," so it is then added in the truststore.
If you only need a truststore, you can stop here.
The last step is to create a keystore, like so:
openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12 Enter pass phrase for example.key: Enter Export Password: Verifying - Enter Export Password:
This p12 keystore is enough in many cases. However, if you still need a JKS keystore, you need one additional command:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS Importing keystore keystore.p12 to keystore.jks... Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias examplecert successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
That is all folks! Hope this helps, and please feel free to leave any questions or comments.
ls example.pfx example.key keystore.p12 example.crt keystore.jks truststore.jks
Published at DZone with permission of Nayden Gochev. See the original article here.
Opinions expressed by DZone contributors are their own.