Skip to main content

Convert PFX certificate to JKS, P12, CRT

I recently had to use a PFX certificate for client authentication (maybe another post will be coming) and for that reason I had to convert it to a Java keystore (JKS). 

We will create BOTH a truststore and a keystore, because based on your needs you might need one or the other. 
The difference between truststore and keystore if you are not aware is(quote from the JSSE ref guide:

TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.

Ok that's enough what you will need is openssl and Java 7+ ;) !

First let's generate a key from the pfx file, this key is later used for p12 keystore.

openssl pkcs12 -in example.pfx -nocerts -out example.key  
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

As shown here you will be asked for the password of the pfx file, later you will be asked to enter a PEM passphase lets for example use 123456 for everything here.
The second commands is almost the same but it is about nokey and a crt this time

openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt
Enter Import Password:
MAC verified OK

Now we have a key and and a crt file
Next step is to create a truststore.

keytool -import -file example.crt -alias exampleCA -keystore truststore.jks
Enter keystore password:
Re-enter new password:
Owner: CN=.....
Trust this certificate? [no]:  yes
Certificate was added to keystore

As you can see here you just import this crt file into a jks truststore and set some password. For the question do you trust this certificate you say yes, so it is added in the truststore.

We are done if you only need a truststore. 
The last step(s) is to create a keystore

openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12
Enter pass phrase for example.key:
Enter Export Password:
Verifying - Enter Export Password:

This p12 keystore is enough in many cases, still if you need a JKS keystore you need one additional command

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Importing keystore keystore.p12 to keystore.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias examplecert successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

That is all folks ! I hope this helps someone :) 

example.pfx  example.key            keystore.p12
example.crt  keystore.jks           truststore.jks

See you in post 2 how to use this keystore for client side authentication. Also how to use the truststore if you need to use it.


Popular posts from this blog

Hibernate Generic DAO.

When you use Hibernate and DAO pattern it is a good idea to use a Generic Base Dao. The fallowing code snippet contains GenericDAO that is a base class for all my DAO classes. This GenericDAO uses HibernateDaoSupport from Spring for its implementation if you want you can use JpaDaoSupport or JdbcDaoSupport in your projects. My Generic DAO interface looks like this : package org.joke.myproject.dao.base; import; import java.util.List; /** * @author Naiden Gochev * @param <E> * @param <PK> */ public interface GenericDao<E,PK  extends Serializable> {     PK save(E newInstance);     void update(E transientObject);     void saveOrUpdate(E transientObject);     void delete(E persistentObject);     E findById(PK id);     List<E> findAll();     List<E> findAllByProperty(String propertyName,Object value); } All method names are very common so I don't

Patching a Maven library with your custom class.

Sometimes you use a library that has a bug. Or maybe it doesn’t has a bug but you want to change something. Of course if it is an open source you can get the sources… build them … with your change and so on. However this first takes a lot of time and second you need the sources. What you usually want .. is to just replace one class.. or few classes with something custom… maybe add a line .. or remove a line and so on. Yesterday… I had an issue with jboss-logging. The version I was using was 3.2.0Beta1 and it turns out that using this version and log4j2 2.0 final basically meant that no log is send to log4j2. The reason was a null pointer exception that was catched in jboss logging class called Log4j2Logger. The bug I submitted is here and it was fixed at the same day. However I will use it as an example since I didn’t knew when this will be fixed.. and I didn’t want to wait till it is fixed. So I was thinking what I want.. to take the j