How do I import an existing Java keystore (.jks) file into a Java installation?
So, I am having trouble with LDAP. I have an integration test case that hopefully will work out, but it is currently running into LDAPS security issues with the SSL handshake.

I am able to connect to the LDAPS with Apache Directory Studio, and it has downloaded the keystore into a file "permanent.jks".

That's ok, but I want my integration test, which resides in Eclipse using a JRE, to be able to connect to the LDAP server using this keystore.

How can I take this keystore and import it into the JRE for its own use?

Sandrocottus answered 18/10, 2011 at 19:17 Comment(0)
Ok, so here was my process:

keytool -list -v -keystore permanent.jks - got me the alias.

keytool -export -alias alias_name -file certificate_name -keystore permanent.jks - got me the certificate to import.

Then I could import it with the keytool:

keytool -import -alias alias_name -file certificate_name -keystore keystore location

As @Christian Bongiorno says the alias can't already exist in your keystore.

Sandrocottus answered 18/10, 2011 at 19:29 Comment(6)
I got it working but with an amendment (if you would like to change your answer). In the import process, the part where you have "alias name" (BTW: not a great variable name with a space) has to be an alias that does not already exist in the destination store. If you don't specify the alias it defaults to "1" -- you can use step 1 to list aliases from your destination before installing. - Despondency

In the last step (importing), I got the error "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect", even though in the previous step (exporting) I successfully finished with my password. Do you know why that is? - Pierian

@ThaiTran For future readers, when importing a cert make sure to use the target cert file's password, not the password used to create the cert in the first place. Also note that on many systems, the JDK is owned by root. If this is the case you need to execute the keytool -import command as root. - Burbage

For other future readers that were receiving the IOException, the default password for cacerts is 'changeit'. - Taurine

Ok, this really did work. However my "permanent.jks" contained like 5 different certificates. So after keytool -list -v -keystore permanent.jks, cmd + f "alias" to find all the aliases and export them one by one. And then, after 5 separate .cer files, I was able to add them to cacerts (also one by one, following the help here). Thanks! - Sennit

I'll just put a big warning on this solution: when you want to import any private key, the import command will only import the public part. - Autosome
You can bulk import all aliases from one keystore to another:

keytool -importkeystore -srckeystore source.jks -destkeystore dest.jks
Couple answered 23/3, 2016 at 10:18 Comment(0)
To load a KeyStore, you'll need to tell it the type of keystore it is (probably jceks), provide an InputStream, and a password. Then, you can load it like so:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

KeyStore ks = KeyStore.getInstance(TYPE_OF_KEYSTORE);
// PASSWORD must be a char[], not a String; try-with-resources closes the stream afterwards
try (InputStream in = new FileInputStream(PATH_TO_KEYSTORE)) {
    ks.load(in, PASSWORD);
}

This can throw a KeyStoreException, so you can surround it in a try block if you like, or re-throw. Keep in mind a keystore can contain multiple keys, so you'll need to look up your key with an alias; here's an example with a symmetric key:

import javax.crypto.SecretKey;

// SOME_PASSWORD is also a char[]; it is the password protecting this particular entry
KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) ks.getEntry(SOME_ALIAS, new KeyStore.PasswordProtection(SOME_PASSWORD));
SecretKey someKey = entry.getSecretKey();
Graft answered 18/10, 2011 at 19:25 Comment(5)
You saved my life. Was not loading the keystore properly until I came to your example. Pity that I can not give you 10000 points for that. Thank you very much!! - Nonchalant

Glad to help! Your thanks is worth more than a few points :). - Graft

Hi bro, your code worked well with SHA1RSA, could you help to load a KeyStore SHA256RSA? It says "Invalid keystore format". - Proconsul

The method load(InputStream, char[]) in the type KeyStore is not applicable for the arguments (FileInputStream, String). - Freeland

I am passing this key store file via JVM arg -Djavax.net.ssl.keyStore. How can I load it? Do I still need to use the key path here: ks.load(new FileInputStream(PATH_TO_KEYSTORE), PASSWORD);? If I still need to use this path, what is the point of this JVM arg? - Otolith
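Combining the keytool steps from the first answer with the KeyStore API from the last one, here is an added example (not code from any of the answers) that copies the trusted certificates out of permanent.jks into a fresh truststore and makes that truststore the default for the test JVM, so the integration test can trust the LDAPS server without editing the JRE's cacerts. The file name permanent.jks comes from the question; the "JKS" type, the "changeit" password and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreImport {

    // Open a keystore; a null path yields a new, empty one. The password is a char[].
    static KeyStore load(String type, String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = path == null ? null : new FileInputStream(path)) {
            ks.load(in, pw); // wrong password -> IOException "Keystore was tampered with..."
        }
        return ks;
    }

    // Copy trusted-certificate entries from src into dest. Aliases already present in
    // dest are skipped (keytool -import rejects a duplicate alias), and private-key
    // entries are skipped because only their certificate would be copied, not the key.
    static int copyTrustedCerts(KeyStore src, KeyStore dest) throws Exception {
        int copied = 0;
        for (String alias : Collections.list(src.aliases())) {
            if (!src.isCertificateEntry(alias) || dest.containsAlias(alias)) {
                continue;
            }
            dest.setCertificateEntry(alias, src.getCertificate(alias));
            copied++;
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: "JKS" type and the "changeit" default password from the comments.
        KeyStore src = load("JKS", "permanent.jks", "changeit".toCharArray());
        KeyStore dest = load("JKS", null, null); // in-memory truststore for the test only
        System.out.println("copied " + copyTrustedCerts(src, dest) + " trusted entries");

        // Install dest as the JVM's default trust material instead of modifying cacerts.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(dest);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx);
    }
}
```

Run this before the LDAPS connection is opened in the test; the default SSLContext only affects sockets created after SSLContext.setDefault is called.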

© 2022 - 2024 — McMap. All rights reserved.