Convert .cer certificate to .jks

H

5

51

I need to convert a .cer file to a .jks file. I saw a few questions about it, but haven't seen a solution to what I need.

I don't need it in order to add it to my local certificates, but as a file to upload to a server. I also need to do it only once, and not programmatically. There's this thread Converting .cer to .jks using java and the author says he had done it successfully, but I couldn't comment to his last reply as I don't have enough reputation, nor could I send him a personal message and ask him.

So if anyone knows of a simple way to do so, I'll be glad to hear.

Hefner answered 20/5, 2015 at 14:30 Comment(0)

T

96

keytool comes with the JDK installation (in the bin folder):

keytool -importcert -file "your.cer" -keystore your.jks -alias "<anything>"

This will create a new keystore and add just your certificate to it.

So, you can't convert a certificate to a keystore: you add a certificate to a keystore.

Triable answered 20/5, 2015 at 14:47 Comment(2)

Hi, somewhere I can find the keystore created? On the certmgr? – Bilingual 22/3, 2021 at 21:27

@viviramji the keystore will be created as a file, in the folder where you run this command – Triable 24/3, 2021 at 14:41

I

11

Just to be sure that this is really the "conversion" you need, please note that jks files are keystores, a file format used to store more than one certificate and allows you to retrieve them programmatically using the Java security API, it's not a one-to-one conversion between equivalent formats.

So, if you just want to import that certificate in a new ad-hoc keystore you can do it with Keystore Explorer, a graphical tool. You'll be able to modify the keystore and the certificates contained therein like you would have done with the java terminal utilities like keytool (but in a more accessible way).

Insignificance answered 20/5, 2015 at 14:41 Comment(0)

K

5

Use the following will help

keytool -import -v -trustcacerts \
-alias keyAlias \
-file server.cer \
-keystore cacerts.jks \
-keypass changeit

Kynewulf answered 12/7, 2017 at 3:56 Comment(0)

P

3

Export a certificate from a keystore:

keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

Pushy answered 16/2, 2017 at 13:22 Comment(1)

I think this does the reverse of what is being asked. – Stately 20/8, 2021 at 10:39

T

2

This worked for me brilliantly

First, create a PKCS12 keystore :

openssl pkcs12 -export -in my-app-certificate.crt -inkey my-app-certificate-private.key -out my-app-keystore.p12 -name my-app

This will require a password

-name is the alias of the private key entry in keystore.

Next, convert the PKCS12 keystore to JKS keytstore using keytool command :

keytool -importkeystore -srckeystore my-app-keystore.p12 -srcstoretype PKCS12 -destkeystore my-app-certificate.jks -deststoretype JKS

To view the JKS file contents:

keytool -v -list -keystore my-app-certificate.jks

Reference: Steps to create a self-signed certificate using OpenSSL

This will request for the password entered when creating the PKCS12 keystore

Thoer answered 17/7, 2023 at 16:39 Comment(0)

Recommended topics

Hot tags