I need some help converting my .P12 certificate file into a JKS keystore. I've followed the standard commands using Java's keytool utility. However, when I try and use the resulting JKS file to access the WS endpoint via SOAPUI, I get a 403.7 error - Forbidden: SSL certificate is required. Using the P12 file with SOAPUI against the same endpoint produces a successful response. Here is the standard command for importing a P12 keystore into a JKS keystore -

keytool -importkeystore -srckeystore src.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore target.jks

I also tried using openssl to convert the P12 -> PEM -> DER -> JKS:

openssl pkcs12 -in src.p12 -out src.pem -clcerts

(Edit src.pem into its two composite parts called src.key and src.cer)

openssl pkcs8 -topk8 -nocrypt -in src.key -out key.der -inform PEM -outform DER
openssl x509 -in src.cer -inform PEM -out cert.der -outform DER

(I ran a utility to combine the two keys into keystore.ImportKey )

keytool -importkeystore -srckeystore keystore.ImportKey -destkeystore target.JKS

and similiarly no dice.

Is there something I'm missing?

If you do have Keytool application and your PKCS#12 file, launch the one-line command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12
 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks]
 -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

You'll need to modify these parameters:

• MY_FILE.p12: indicate the path to the PKCS#12 file (.p12 or .pfx extension) to be converted.
• MY_KEYSTORE.jks: path to the keystore in which you want to store your certificate. If it does not exist it will be created automatically.
• PASSWORD_JKS: password that will be requested at the keystore opening.
• ALIAS_SRC: name matching your certificate entry in the PKCS#12 file, "tomcat" for example.

In case you would export your certificate from a Windows server generating a .PFX file, you'll have to retrieve the "alias" name created by Windows. To do so, you can execute the following command:

keytool -v -list -storetype pkcs12 -keystore FILE_PFX

There, the "alias name" field indicates the storage name of your certificate you need to use in the command line.

• ALIAS_DEST: name that will match your certificate entry in the JKS keystore, "tomcat" for example.

But he asked how to convert .p12 to JKS, so the answer is:

keytool -importkeystore  -srckeystore mystore.p12 -destkeystore myotherstore.jks -srcstoretype PKCS12 -deststoretype jks -srcstorepass mystorepass -deststorepass myotherstorepass -srcalias myserverkey -destalias myotherserverkey -srckeypass mykeypass -destkeypass myotherkeypass

Just had to use this line, works for me.

I am surprised why No one has answered this question for so long. Anyways the easiest method to convert p12 to jks is by using Keytool. Following is the command you might need to use:

keytool -importkeystore  -srckeystore mystore.jck -destkeystore myotherstore.jks -srcstoretype jceks
-deststoretype jks -srcstorepass mystorepass -deststorepass myotherstorepass -srcalias myserverkey
-destalias myotherserverkey -srckeypass mykeypass -destkeypass myotherkeypass

I believe the issues you are facing are probably because you didn't provide Keypass. Please note that its a good practice to keep the keypass and storepass as same, since at times the server is unable to distinguish between keypass and storepass.

Here are some great answers, but I have figured out, in some cases some p12 certificates may not work under some circumstances if converted to jks. For example we had the jks, generated in keytool from Java 11, which were OK for the application running in tomcat 9 on Java 11, but certificate created in the same way then did not work in Tomcat 10 with java 17 in the case the application runs in the compatibility mode with the old javax libraries, so there is not clear, which libraries are in the reality how used for the access of the jks keystore from Java application.

We then got the "Invalid keystore format" exceptions for such keystores on such infrastructure.

Also is important with which Java version the keytool is keystore is generated.

But I got the information, if the PKCS12 keystore is once "prepared to be fully java-compatible" - please do not ask me, what does it mean :-) - then it works - it seems not all p12 certificates are the same. And really, this also was our case - so in the case you need to store in jks the client certificate originally delivered in p12 format to access some remote service as the client, then you might find this script handsome - it first reconverts the p12 certificate through pem and then creates the jks keystore and then also renames the imported key in the keystore to be named with the alias which is requested.

#!/bin/bash

############### start of the execution ################
#Perform initial cleanup:
echo -e 'Cleanup of possibly existing temporary files...'
rm -f "${PKCS12_FILENAME}.pem"
#First delete also the result keystore if existing - there can be only one client certificate in client keystore, so any previous keystore content will be so deleted:
rm -f "${KEYSTORE_FILENAME}"
rm -f "JAVA_FULLY_COMPATIBLE_${KEYSTORE_FILENAME}"

echo -e 'Starting...'


#For export of the p12 certificate into pem format use following statement:
openssl pkcs12 -in "${PKCS12_FILENAME}" -out "${PKCS12_FILENAME}.pem" -descert -passin pass:"${PKCS12_PASSWORD}" -passout pass:"${PKCS12_PASSWORD}"

# Create Java-fully-compatible P12 certificate file:
openssl pkcs12 -export -out "JAVA_FULLY_COMPATIBLE_${PKCS12_FILENAME}" -in "${PKCS12_FILENAME}.pem" -passin pass:"${PKCS12_PASSWORD}" -passout pass:"${PKCS12_PASSWORD}"

#Now create the JKS keystore from the fully compatible PKCS12 certificate
${KEYTOOL_LOCATION}keytool -importkeystore -srckeystore "JAVA_FULLY_COMPATIBLE_${PKCS12_FILENAME}" -srcstoretype PKCS12 -srcstorepass "${PKCS12_PASSWORD}" -deststorepass "${KEYSTORE_PASSWORD}" -destkeypass "${PKCS12_PASSWORD}" -deststoretype ${KEYSTORE_TYPE} -destkeystore "${KEYSTORE_FILENAME}"

#Now rename the key in the keystore to the wished alias, the default created key is named "1"
${KEYTOOL_LOCATION}keytool -changealias -alias "1" -destalias "${ALIAS}" -keypass "${PKCS12_PASSWORD}" -keystore "${KEYSTORE_FILENAME}" -storepass "${KEYSTORE_PASSWORD}"

echo -e 'Keystore with following content created:'
${KEYTOOL_LOCATION}keytool -list -keystore "${KEYSTORE_FILENAME}" -storepass "${KEYSTORE_PASSWORD}"

echo -e 'Finished.'

It is called for example like this (the above script is in file keystore-gen-tomcat-compatibility-mode.sh):

#!/bin/bash
# Created with the help of following sources:
# https://mcmap.net/q/406000/-need-help-converting-p12-certificate-into-jks

# Customize following properties to meet your needs
KEYTOOL_LOCATION="/usr/lib/jdk11.0/bin/"
PKCS12_FILENAME="my p12 certificate.p12"
PKCS12_PASSWORD="pkcspwd"
# possible values here are {jks|pkcs12}:
KEYSTORE_TYPE=jks
KEYSTORE_FILENAME="java_keystore.jks"
KEYSTORE_PASSWORD="jkspwd"
ALIAS=${PKCS12_FILENAME}

#performs the generation based on corresponding variables:
. ../../../common/certs/keystore-gen-tomcat-compatibility-mode.sh

If you want a simple import ca certs into keystore use the command:

keytool -importkeystore -deststorepass <destpass> -destkeystore filename-new-keystore.jks -srckeystore ./ca.p12 -srcstoretype PKCS12

source