How can I create a PFX file from a Java Keystore?

Asked 9/2, 2009 at 10:2 Answered 20/1, 2021 at 14:33

I have a Java keystore (.jks file) holding a single certificate. How can I create a .pfx file from this keystore?

Garnishment answered 9/2, 2009 at 10:2 Comment(0)

From Java 6 onwards, keytool has an -importkeystore option, which should be able to convert a JKS store into a PKCS#12 store (.p12/.pfx):

keytool -importkeystore -srckeystore thekeystore.jks \
            -srcstoretype JKS \
            -destkeystore thekeystore.pfx \
            -deststoretype PKCS12

It will ask you to enter a password for source and destination (jks, pfx) files

Banksia answered 12/1, 2012 at 16:44 Comment(2)

I am getting these errors when I use this command: Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported. Have you seen that? – Rhondarhondda 28/7, 2014 at 1:22

@Rhondarhondda Yes, you can't have entries with only certificates in the PKCS#12 store, it only works for entries for which there is also a private key. – Banksia 28/7, 2014 at 9:46

This guy() seems to have written a little Java class and batch file with good instructions to do this here: http://www.crionics.com/products/opensource/faq/signFree.htm#DownloadTools

If you want to do it yourself the key lines in the .bat file seem to be uses

keytool -export -rfc -keystore %KEYSTORE% -storepass %PASSWORD% -alias %ALIAS% > %CERT_64%
java -classpath %JAVACLASSPATH% ExportPrvKey %KEYSTORE% %PASSWORD% %ALIAS% > %PKEY_8%
openssl enc -in %PKEY_8% -a >> %PKEY_64%
openssl pkcs12 -inkey %PKEY_64% -in %CERT_64% -out %CERT_P12% -export

where ExportPrvKey does the step of extracting the private key from the keystore.

Enloe answered 9/2, 2009 at 12:7 Comment(3)

Thanks for the answer. I also came across the site you linked via Google and tried it out. However, the last step fails for me. openssl terminates with the message: unable to load private key Any additional hints would be highly appreciated! – Garnishment 9/2, 2009 at 12:18

Have a look at the private key file (%PKEY_64%). Does it actually exist? Googling it seems the most common errors are having it in the wrong directory or a bad format. Which version of openssl do you have? – Enloe 9/2, 2009 at 12:35

The PKEY_64 file exists and looks ok (it contains 858 "random" ascii characters). I'm using openssl 0.9.7d on a linux box. – Garnishment 9/2, 2009 at 13:10

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12

Then it will request your passphrases and BAM - good to go, tried just last night worked great.

you may have to change dir to your java jdk, or jre bin folder first, then include a full path to your current Keystore, and dest .p12 file.

Kmeson answered 20/1, 2021 at 14:33 Comment(0)

-1

You can export a PFX file including private key, with the following command:

keytool -importkeystore -deststorepass secret -destkeypass secret -destkeystore KEYSTOREFILE.jks -srckeystore PFXFILE.pfx -srcstoretype PKCS12 -srcstorepass secret

Martensite answered 13/10, 2016 at 20:33 Comment(0)

Recommended topics

Hot tags