Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Need help converting P12 certificate into JKS

I need some help converting my .P12 certificate file into a JKS keystore. I've followed the standard commands using Java's keytool utility. However, when I try and use the resulting JKS file to access the WS endpoint via SOAPUI, I get a 403.7 error - Forbidden: SSL certificate is required. Using the P12 file with SOAPUI against the same endpoint produces a successful response. Here is the standard command for importing a P12 keystore into a JKS keystore -

keytool -importkeystore -srckeystore src.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore target.jks 

I also tried using openssl to convert the P12 -> PEM -> DER -> JKS:

openssl pkcs12 -in src.p12 -out src.pem -clcerts 

(Edit src.pem into its two composite parts called src.key and src.cer)

openssl pkcs8 -topk8 -nocrypt -in src.key -out key.der -inform PEM -outform DER openssl x509 -in src.cer -inform PEM -out cert.der -outform DER 

(I ran a utility to combine the two keys into keystore.ImportKey )

keytool -importkeystore -srckeystore keystore.ImportKey -destkeystore target.JKS 

and similiarly no dice.

Is there something I'm missing?

like image 241
Adam Doyle Avatar asked Apr 26 '13 19:04

Adam Doyle


People also ask

Is p12 and JKS same?

The biggest difference between JKS and PKCS12 is that JKS is a format specific to Java, while PKCS12 is a standardized and language-neutral way of storing encrypted private keys and certificates.


1 Answers

If you do have Keytool application and your PKCS#12 file, launch the one-line command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12  -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks]  -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST] 

You'll need to modify these parameters:

  • MY_FILE.p12: indicate the path to the PKCS#12 file (.p12 or .pfx extension) to be converted.
  • MY_KEYSTORE.jks: path to the keystore in which you want to store your certificate. If it does not exist it will be created automatically.
  • PASSWORD_JKS: password that will be requested at the keystore opening.
  • ALIAS_SRC: name matching your certificate entry in the PKCS#12 file, "tomcat" for example.

In case you would export your certificate from a Windows server generating a .PFX file, you'll have to retrieve the "alias" name created by Windows. To do so, you can execute the following command:

keytool -v -list -storetype pkcs12 -keystore FILE_PFX 

There, the "alias name" field indicates the storage name of your certificate you need to use in the command line.

  • ALIAS_DEST: name that will match your certificate entry in the JKS keystore, "tomcat" for example.
like image 116
deepanmurugan Avatar answered Oct 06 '22 17:10

deepanmurugan