I need some help converting my .P12 certificate file into a JKS keystore. I've followed the standard commands using Java's keytool utility. However, when I try and use the resulting JKS file to access the WS endpoint via SOAPUI, I get a 403.7 error - Forbidden: SSL certificate is required. Using the P12 file with SOAPUI against the same endpoint produces a successful response. Here is the standard command for importing a P12 keystore into a JKS keystore - <pre class="prettyprint"><code>keytool -importkeystore -srckeystore src.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore target.jks </code></pre> I also tried using openssl to convert the P12 -> PEM -> DER -> JKS: <pre class="prettyprint"><code>openssl pkcs12 -in src.p12 -out src.pem -clcerts </code></pre> (Edit src.pem into its two composite parts called src.key and src.cer) <pre class="prettyprint"><code>openssl pkcs8 -topk8 -nocrypt -in src.key -out key.der -inform PEM -outform DER openssl x509 -in src.cer -inform PEM -out cert.der -outform DER </code></pre> (I ran a utility to combine the two keys into keystore.ImportKey ) <pre class="prettyprint"><code>keytool -importkeystore -srckeystore keystore.ImportKey -destkeystore target.JKS </code></pre> and similiarly no dice. Is there something I'm missing?

If you do have Keytool application and your PKCS#12 file, launch the one-line command: <pre class="prettyprint"><code>keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST] </code></pre> You'll need to modify these parameters: <ul> <li> <code>MY_FILE.p12</code>: indicate the path to the PKCS#12 file (.p12 or .pfx extension) to be converted.</li> <li> <code>MY_KEYSTORE.jks</code>: path to the keystore in which you want to store your certificate. If it does not exist it will be created automatically.</li> <li> <code>PASSWORD_JKS</code>: password that will be requested at the keystore opening.</li> <li> <code>ALIAS_SRC</code>: name matching your certificate entry in the PKCS#12 file, "tomcat" for example. </li> </ul> In case you would export your certificate from a Windows server generating a <code>.PFX</code> file, you'll have to retrieve the "alias" name created by Windows. To do so, you can execute the following command: <pre class="prettyprint"><code>keytool -v -list -storetype pkcs12 -keystore FILE_PFX </code></pre> There, the "alias name" field indicates the storage name of your certificate you need to use in the command line. <ul> <li> <code>ALIAS_DEST</code>: name that will match your certificate entry in the JKS keystore, "tomcat" for example.</li> </ul>

Need help converting P12 certificate into JKS

I need some help converting my .P12 certificate file into a JKS keystore. I've followed the standard commands using Java's keytool utility. However, when I try and use the resulting JKS file to access the WS endpoint via SOAPUI, I get a 403.7 error - Forbidden: SSL certificate is required. Using the P12 file with SOAPUI against the same endpoint produces a successful response. Here is the standard command for importing a P12 keystore into a JKS keystore -

keytool -importkeystore -srckeystore src.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore target.jks

I also tried using openssl to convert the P12 -> PEM -> DER -> JKS:

openssl pkcs12 -in src.p12 -out src.pem -clcerts

(Edit src.pem into its two composite parts called src.key and src.cer)

openssl pkcs8 -topk8 -nocrypt -in src.key -out key.der -inform PEM -outform DER openssl x509 -in src.cer -inform PEM -out cert.der -outform DER

(I ran a utility to combine the two keys into keystore.ImportKey )

keytool -importkeystore -srckeystore keystore.ImportKey -destkeystore target.JKS

and similiarly no dice.

Is there something I'm missing?

Is p12 and JKS same?

The biggest difference between JKS and PKCS12 is that JKS is a format specific to Java, while PKCS12 is a standardized and language-neutral way of storing encrypted private keys and certificates.

If you do have Keytool application and your PKCS#12 file, launch the one-line command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12  -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks]  -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

You'll need to modify these parameters:

MY_FILE.p12: indicate the path to the PKCS#12 file (.p12 or .pfx extension) to be converted.
MY_KEYSTORE.jks: path to the keystore in which you want to store your certificate. If it does not exist it will be created automatically.
PASSWORD_JKS: password that will be requested at the keystore opening.
ALIAS_SRC: name matching your certificate entry in the PKCS#12 file, "tomcat" for example.

In case you would export your certificate from a Windows server generating a .PFX file, you'll have to retrieve the "alias" name created by Windows. To do so, you can execute the following command:

keytool -v -list -storetype pkcs12 -keystore FILE_PFX

There, the "alias name" field indicates the storage name of your certificate you need to use in the command line.

ALIAS_DEST: name that will match your certificate entry in the JKS keystore, "tomcat" for example.

Need help converting P12 certificate into JKS

Tags:

security

ssl

openssl

jks

pkcs#12

Adam Doyle

People also ask

1 Answers

deepanmurugan

Recent Activity

Donate For Us

Need help converting P12 certificate into JKS

Tags:

security

ssl

openssl

jks

pkcs#12

Adam Doyle

People also ask

1 Answers

deepanmurugan

Related questions

Recent Activity

Donate For Us