Skip to main content
Question

Converting a Windows PFX or Windows PKCS12 keystore to a .JKS Keystore

  • June 12, 2012
  • 4 replies
  • 34 views
N
Forum|alt.badge.img+21

While working with a windows admin, we stumbled on this gem of a piece of code that will allow you to convert a Windows PFX or PKCS12 file into a .jks keystore that can be used with Tomcat.

Requirements:

  • KeyTool - installed as part of the Java SDK
  • A PKCS12 file in .pfx or .p12 exported from IIS or Apache
  • The name of the alias for the tomcat key - hint: IIS puts it in GUID format

Obtain the name of the alias for the tomcat key in the certificate file using the following command:

keytool -v -list -storetype pkcs12 -keystore FILE_PFX

Next plug in the source file, alias name, new .jks file name keystore password and new alias into this command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12
 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks]
 -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

NOTE: Casper is coded to look for the destalias "tomcat" in the server.xml file. If you decide to name your destination alias anything different than tomcat, you will need to modify Tomcat's server.xml file and bounce Tomcat.

This link is to the original post that helped me: http://www.tbs-certificats.com/FAQ/en/626.html. I've posted the applicable contents here so that it can be found more easily for others.

    4 replies

    J
    Forum|alt.badge.img+9
    • jpfromdc98
    • Contributor
    • November 21, 2013

    Thank you for this!

    J
    Forum|alt.badge.img+7
    • jrepasky
    • Contributor
    • November 10, 2015

    Updated:
    Run on OS X for a JSS running Windows 2008R2 Server.

    http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key

    Using JDK 1.6 or later

    It has been pointed out by Justin in the comments below that keytool alone is capable of doing this using the following command (although only in JDK 1.6 and later):

    keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
    Using JDK 1.5 or below

    OpenSSL can do it all. This answer on JGuru is the best method that I've found so far.

    Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed as I found with Mac OS X.

    The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:

    openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
    openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"
    NOTE that the name provided in the second command is the alias of your key in the new key store.

    You can verify the contents of the key store using the Java keytool utility with the following command:

    keytool -v -list -keystore mykeystore.p12 -storetype pkcs12
    Finally if you need to you can convert this to a JKS key store by importing the key store created above into a new key store:

    keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS

    R
    Forum|alt.badge.img+1
    • rconfare
    • New Contributor
    • September 21, 2016

    I had a lot of issues doing the above. What I found to work with bringing our Windows wildcard cert in to the JSS was the following:

    from: https://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-an-apache-server.html

    Convert the wildcard .pfx file using OpenSSL

    After you have exported the wildcard certificate from the Windows server you will need to extract all the individual certificates and private key from the .pfx file using OpenSSL. Copy the .pfx file to the server or another computer that has OpenSSL installed.

    Run this OpenSSL command to create a text file with the contents of the .pfx file:

    openssl pkcs12 -in yourdomain.pfx -out yourdomain.txt -nodes

    Open the yourdomain.txt file that the command created in a text editor. Copy each certificate/private key to its own text file including the "
    -----BEGIN RSA PRIVATE KEY-----"
    and "
    -----BEGIN CERTIFICATE-----
    " headers. Save them with names such as yourdomain.key, yourdomain.crt, intermediateCA.crt, etc. My intermediate came directly from GoDaddy in my case.

    Then I used the following article to convert the certs to a .p12

    from: https://jamfnation.jamfsoftware.com/article.html?id=138

    openssl pkcs12 -export -in C: empyourdomain.crt -inkey C: empyourdomain.key -out C: empyourdomain.p12 -name tomcat -CAfile C: empintermediateCA.crt -caname root -chain

    I then used the JSS to import the .p12 instead of following the rest of the instructions on the JAMF article. I logged in directly to the localhost of each of my frontend servers (I have 2 frontends and 1 database box). I then went to System Settings/Apache Tomcat Settings and uploaded the .p12 cert on both.

    I hope my struggles can help someone else.

    A
    Forum|alt.badge.img+3
    • ablend
    • New Contributor
    • May 4, 2017

    Allow me to bring this thread back from the dead. Nick, thank you a thousand times for your post, it got me 99% of the way there. I was hung up on the last part, where I needed to fill in the ALIAS_SRC. My pfx file was reporting the alias as "2" however, no matter how I tried to enter 2 it wouldn't work. After finding a thread on StackOverflow I found if you replace the 2 with a 1 for ALIAS_SRC in your keytool command, it works like a charm.

    I uploaded the new keystore file through the Apache Tomcat Settings > SSL Certificate page in the JSS, manually restarted Tomcat on the server, and I was back in business with my new certificate.

    Thanks again!

    Terms & ConditionsCookie settingsAccessibility statement