Home > Security, Sysadmin > How to convert a PKCS#12 to JKS

How to convert a PKCS#12 to JKS

Most of system administrators use OpenSSL (which is not a good idea, but it’s an another story) to manage their PKI. While OpenSSL is good to create/convert X509 certificates from PEM/DER to PKCS#12 (and vice versa, for sure) it doesn’t understand the JKS (Java KeyStore) format. JKS are used in Java world, for example Glassfish application server, OpenDS and so more. In this post, I’ll explain how to convert a PKCS#12 to a JKS using portecle. portecle is a small, but very useful application (written in Java) to manipulate keystores.

  1. Download portecle, extract it, and lauch it using java -jar portecle.jar (note that Java 6 seems required for version 1.4.x)
  2. Open your PKCS#12 file, provide the password
  3. Click on Tools/Change KeyStore Type/JKS menu
  4. If you don’t want to use the default password (which is password), click on the menu keystore password
  5. Save it, that’s all folks!

You can know list the contents of your JKS using keytool:


% keytool -list -v -keystore yourkeystore.jks

Categories: Security, Sysadmin Tags:
  1. July 2nd, 2009 at 14:33 | #1

    Since I don’t have an internal certificate server and have been considering making one, I’m curious about what you suggest in lieu of OpenSSL. I suppose that Windows Server comes with CA functionality, but I’m interesting in your suggestion.

  2. July 2nd, 2009 at 14:38 | #2

    EJBCA! Is the best CA software, and it is LGPL.

  3. July 2nd, 2009 at 14:42 | #3

    Indeed Windows Server comes with a CA functionnality, however it’s not very flexible regardings workflow, etc. The certificate part of ILM (called CLM) is interesting, but not very well documented, etc. Except if you really want Windows Desktop autoenrollment, I encourage you to use EJBCA. And even if you need this feature, it’s possible to do that with EJBCA!

  4. alesueur
    July 5th, 2009 at 08:37 | #4

    An other very common solution is to import a PKCS #12 in a Java KeyStore.

    This might be done using the PKCS12Import class from Jetty :
    http://mortbay.org/jetty/jetty-6/apidocs/org/mortbay/jetty/security/PKCS12Import.html

  5. July 19th, 2009 at 19:41 | #5

    Alternate tool: Keytool IUI
    http://yellowcat1.free.fr/index_ktl_tips.html

  6. punk
    November 10th, 2011 at 16:26 | #6

    PKCS12Import can be dowloaded from here:
    http://mirrors.ibiblio.org/pub/mirrors/maven2/org/mortbay/jetty/jetty/6.0.0beta10/jetty-6.0.0beta10-standalone.jar
    And invoked like so:
    java -cp jetty-6.0.0beta10-standalone.jar org.mortbay.jetty.security.PKCS12Import mycert.pfx keystore.ks

    More info including timestamping, from VeriSign:
    https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR185

  1. March 22nd, 2010 at 21:41 | #1
  2. August 2nd, 2011 at 13:58 | #2
  3. September 13th, 2011 at 16:02 | #3