Home > Security, Sysadmin > How to convert a PKCS#12 to JKS

How to convert a PKCS#12 to JKS

July 2nd, 2009 Leave a comment Go to comments

Most of system administrators use OpenSSL (which is not a good idea, but it’s an another story) to manage their PKI. While OpenSSL is good to create/convert X509 certificates from PEM/DER to PKCS#12 (and vice versa, for sure) it doesn’t understand the JKS (Java KeyStore) format. JKS are used in Java world, for example Glassfish application server, OpenDS and so more. In this post, I’ll explain how to convert a PKCS#12 to a JKS using portecle. portecle is a small, but very useful application (written in Java) to manipulate keystores.

  1. Download portecle, extract it, and lauch it using java -jar portecle.jar (note that Java 6 seems required for version 1.4.x)
  2. Open your PKCS#12 file, provide the password
  3. Click on Tools/Change KeyStore Type/JKS menu
  4. If you don’t want to use the default password (which is password), click on the menu keystore password
  5. Save it, that’s all folks!

You can know list the contents of your JKS using keytool:


% keytool -list -v -keystore yourkeystore.jks

Categories: Security, Sysadmin Tags:
  1. Matt Simmons
    July 2nd, 2009 at 14:33 | #1
    Reply | Quote

    Since I don’t have an internal certificate server and have been considering making one, I’m curious about what you suggest in lieu of OpenSSL. I suppose that Windows Server comes with CA functionality, but I’m interesting in your suggestion.

  2. asyd
    July 2nd, 2009 at 14:38 | #2
    Reply | Quote

    EJBCA! Is the best CA software, and it is LGPL.

  3. asyd
    July 2nd, 2009 at 14:42 | #3
    Reply | Quote

    Indeed Windows Server comes with a CA functionnality, however it’s not very flexible regardings workflow, etc. The certificate part of ILM (called CLM) is interesting, but not very well documented, etc. Except if you really want Windows Desktop autoenrollment, I encourage you to use EJBCA. And even if you need this feature, it’s possible to do that with EJBCA!

  4. alesueur
    July 5th, 2009 at 08:37 | #4
    Reply | Quote

    An other very common solution is to import a PKCS #12 in a Java KeyStore.

    This might be done using the PKCS12Import class from Jetty :
    http://mortbay.org/jetty/jetty-6/apidocs/org/mortbay/jetty/security/PKCS12Import.html

  5. adidier
    July 19th, 2009 at 19:41 | #5
    Reply | Quote

    Alternate tool: Keytool IUI
    http://yellowcat1.free.fr/index_ktl_tips.html

  6. punk
    November 10th, 2011 at 16:26 | #6
    Reply | Quote

    PKCS12Import can be dowloaded from here:
    http://mirrors.ibiblio.org/pub/mirrors/maven2/org/mortbay/jetty/jetty/6.0.0beta10/jetty-6.0.0beta10-standalone.jar
    And invoked like so:
    java -cp jetty-6.0.0beta10-standalone.jar org.mortbay.jetty.security.PKCS12Import mycert.pfx keystore.ks

    More info including timestamping, from VeriSign:
    https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR185

  1. March 22nd, 2010 at 21:41 | #1
    UI for managing PKI, instead of keytool or openssl « Bozho’s Weblog
  2. August 2nd, 2011 at 13:58 | #2
    Convertir un certificat .p12 en .jks | Base de connaissances
  3. September 13th, 2011 at 16:02 | #3
    Bozho's tech blog » UI for Managing PKI, Instead of keytool or openssl