How to convert a PKCS#12 to JKS
Most of system administrators use OpenSSL (which is not a good idea, but it’s an another story) to manage their PKI. While OpenSSL is good to create/convert X509 certificates from PEM/DER to PKCS#12 (and vice versa, for sure) it doesn’t understand the JKS (Java KeyStore) format. JKS are used in Java world, for example Glassfish application server, OpenDS and so more. In this post, I’ll explain how to convert a PKCS#12 to a JKS using portecle. portecle is a small, but very useful application (written in Java) to manipulate keystores.
- Download portecle, extract it, and lauch it using
java -jar portecle.jar
(note that Java 6 seems required for version 1.4.x) - Open your PKCS#12 file, provide the password
- Click on Tools/Change KeyStore Type/JKS menu
- If you don’t want to use the default password (which is password), click on the menu keystore password
- Save it, that’s all folks!
You can know list the contents of your JKS using keytool:
% keytool -list -v -keystore yourkeystore.jks
Since I don’t have an internal certificate server and have been considering making one, I’m curious about what you suggest in lieu of OpenSSL. I suppose that Windows Server comes with CA functionality, but I’m interesting in your suggestion.
EJBCA! Is the best CA software, and it is LGPL.
Indeed Windows Server comes with a CA functionnality, however it’s not very flexible regardings workflow, etc. The certificate part of ILM (called CLM) is interesting, but not very well documented, etc. Except if you really want Windows Desktop autoenrollment, I encourage you to use EJBCA. And even if you need this feature, it’s possible to do that with EJBCA!
An other very common solution is to import a PKCS #12 in a Java KeyStore.
This might be done using the PKCS12Import class from Jetty :
http://mortbay.org/jetty/jetty-6/apidocs/org/mortbay/jetty/security/PKCS12Import.html
Alternate tool: Keytool IUI
http://yellowcat1.free.fr/index_ktl_tips.html
PKCS12Import can be dowloaded from here:
http://mirrors.ibiblio.org/pub/mirrors/maven2/org/mortbay/jetty/jetty/6.0.0beta10/jetty-6.0.0beta10-standalone.jar
And invoked like so:
java -cp jetty-6.0.0beta10-standalone.jar org.mortbay.jetty.security.PKCS12Import mycert.pfx keystore.ks
More info including timestamping, from VeriSign:
https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=AR185