Create Java Keystore from PFX file

Recently I got the request to manually create a Java keystore (.jks) to be used on a Linux-based web server.

The certificate to be used had two “issues”:

  • It was provided as a .pfx file
  • It didn’t contain the certificates of the intermediate CAs

Since I use a Windows 10 workstation, I had to make sure that Java was installed, in my case version 1.8.

So, in order to fulfill this request, the following steps were necessary:

  • Create a folder to collect all necessary files in. In my case, this was d:\cert.
  • Copy the following files to this folder:
    • The source .pfx file.
    • The certificate of the root CA of the certificate.
    • The certificate(s) of all intermediate CAs existing in the trust chain of the certificate.

In my case the folder contained the following files:

  • wildcard.pfx
  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSAOrganizationValidationSecureServerCA.crt

Now, we’ll use the keytool command inside the Java installation folder (in my case C:\Program Files\Java\jre1.8.0_201\bin) to create the keystore and put all necessary files in there.

The first command puts the root CA’s certificate into the keystore. Since the keystore doesn’t exist yet, keytool will create it automatically:

keytool -import -trustcacerts -file "d:\cert\AddTrustExternalCARoot.crt" -alias AddTrustExternalCARoot -keystore d:\cert\wildcard.jks -storepass xxx

Note: Please replace the “xxx” behind “-storepass” with a reasonable password.

Now we import the other two CA certificates the same way:

keytool -import -trustcacerts -file "d:\cert\COMODORSAAddTrustCA.crt" -alias COMODORSAAddTrustCA -keystore d:\cert\wildcard.jks -storepass xxx
keytool -import -trustcacerts -file "d:\cert\COMODORSAOrganizationValidationSecureServerCA.crt" -alias COMODORSAOrganizationValidationSecureServerCA -keystore d:\cert\wildcard.jks -storepass xxx

In order to import the certificate and its private key, we first have to find out the alias under which they are stored in the .pfx file. To do so, run the following command:

keytool -v -list -storetype pkcs12 -keystore d:\cert\wildcard.pfx > d:\cert\cert.txt

Open the file cert.txt and look for the line starting with “Aliasname:“. You’ll need it in the next step.

The last step is now to import the certificate and its private key into the keystore by running the following command:

keytool -importkeystore -srckeystore d:\cert\wildcard.pfx -srcstoretype pkcs12 -srcalias {qqq} -destkeystore d:\cert\wildcard.jks -deststoretype jks -deststorepass xxx -destalias wildcard

Note: Please replace the “qqq” behind “-srcalias” with the alias you noted in the previous step, and the “xxx” behind “-deststorepass” with the password for the .jks file.
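The same procedure can be done programmatically with the java.security.KeyStore API, which is useful when the conversion has to be repeated or scripted. The following program is an added example and is not code from the original post: it loads the .pfx, finds the alias holding the private key (the “Aliasname:” step above), reads the three CA certificate files, assembles the chain from the end-entity certificate up to the root by checking each issuer signature, and writes a new JKS with the CA certificates as trusted entries and the key under the alias “wildcard”. The folder d:\cert and the file names are taken from the post; the class name PfxToJks, the helper names, and the convention of passing the two passwords as command-line arguments are assumptions made for this example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Example program (assumed name), not part of the original post.
// Usage: java PfxToJks <pfx-password> <jks-password>
public class PfxToJks {

    /** Find the alias in the PKCS#12 file that holds a private key (what keytool -list shows as the alias name). */
    static String findKeyAlias(KeyStore pfx) throws Exception {
        for (String alias : Collections.list(pfx.aliases())) {
            if (pfx.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IllegalStateException("no private key entry found in the .pfx file");
    }

    /** Load a DER- or PEM-encoded X.509 certificate file such as the CA .crt files. */
    static X509Certificate loadCert(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Order the end-entity certificate followed by the intermediates up to the root, so the
     * chain stored in the JKS is complete even though the .pfx itself lacked the intermediates.
     * Each issuer is verified by signature, not only by name, so a wrong CA file is rejected.
     */
    static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> cas) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate current = leaf;
        // Walk the issuer links until a self-signed (root) certificate is reached.
        while (!current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate ca : cas) {
                if (ca.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    current.verify(ca.getPublicKey()); // throws if the signature does not check out
                    issuer = ca;
                    break;
                }
            }
            if (issuer == null) {
                throw new IllegalStateException("no CA certificate found for issuer " + current.getIssuerX500Principal());
            }
            chain.add(issuer);
            current = issuer;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get("d:\\cert"); // folder from the post; adjust as needed
        char[] pfxPassword = args[0].toCharArray(); // password of wildcard.pfx (assumed argument order)
        char[] jksPassword = args[1].toCharArray(); // password for the new wildcard.jks
        List<String> caFiles = Arrays.asList(
            "AddTrustExternalCARoot.crt",
            "COMODORSAAddTrustCA.crt",
            "COMODORSAOrganizationValidationSecureServerCA.crt");

        // Step 1: open the .pfx and locate the key entry, as keytool -list does.
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(dir.resolve("wildcard.pfx"))) {
            pfx.load(in, pfxPassword);
        }
        String srcAlias = findKeyAlias(pfx);
        PrivateKey key = (PrivateKey) pfx.getKey(srcAlias, pfxPassword);
        X509Certificate leaf = (X509Certificate) pfx.getCertificate(srcAlias);

        // Step 2: read the CA files and build the full chain.
        List<X509Certificate> cas = new ArrayList<>();
        for (String name : caFiles) cas.add(loadCert(dir.resolve(name)));
        List<X509Certificate> chain = buildChain(leaf, cas);

        // Step 3: create the JKS with trusted CA entries (like keytool -import -trustcacerts)
        // and the key entry with its chain (like keytool -importkeystore).
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null); // start from an empty keystore
        for (int i = 0; i < cas.size(); i++) {
            String alias = caFiles.get(i).replace(".crt", ""); // same aliases as in the post
            jks.setCertificateEntry(alias, cas.get(i));
        }
        jks.setKeyEntry("wildcard", key, jksPassword, chain.toArray(new Certificate[0]));
        try (OutputStream out = Files.newOutputStream(dir.resolve("wildcard.jks"))) {
            jks.store(out, jksPassword);
        }
        System.out.println("imported '" + srcAlias + "' as 'wildcard' with chain length " + chain.size());
    }
}
```

After running it, the result can be checked with keytool -list -v -keystore d:\cert\wildcard.jks: the entry “wildcard” should be a PrivateKeyEntry whose certificate chain length equals the number of certificates from the end-entity certificate up to the root. One caveat that applies to the keytool commands above as well: a password given on the command line (for example with -storepass) is visible in the command history and process list, so on a shared machine it is preferable to omit the option and let keytool prompt for it.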

Now you can copy the .jks file to the destination machine and configure the web server to use it.
