How to convert .pfx file to keystore with private key?
Solution 1
Using JDK 1.6 or later
It has been pointed out by Justin in the comments below that keytool alone is capable of doing this using the following command (although only in JDK 1.6 and later):
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12
-destkeystore clientcert.jks -deststoretype JKS
Using JDK 1.5 or below
OpenSSL can do it all. This answer on JGuru is the best method that I've found so far.
Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed as I found with Mac OS X.
The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:
openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"
NOTE that the name provided in the second command is the alias of your key in the new key store.
You can verify the contents of the key store using the Java keytool utility with the following command:
keytool -v -list -keystore mykeystore.p12 -storetype pkcs12
Finally if you need to you can convert this to a JKS key store by importing the key store created above into a new key store:
keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS
Solution 2
I found this page which tells you how to import a PFX to JKS (Java Key Store):
keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12
-srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE
-deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME
Solution 3
jarsigner can use your pfx file as the keystore for signing your jar. Be sure that your pfx file has the private key and the cert chain when you export it. There is no need to convert to other formats. The trick is to obtain the Alias of your pfx file:
keytool -list -storetype pkcs12 -keystore your_pfx_file -v | grep Alias
Once you have your alias, signing is easy
jarsigner.exe -storetype pkcs12 -keystore pfx_file jar_file "your alias"
The above two commands will prompt you for the password you specified at pfx export. If you want to have your password hang out in clear text use the -storepass switch before the -keystore switch
Once signed, admire your work:
jarsigner.exe -verify -verbose -certs yourjarfile
Solution 4
Justin(above) is accurate. However, keep in mind that depending on who you get the certificate from (intermediate CA, root CA involved or not) or how the pfx is created/exported, sometimes they could be missing the certificate chain. After Import, You would have a certificate of PrivateKeyEntry type, but with a chain of length of 1.
To fix this, there are several options. The easier option in my mind is to import and export the pfx file in IE(choosing the option of Including all the certificates in the chain). The import and export process of certificates in IE should be very easy and well documented elsewhere.
Once exported, import the keystore as Justin pointed above. Now, you would have a keystore with certificate of type PrivateKeyEntry and with a certificate chain length of more than 1.
Certain .Net based Web service clients error out(unable to establish trust relationship), if you don't do the above.
Solution 5
Your PFX file should contain the private key within it. Export the private key and certificate directly from your PFX file (e.g. using OpenSSL) and import them into your Java keystore.
Edit
Further information:
- Download OpenSSL for Windows here.
- Export private key:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
- Export certificate:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
- Import private key and certificate into Java keystore using
keytool
.
Ola
Updated on December 06, 2020Comments
-
Ola over 3 years
I need to sign Android application (
.apk
).
I have.pfx
file. I converted it to.cer
file via Internet Explorer and then converted.cer
to.keystore
using keytool. Then I've tried to sign.apk
with jarsigner but it says that .keystore doesn't content a private key.What I'm doing wrong?
-
Peter Barbanyaga about 10 yearsThis can be useful: how can I find and run the keytool for Windows stackoverflow.com/questions/5488339/…
-
-
JustinMorris almost 12 yearsthere is no need for all three steps, just run: keytool -importkeystore -srckeystore mykeystore.pxf -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS
-
Sad Al Abdullah over 11 yearscould you please tell me how can i import key.pem and cert.pem using keytool ?
-
David Brossard about 11 yearsI think that the older versions of keytool wouldn't let you do it. I remember that 8 years ago I'd have to run openssl but now with keytool in the Oracle JDK 6 and 7, it works like a charm, just like Justin said.
-
gjpc over 10 yearsPlease note I gave that answer in a simpler form with more detail a year before Justin.
-
MikeD over 10 years@gjpc Noted. Your answer is very complete and deserves lots of up votes :)
-
Hakanai over 10 years+1 for not having to convert the keystore file (I have it in enough formats already!)
-
Mythul over 9 yearsThis really is a great answer and it saved me after days of research. This answer really deserves many more upvotes. Thank you sir.
-
MikeD over 9 years@Mythul Thank you very much. I'm glad that it helped. I never realized that the problem was this common when I posted my answer.
-
user1568901 over 8 yearsThis doesn't seem to work on IE11. It's failing to included the certificate chain even though I'm telling it to. I know this has worked in the past though.
-
morgan_il about 8 yearsSmall addition : you have to add -nodes in the end when exporting private ky
-
John Yeary over 7 yearsI tried the first solution on JDK 7 and 8 on OS X 10.12 and Windows 2012 R2. It did not produce a functional file for use. However, when I used the openssl commands the result was fine.
-
Bahaa over 7 yearsI have a question about the method using JDK 1.6+. Does
clientcert.jks
have to exist before running the command, or does it get created by the command? In otherwords, does this command convert the pfx to a new jks store or does it import it into an existing jks keystore -
MikeD over 7 years@bahaa It's been a while since I looked but I'm pretty sure that it creates a new key store
-
aye2m almost 7 yearsOk, this may be obvious for most people. But let me add my comment for people like me. This command is to run on Terminal if you're on Mac.
-
FiruzzZ almost 4 yearsI have one problem, the pfx doesn't have a password, so
-srcstorepass
is my problem. This PFX is created by a LetsEncrypt client for Windows -
mshikaji about 2 years@FiruzzZ , similar missing PFX password issue here. This worked for me:
... -srcstorepass "" ...