Original Publish date : 3/4/2015
 
Windows Server uses a PFX (PKCS#12) file to store a certificate together with its private key.
 
Consider a scenario wherein you are exporting a PFX file from an IIS server and need to use the same certificate and key in WebLogic Server.
 
When you are exporting the PFX file, make sure you select the following options:
 
“Yes, export the private key” and “Include all certificates in the certification path if possible.”
 
So now your PFX file contains the private key along with the other public certificates. You need to convert the PFX file to a .jks keystore to use it with WebLogic Server (JKS is the recommended keystore format for WebLogic).
 


Step 1 :

First convert the .pfx file to .pem using the following command (the -nodes option writes the private key out unencrypted, so keep the generated files in a protected location and delete them once the keystore has been built):
 
Using OpenSSL :

openssl pkcs12 -in mypfxfile.pfx -out frompfx.pem -nodes

Step 2 :

Now open the generated pem file (frompfx.pem) in a text editor (preferably Notepad++); it looks like this:
 
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: xxxxxxxxxx
Key Attributes
    X509v3 Key Usage: 10 
 
-----BEGIN PRIVATE KEY-----
KQr5BUJClayE5sGk8psPIlpKOH77L/KM44y/5V5eZggScuL1n5TF3zWdxmVCfXyO
6eeMnOraiushpdjqEhdZ81Ovp7WW2P15C5HhRboDTffyIRPymlDQ7z6iYwcJehdC
.
.
.
Tt+Xd8OA4YxGGMqdTvtQM0CMrGAuK87Rn2DenqcU+fPqyQRJYYAfgPsoRp16Ze3U
uENA/5u8wQ3jZGyoAwT6RQ==
-----END PRIVATE KEY-----
 
Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: xxxxxxxxxx
subject=/C=IN/O=WLS/OU=Oracle/OU=WLS/CN=xxxxxxxxxx
issuer=/C=IN/O=WLS
 
-----BEGIN CERTIFICATE-----
UzEYMBYGA1UEChMPQ2l0aWdyb3VwIFFBQ0ExMB4XDTE0MDYwMzE4NDgyN1oXDTE2
MDYwMzE5MTgyN1owZTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NpdGlncm91cCBR
.
.
.
u020Yq/ZURDS5zuUwrTcQ/wEIEb3yPwsg2Ce5kZNyyRmei1tLVqK9Vjxg5JYF0fF
DClwSQ==
-----END CERTIFICATE-----
 
Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: xxxxxxxxxxx
subject=/C=IN/O=WLS
issuer=/C=IN/O=WLS
 
-----BEGIN CERTIFICATE-----
REVWLk5BTS5OU1JPT1QuTkVUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAnNW8FRdS0wTsaCkK+QVCQpWshObBpPKbDyJaSjh++y/yjOOMv+VeXmYIEnLi
.
.
.
M/qKGqnM4BI2XD4wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWOC4xAwID
FX6HOFiP==
-----END CERTIFICATE-----
 

Step 3 :

The above example contains one private key entry and two certificates. Let's create two pem files (private and public) from it, as shown below:

 
-----BEGIN PRIVATE KEY-----
KQr5BUJClayE5sGk8psPIlpKOH77L/KM44y/5V5eZggScuL1n5TF3zWdxmVCfXyO
6eeMnOraiushpdjqEhdZ81Ovp7WW2P15C5HhRboDTffyIRPymlDQ7z6iYwcJehdC
.
.
.
Tt+Xd8OA4YxGGMqdTvtQM0CMrGAuK87Rn2DenqcU+fPqyQRJYYAfgPsoRp16Ze3U
uENA/5u8wQ3jZGyoAwT6RQ==
-----END PRIVATE KEY-----
 
Save this to a file called key.pem.
 
-----BEGIN CERTIFICATE-----
UzEYMBYGA1UEChMPQ2l0aWdyb3VwIFFBQ0ExMB4XDTE0MDYwMzE4NDgyN1oXDTE2
MDYwMzE5MTgyN1owZTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NpdGlncm91cCBR
.
.
.
u020Yq/ZURDS5zuUwrTcQ/wEIEb3yPwsg2Ce5kZNyyRmei1tLVqK9Vjxg5JYF0fF
DClwSQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
REVWLk5BTS5OU1JPT1QuTkVUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAnNW8FRdS0wTsaCkK+QVCQpWshObBpPKbDyJaSjh++y/yjOOMv+VeXmYIEnLi
.
.
.
M/qKGqnM4BI2XD4wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWOC4xAwID
FX6HOFiP==
-----END CERTIFICATE-----
 
Save this to a file and name it certs.pem (the server certificate first, followed by its issuing certificates, as above).
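Step 3 is done by hand in an editor above. As an added example (not part of the original post and not a WebLogic or OpenSSL tool), the following Python script performs the same split automatically: it discards the Bag Attributes text, writes the private key to key.pem, and writes the certificates to certs.pem in the order this post uses (server certificate first, then its issuers), using the subject= and issuer= lines that openssl prints in front of each certificate. It also reports whether the chain ends at a self-signed root, which is a cheap sanity check before the keystore is built. The sample bundle, file names and function names are constructed for this example; the base64 bodies are placeholders, not real key or certificate material.

```python
"""Split the bundle written by `openssl pkcs12 -in mypfxfile.pfx -out frompfx.pem -nodes`
into key.pem (private key) and certs.pem (certificate chain, server cert first).

Added example for this post; SAMPLE_BUNDLE is constructed and its base64
bodies are placeholders, not real key or certificate material.
"""
import re
import sys
from pathlib import Path

# One PEM block, header through footer; the footer must carry the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample in the layout `openssl pkcs12 -nodes` produces. The root
# certificate is deliberately listed before the server certificate to show
# that the script reorders the chain.
SAMPLE_BUNDLE = """Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: example
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUFJJVkFURSBLRVkgUExBQ0VIT0xERVIgTk9UIEEgUkVBTCBLRVk=
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: example
subject=/C=IN/O=WLS
issuer=/C=IN/O=WLS
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUk9PVCBDRVJUSUZJQ0FURSBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: example
subject=/C=IN/O=WLS/OU=Oracle/CN=server.example.test
issuer=/C=IN/O=WLS
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0VSVkVSIENFUlRJRklDQVRFIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""


def _field(preamble, name):
    """Pull `name=value` (e.g. subject=/C=IN/O=WLS) out of the text before a block."""
    m = re.search(r"^%s=(.*)$" % re.escape(name), preamble, re.MULTILINE)
    return m.group(1).strip() if m else None


def parse_bundle(text):
    """Return (list of private key PEMs, list of cert dicts with pem/subject/issuer)."""
    keys, certs, pos = [], [], 0
    for m in PEM_BLOCK.finditer(text):
        preamble = text[pos:m.start()]  # Bag Attributes, subject=, issuer= lines
        pos = m.end()
        label, pem = m.group("label"), m.group(0) + "\n"
        if label == "ENCRYPTED PRIVATE KEY":
            raise ValueError("private key is encrypted; re-run openssl pkcs12 with -nodes")
        if label.endswith("PRIVATE KEY"):
            keys.append(pem)
        elif label == "CERTIFICATE":
            certs.append({"pem": pem,
                          "subject": _field(preamble, "subject"),
                          "issuer": _field(preamble, "issuer")})
    return keys, certs


def is_self_signed(cert):
    return cert["subject"] is not None and cert["subject"] == cert["issuer"]


def order_chain(certs):
    """Order certificates leaf first by following issuer -> subject links.

    Needs the subject=/issuer= lines openssl prints; without them the
    certificates are returned in file order. Stops early when an issuer is
    missing from the bundle (the chain is then incomplete). Assumes the
    bundle holds distinct subjects, i.e. no duplicated or cross-signed certs.
    """
    if any(c["subject"] is None or c["issuer"] is None for c in certs):
        return list(certs)
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if not is_self_signed(c)}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one end-entity certificate, found %d" % len(leaves))
    chain = [leaves[0]]
    while not is_self_signed(chain[-1]):
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None or parent in chain:
            break
        chain.append(parent)
    return chain


def split_bundle_text(text):
    """Split bundle text; returns the key PEM, the ordered certs PEM and chain details."""
    keys, certs = parse_bundle(text)
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    if not certs:
        raise ValueError("no certificates found in the bundle")
    chain = order_chain(certs)
    return {
        "key_pem": keys[0],
        "certs_pem": "".join(c["pem"] for c in chain),
        "chain": chain,
        "complete": is_self_signed(chain[-1]),  # True when the chain ends at a root
    }


def split_bundle(bundle_path, key_path="key.pem", certs_path="certs.pem"):
    """Read frompfx.pem and write key.pem and certs.pem."""
    result = split_bundle_text(Path(bundle_path).read_text())
    Path(key_path).write_text(result["key_pem"])
    Path(certs_path).write_text(result["certs_pem"])
    return result


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "frompfx.pem"
    r = split_bundle(src)
    print("wrote key.pem and certs.pem with %d certificate(s); chain %s"
          % (len(r["chain"]), "ends at a self-signed root" if r["complete"]
             else "is incomplete (an issuer is missing from the bundle)"))
```

Run it as `python split_bundle.py frompfx.pem` in the folder that holds the openssl output. Because the key came out of openssl with -nodes, key.pem holds it unencrypted, exactly as the hand-edited file in Step 3 does; treat it with the same care as the original PFX.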
 

Step 4 :

Now convert the private key file (key.pem) to key.der:

– Open a command prompt, go to the <domain_home>/bin folder and run setDomainEnv.sh (setDomainEnv.cmd on Windows) so that the WebLogic classes are on the classpath.
 
– Now run the following command:
 
java utils.pem2der key.pem
 
This will create a key.der file.
 

Step 5 :

Now use the following command to import the private key together with the root and public certificates into a JKS identity keystore:

java utils.ImportPrivateKey -keystore identity.jks -storepass password -keyfilepass password -certfile certs.pem -keyfile key.der -alias mykey
 

Step 6 :

Now list the keystore and check the certificates and the private key entry; you can also validate the certificate chain:

keytool -list -v -keystore identity.jks -storepass password   (to list the contents of a keystore)
 

java utils.ValidateCertChain -jks mykey identity.jks   (to validate a certificate chain)

 

OR

Using keytool (JDK 6 and above):

Syntax :

keytool -importkeystore -srckeystore <source_keystoreFile> -srcstoretype PKCS12 -destkeystore <destination_keystoreFile>  -deststoretype JKS -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt

Example (keytool prompts for any password that is not given on the command line):

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore identity.jks -deststoretype JKS