Deep dive into various configurations with Oracle Weblogic Server

Steps to create a .jks keystore from .pfx file

Puneeth Prakash
Principal Software Engineer
Windows Server stores a private key together with its certificates in a PFX (PKCS#12) file.

Consider a scenario in which you export a PFX file from an IIS server and need to use the same key and certificates in WebLogic Server.

When exporting the PFX file, make sure you select the following option:

"Export the private key and include all certificates in the certificate path if possible."

Your PFX file now contains the private key along with the certificates. To use it with WebLogic Server you need to convert the PFX file to a .jks keystore (JKS is the recommended keystore format for WebLogic).

Step 1:

First, convert the .pfx file to .pem with OpenSSL (you will be prompted for the PFX import password):

openssl pkcs12 -in mypfxfile.pfx -out frompfx.pem -nodes

Note that -nodes writes the private key unencrypted, so keep frompfx.pem (and the key.pem derived from it below) readable only by you and delete both once the keystore has been built.

Step 2:

Now open the generated PEM file (frompfx.pem) in a text editor (preferably Notepad++). It looks like this:

Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: xxxxxxxxxx
Key Attributes
    X509v3 Key Usage: 10 
-----BEGIN PRIVATE KEY-----
KQr5BUJClayE5sGk8psPIlpKOH77L/KM44y/5V5eZggScuL1n5TF3zWdxmVCfXyO
6eeMnOraiushpdjqEhdZ81Ovp7WW2P15C5HhRboDTffyIRPymlDQ7z6iYwcJehdC
.
.
.
Tt+Xd8OA4YxGGMqdTvtQM0CMrGAuK87Rn2DenqcU+fPqyQRJYYAfgPsoRp16Ze3U
uENA/5u8wQ3jZGyoAwT6RQ==
-----END PRIVATE KEY-----

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: xxxxxxxxxx
subject=/C=IN/O=WLS/OU=Oracle/OU=WLS/CN=xxxxxxxxxx
issuer=/C=IN/O=WLS

-----BEGIN CERTIFICATE-----
UzEYMBYGA1UEChMPQ2l0aWdyb3VwIFFBQ0ExMB4XDTE0MDYwMzE4NDgyN1oXDTE2
MDYwMzE5MTgyN1owZTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NpdGlncm91cCBR
.
.
.
u020Yq/ZURDS5zuUwrTcQ/wEIEb3yPwsg2Ce5kZNyyRmei1tLVqK9Vjxg5JYF0fF
DClwSQ==
-----END CERTIFICATE-----

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: xxxxxxxxxxx
subject=/C=IN/O=WLS
issuer=/C=IN/O=WLS

-----BEGIN CERTIFICATE-----
REVWLk5BTS5OU1JPT1QuTkVUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAnNW8FRdS0wTsaCkK+QVCQpWshObBpPKbDyJaSjh++y/yjOOMv+VeXmYIEnLi
.
.
.
M/qKGqnM4BI2XD4wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWOC4xAwID
FX6HOFiP==
-----END CERTIFICATE-----

Step 3:

The example above contains one private key entry and two certificates. Create two PEM files from it, one for the private key and one for the certificates, as shown below:

-----BEGIN PRIVATE KEY-----
KQr5BUJClayE5sGk8psPIlpKOH77L/KM44y/5V5eZggScuL1n5TF3zWdxmVCfXyO
6eeMnOraiushpdjqEhdZ81Ovp7WW2P15C5HhRboDTffyIRPymlDQ7z6iYwcJehdC
.
.
.
Tt+Xd8OA4YxGGMqdTvtQM0CMrGAuK87Rn2DenqcU+fPqyQRJYYAfgPsoRp16Ze3U
uENA/5u8wQ3jZGyoAwT6RQ==
-----END PRIVATE KEY-----

Save this block to a file called key.pem.

-----BEGIN CERTIFICATE-----
UzEYMBYGA1UEChMPQ2l0aWdyb3VwIFFBQ0ExMB4XDTE0MDYwMzE4NDgyN1oXDTE2
MDYwMzE5MTgyN1owZTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0NpdGlncm91cCBR
.
.
.
u020Yq/ZURDS5zuUwrTcQ/wEIEb3yPwsg2Ce5kZNyyRmei1tLVqK9Vjxg5JYF0fF
DClwSQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
REVWLk5BTS5OU1JPT1QuTkVUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAnNW8FRdS0wTsaCkK+QVCQpWshObBpPKbDyJaSjh++y/yjOOMv+VeXmYIEnLi
.
.
.
M/qKGqnM4BI2XD4wCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWOC4xAwID
FX6HOFiP==
-----END CERTIFICATE-----

Save these two certificate blocks, in the order shown, to a file named certs.pem.

Step 4:

Now convert the private key file (key.pem) to DER format (key.der):

- Open a command prompt, change to the <domain_home>/bin folder and run setDomainEnv.cmd (on Linux, source setDomainEnv.sh) so that the WebLogic classes are on the classpath.

- Then run the following command:

       java utils.pem2der key.pem

This creates a key.der file.

Step 5:

Now import the private key (key.der) together with its certificate chain (certs.pem) into a JKS identity keystore, replacing the two "password" values with your own:

java utils.ImportPrivateKey -keystore identity.jks -storepass password -keyfilepass password -certfile certs.pem -keyfile key.der -alias mykey

Step 6:

Finally, list the keystore to confirm that the private key entry and its certificates are present, and validate the certificate chain:

keytool -list -v -keystore identity.jks -storepass password   (lists the contents of the keystore)

java utils.ValidateCertChain -jks mykey identity.jks   (validates the certificate chain of the "mykey" entry)

OR

Using keytool (JDK 6 and above):

Syntax:

keytool -importkeystore -srckeystore <source_keystoreFile> -srcstoretype PKCS12 -destkeystore <destination_keystoreFile>  -deststoretype JKS -srcstorepass mysecret -deststorepass mysecret -srcalias myalias -destalias myalias -srckeypass mykeypass -destkeypass mykeypass -noprompt

Example (keytool prompts for any password not given on the command line):

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore identity.jks -deststoretype JKS
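Steps 2 and 3 of the first route split the OpenSSL bundle by hand in an editor. The Python script below is an added example, not code from the original post, that performs the same split mechanically, drops the Bag Attributes lines, and uses the subject=/issuer= lines OpenSSL prints above each certificate to check that certs.pem is in the order ImportPrivateKey expects (server certificate first, root last). The sample bundle is constructed, with the base64 bodies shortened to one line.

```python
# Constructed sample of the bundle that `openssl pkcs12 -nodes` writes
# (base64 bodies shortened to one line; not real key material).
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: xxxxxxxxxx
-----BEGIN PRIVATE KEY-----
KQr5BUJClayE5sGk8psPIlpKOH77L/KM44y/5V5eZggScuL1n5TF3zWdxmVCfXyO
-----END PRIVATE KEY-----
Bag Attributes
subject=/C=IN/O=WLS/OU=Oracle/OU=WLS/CN=xxxxxxxxxx
issuer=/C=IN/O=WLS
-----BEGIN CERTIFICATE-----
UzEYMBYGA1UEChMPQ2l0aWdyb3VwIFFBQ0ExMB4XDTE0MDYwMzE4NDgyN1oXDTE2
-----END CERTIFICATE-----
Bag Attributes
subject=/C=IN/O=WLS
issuer=/C=IN/O=WLS
-----BEGIN CERTIFICATE-----
REVWLk5BTS5OU1JPT1QuTkVUMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-----END CERTIFICATE-----
"""

def split_bundle(text):
    """Return ([key PEM], [(subject, issuer, cert PEM), ...]) without the Bag Attributes."""
    keys, certs, subject, issuer, block = [], [], None, None, None
    for line in text.splitlines():
        if line.startswith("subject="):          # OpenSSL prints these two lines
            subject = line[len("subject="):].strip()   # above each certificate
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith("-----BEGIN "):
            block = [line]
        elif block is not None:                  # inside a PEM block
            block.append(line)
            if line.startswith("-----END "):
                pem = "\n".join(block) + "\n"
                if "PRIVATE KEY" in block[0]:
                    keys.append(pem)
                else:
                    certs.append((subject, issuer, pem))
                block = subject = issuer = None
    return keys, certs

def chain_order_problems(certs):
    """ImportPrivateKey wants the server cert first, each issuer = next subject, root last."""
    problems = [f"cert {i} issuer != cert {i + 1} subject"
                for i in range(len(certs) - 1) if certs[i][1] != certs[i + 1][0]]
    if certs and certs[-1][0] != certs[-1][1]:
        problems.append("last certificate is not self-signed (root missing?)")
    return problems
```

Write keys[0] to key.pem (owner-readable only, since -nodes left it unencrypted) and the certificate PEMs, concatenated in the returned order, to certs.pem before continuing with Step 4.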
