
I am trying to import a certificate and a key file into the keystore but I'm unable to do that.

How can I create a keystore by importing both an existing certificate file (abc.crt) and a key file (abc.key)?

Ravi Jain

6 Answers


The easiest is probably to create a PKCS#12 file using OpenSSL:

openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12

You should be able to use the resulting file directly using the PKCS12 keystore type.

If you really need to, you can convert it to JKS using keytool -importkeystore (available in keytool from Java 6):

keytool -importkeystore -srckeystore abc.p12 \
        -srcstoretype PKCS12 \
        -destkeystore abc.jks \
        -deststoretype JKS

Bruno
  • Thanks Bruno, can you please let me know from where I can get the openssl utility? – Ravi Jain Aug 14 '12 at 16:59
  • One more question here: is the generated keystore platform specific? Meaning, will it work if I create the keystore in Windows and use it in Unix? – Ravi Jain Aug 14 '12 at 17:02
  • The generated keystore is platform independent. OSX and most Linux distributions should come with OpenSSL (otherwise, just install the package). There are binaries for Windows too ([here](http://www.openssl.org/related/binaries.html), for example, although you can probably find other places too.) – Bruno Aug 14 '12 at 17:18
  • I should also point out that with a `PKCS12` keystore, the key's password is the same as the store's password (whereas they may be different for other types of stores, especially `JKS`). – Bruno Aug 14 '12 at 19:44
  • Where does the password that must be used in KeyStore.load() come from? I don't think there's one already set in the `.key` file I have, because `openssl rsa -text` is able to display something that looks like a valid private key. – hmakholm left over Monica Aug 15 '12 at 14:35
  • @HenningMakholm, it's possible that your private key file isn't password-protected; you'll have to set one up when you create the PKCS#12 file. – Bruno Aug 15 '12 at 14:48
  • So suppose I don't have the private keystore, is there any way to convert from .crt to .jks? – Jeryl Cook Jan 03 '17 at 18:00
  • @Bruno Thanks. I have a PKCS #7 certificate. Should I use pkcs12 or 7? – Abel Jojo Mar 06 '18 at 13:20
  • Note: I think something changed in Java 10's keytool. It was not generating a "Java KeyStore" file. Changed it to Java 8's keytool and it worked as expected. – dvlcube Apr 15 '19 at 18:15
  • Is there a way to do this without using openssl/keytool? Like, doesn't Java have built-in functionality to import a separate crt and key into an in-memory Keystore? – Simao Gomes Viana Apr 26 '23 at 13:16
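Answering the last comment above, here is an added example (not from any of the answers) that loads abc.crt and an unencrypted PKCS#8 abc.key straight into an in-memory PKCS12 KeyStore with the standard Java APIs, then writes it out as abc.p12; the class name is an assumption, while the file names, the `tomcat` alias and the `changeit` password are the placeholders used elsewhere on this page.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class PemToKeyStore {
    // Load a PEM "-----BEGIN PRIVATE KEY-----" (PKCS#8) file. A traditional PKCS#1 file
    // ("BEGIN RSA PRIVATE KEY") must first be converted: openssl pkcs8 -topk8 -nocrypt -in abc.key -out abc-pkcs8.key
    static PrivateKey readPkcs8Key(String path, String algorithm) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new IllegalArgumentException(path + " is not an unencrypted PKCS#8 PEM key");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Build an in-memory PKCS12 keystore holding a single private-key entry.
    static KeyStore buildKeyStore(String certPath, String keyPath, String alias, char[] password) throws Exception {
        Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(certPath))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in); // accepts PEM or DER
        }
        PrivateKey key = readPkcs8Key(keyPath, cert.getPublicKey().getAlgorithm()); // "RSA" or "EC"
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // initialise an empty store
        // In a PKCS12 store the key password equals the store password (see Bruno's comment above)
        ks.setKeyEntry(alias, key, password, new Certificate[] { cert });
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // placeholder; prompt for it or read it from the environment
        KeyStore ks = buildKeyStore("abc.crt", "abc.key", "tomcat", password);
        System.out.println("tomcat is a key entry: " + ks.isKeyEntry("tomcat"));
        try (OutputStream out = Files.newOutputStream(Paths.get("abc.p12"))) {
            ks.store(out, password); // same file type that `openssl pkcs12 -export` produces
        }
    }
}
```

The resulting abc.p12 can be used directly as a PKCS12 keystore or converted to JKS with the `keytool -importkeystore` command shown in the answer.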

You must use OpenSSL and keytool.

OpenSSL for CER & PVK file > P12

openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12

Keytool for p12 > JKS

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert

Shivan A.

Adding to @MK Yung's and @Bruno's answers: do enter a password for the destination keystore. I saw my console hanging when I entered the command without a password.

openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12 -name localhost  -passout pass:changeit

Swarna

Ideally you should have received 3 files: ca_bundle.crt, yourname.crt and yourname.key.

Use the following command to create the PKCS#12 version of it:

openssl pkcs12 -export -out yourname.pfx -inkey yourname.key -in yourname.crt -certfile ca_bundle.crt

Then you will need to import it into a keystore, which is easy to configure in Apache:

keytool -importkeystore -srckeystore yourname.pfx -srcstorepass yourpassword -srcstoretype pkcs12 -destkeystore yourkeystore.jks -deststoretype jks -deststorepass yourkeystorepassword

Diceyus

In addition to @Bruno's answer, you need to supply the -name for the alias, otherwise Tomcat will throw an `Alias name tomcat does not identify a key entry` error.

Sample command:

openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name localhost

MK Yung

If the keystore is for Tomcat, then after creating the keystore with the above answers you must add a final step to create the "tomcat" alias for the key:

keytool -changealias -alias "1" -destalias "tomcat" -keystore keystore-file.jks

You can check the result with:

keytool -list -keystore keystore-file.jks -v

Theo