36

I need some help converting my .P12 certificate file into a JKS keystore. I've followed the standard commands using Java's keytool utility. However, when I try and use the resulting JKS file to access the WS endpoint via SOAPUI, I get a 403.7 error - Forbidden: SSL certificate is required. Using the P12 file with SOAPUI against the same endpoint produces a successful response. Here is the standard command for importing a P12 keystore into a JKS keystore -

keytool -importkeystore -srckeystore src.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore target.jks

I also tried using openssl to convert the P12 -> PEM -> DER -> JKS:

openssl pkcs12 -in src.p12 -out src.pem -clcerts

(Edit src.pem into its two composite parts called src.key and src.cer)

openssl pkcs8 -topk8 -nocrypt -in src.key -out key.der -inform PEM -outform DER
openssl x509 -in src.cer -inform PEM -out cert.der -outform DER

(I ran a utility to combine the two keys into keystore.ImportKey )

keytool -importkeystore -srckeystore keystore.ImportKey -destkeystore target.JKS

and similarly no dice.

Is there something I'm missing?

Adam Doyle

3 Answers

44

If you have the Keytool application and your PKCS#12 file, launch the one-line command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

You'll need to modify these parameters:

  • MY_FILE.p12: indicate the path to the PKCS#12 file (.p12 or .pfx extension) to be converted.
  • MY_KEYSTORE.jks: path to the keystore in which you want to store your certificate. If it does not exist it will be created automatically.
  • PASSWORD_JKS: password that will be requested at the keystore opening.
  • ALIAS_SRC: name matching your certificate entry in the PKCS#12 file, "tomcat" for example.

If you export your certificate from a Windows server, generating a .PFX file, you'll have to retrieve the "alias" name created by Windows. To do so, you can execute the following command:

keytool -v -list -storetype pkcs12 -keystore FILE_PFX

There, the "alias name" field indicates the storage name of your certificate, which you need to use in the command line.

  • ALIAS_DEST: name that will match your certificate entry in the JKS keystore, "tomcat" for example.

Tunaki
deepanmurugan
  • I tried this command on FreeBSD but I am getting this error: `Exception in thread "main" java.lang.AssertionError: Platform not recognized at sun.nio.fs.DefaultFileSystemProvider.create(DefaultFileSystemProvider.java:85) at java.io.FilePermission.<init>(FilePermission.java:191) at sun.net.www.protocol.file.FileURLConnection.getPermission(FileURLConnection.java:225) at java.net.URLClassLoader.getPermissions(URLClassLoader.java:666) at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:206)` though it works fine in the Mac terminal. Any lead on how to fix this? – Dhruvam Gupta Jun 22 '22 at 15:10
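
Added example (not part of the original answers): a POSIX shell helper that reads the `keytool -v -list` output mentioned in the answer above and prints each alias with its entry type, so you can confirm that the converted JKS holds a `PrivateKeyEntry` under the alias you expect. The listing is a constructed sample, and `sample_listing`, `list_entries` and `has_private_key` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: check which aliases in a keystore listing carry a private key.

# Constructed sample of `keytool -list -v` output (not from a real keystore).
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: rootca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry
EOF
}

# Read `keytool -list -v` text on stdin; print "alias<TAB>entry type" per entry.
list_entries() {
  awk '
    /^Alias name: / { alias = substr($0, 13) }
    /^Entry type: / { print alias "\t" substr($0, 13) }
  '
}

# Succeed only if alias $1 exists and is a PrivateKeyEntry (key + certificate).
# A trustedCertEntry holds a certificate only and cannot be used for client auth.
# The comparison ignores case because JKS aliases are case-insensitive.
has_private_key() {
  list_entries | WANT="$1" awk -F '\t' '
    tolower($1) == tolower(ENVIRON["WANT"]) && $2 == "PrivateKeyEntry" { found = 1 }
    END { exit !found }
  '
}

# Demo on the constructed sample.
sample_listing | list_entries
if sample_listing | has_private_key "tomcat"; then
  echo "tomcat: private key present"
fi
```

Against a real keystore, pipe `keytool -list -v -keystore target.jks` into `has_private_key` with your destination alias.
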
11

But he asked how to convert .p12 to JKS, so the answer is:

keytool -importkeystore  -srckeystore mystore.p12 -destkeystore myotherstore.jks -srcstoretype PKCS12 -deststoretype jks -srcstorepass mystorepass -deststorepass myotherstorepass -srcalias myserverkey -destalias myotherserverkey -srckeypass mykeypass -destkeypass myotherkeypass

Just had to use this line, works for me.

Schroeffu
  • Thanks for that. Just in case someone doesn't have an alias, like me, the command would be like: `keytool -importkeystore -srckeystore keystore,jks -destkeystore keystore.jks -srcstoretype PKCS12 -deststoretype jks -deststorepass changeit` It will ask you for the source password only. – lauksas Jan 03 '19 at 18:57
  • Any way to pass the source password from command line itself? – Aditya Pal Jan 25 '23 at 16:27
3

I am surprised that no one has answered this question for so long. Anyway, the easiest method to convert p12 to jks is by using Keytool. Following is the command you might need to use:

keytool -importkeystore -srckeystore mystore.jck -destkeystore myotherstore.jks -srcstoretype jceks -deststoretype jks -srcstorepass mystorepass -deststorepass myotherstorepass -srcalias myserverkey -destalias myotherserverkey -srckeypass mykeypass -destkeypass myotherkeypass

I believe the issues you are facing are probably because you didn't provide Keypass. Please note that it's a good practice to keep the keypass and storepass the same, since at times the server is unable to distinguish between keypass and storepass.

eshaa