37

I have a Java keystore (.jks file) holding a single certificate. How can I create a .pfx file from this keystore?

Christian Berg

4 Answers

71

From Java 6 onwards, keytool has an -importkeystore option, which should be able to convert a JKS store into a PKCS#12 store (.p12/.pfx):

keytool -importkeystore -srckeystore thekeystore.jks \
            -srcstoretype JKS \
            -destkeystore thekeystore.pfx \
            -deststoretype PKCS12

It will ask you to enter a password for the source and destination (jks, pfx) files.

shareef
Bruno
  • I am getting these errors when I use this command: Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported. Have you seen that? – mikebz Jul 28 '14 at 01:22
  • @mikebz Yes, you can't have entries with only certificates in the PKCS#12 store, it only works for entries for which there is also a private key. – Bruno Jul 28 '14 at 09:46
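The TrustedCertEntry error discussed in the comments above can be avoided by checking entry types first and converting only entries that carry a private key. The script below is an added example, not part of any answer on this page; the function names and the sample listing are constructed, and it assumes the English-locale layout of `keytool -list` output.

```shell
#!/bin/sh
# Added example (not from the answers): pre-flight a JKS -> PKCS#12 conversion.
# Assumption: English-locale `keytool -list` layout, one line per entry:
#   alias, Mon DD, YYYY, entryType,
TAB=$(printf '\t')

# Read `keytool -list` output on stdin; print "convert<TAB>alias" for entries
# that hold a private key and "skip<TAB>alias" for certificate-only entries.
classify_entries() {
    awk -F', ' '
        /, PrivateKeyEntry,[ \t\r]*$/  { print "convert\t" $1 }
        /, trustedCertEntry,[ \t\r]*$/ { print "skip\t" $1 }
    '
}

# Convert every private-key entry of SRC.jks into DEST.pfx, one alias at a
# time, so certificate-only entries never reach -importkeystore.
# keytool prompts for the passwords itself; none are put on the command line.
jks_to_pfx() {  # usage: jks_to_pfx SRC.jks DEST.pfx
    src=$1 dest=$2
    plan=$(keytool -list -keystore "$src" -storetype JKS | classify_entries)
    # The plan is read on fd 3 so keytool keeps the terminal as its stdin.
    while IFS="$TAB" read -r action alias <&3; do
        case $action in
            convert)
                keytool -importkeystore -srckeystore "$src" -srcstoretype JKS \
                        -destkeystore "$dest" -deststoretype PKCS12 \
                        -srcalias "$alias" || return 1 ;;
            skip)
                echo "skipping '$alias': certificate only, no private key" >&2 ;;
        esac
    done 3<<EOF
$plan
EOF
}

# Constructed sample listing (not real output) showing both entry types.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jul 28, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
mykey, Jul 28, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>'

printf '%s\n' "$SAMPLE_LISTING" | classify_entries
```

Run as-is it only classifies the constructed listing; call jks_to_pfx with real file names to perform the conversion.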
3

This guy seems to have written a little Java class and batch file with good instructions to do this here: http://www.crionics.com/products/opensource/faq/signFree.htm#DownloadTools

If you want to do it yourself, the key lines in the .bat file seem to be:

keytool -export -rfc -keystore %KEYSTORE% -storepass %PASSWORD% -alias %ALIAS% > %CERT_64%
java -classpath %JAVACLASSPATH% ExportPrvKey %KEYSTORE% %PASSWORD% %ALIAS% > %PKEY_8%
openssl enc -in %PKEY_8% -a >> %PKEY_64%
openssl pkcs12 -inkey %PKEY_64% -in %CERT_64% -out %CERT_P12% -export

where ExportPrvKey does the step of extracting the private key from the keystore.

Nick Fortescue
  • Thanks for the answer. I also came across the site you linked via Google and tried it out. However, the last step fails for me. openssl terminates with the message: "unable to load private key". Any additional hints would be highly appreciated! – Christian Berg Feb 09 '09 at 12:18
  • Have a look at the private key file (%PKEY_64%). Does it actually exist? Googling it seems the most common errors are having it in the wrong directory or a bad format. Which version of openssl do you have? – Nick Fortescue Feb 09 '09 at 12:35
  • The PKEY_64 file exists and looks ok (it contains 858 "random" ascii characters). I'm using openssl 0.9.7d on a linux box. – Christian Berg Feb 09 '09 at 13:10
1

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_FILE.p12] -srcstoretype JKS -deststoretype PKCS12

Then it will request your passphrases and BAM - good to go. Tried it just last night, worked great.

You may have to change dir to your Java JDK or JRE bin folder first, then include a full path to your current keystore and dest .p12 file.

PhatAdam
-1

You can export a PFX file including private key, with the following command:

keytool -importkeystore -deststorepass secret -destkeypass secret -destkeystore KEYSTOREFILE.jks -srckeystore PFXFILE.pfx -srcstoretype PKCS12 -srcstorepass secret
Orion Edwards