Converting a Windows PFX or Windows PKCS12 keystore to a .JKS Keystore

NickKoval
Contributor

While working with a Windows admin, we stumbled on this gem of a piece of code that will allow you to convert a Windows PFX or PKCS12 file into a .jks keystore that can be used with Tomcat.

Requirements:

  • KeyTool - installed as part of the Java SDK
  • A PKCS12 file in .pfx or .p12 exported from IIS or Apache
  • The name of the alias for the tomcat key - hint: IIS puts it in GUID format

Obtain the name of the alias for the tomcat key in the certificate file using the following command:

keytool -v -list -storetype pkcs12 -keystore FILE_PFX

Next, plug in the source file, alias name, new .jks file name, keystore password and new alias into this command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 \
 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] \
 -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

NOTE: Casper is coded to look for the destalias "tomcat" in the server.xml file. If you decide to name your destination alias anything different than tomcat, you will need to modify Tomcat's server.xml file and bounce Tomcat.

This link is to the original post that helped me: http://www.tbs-certificats.com/FAQ/en/626.html. I've posted the applicable contents here so that it can be found more easily for others.
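The procedure above as one script, added here as an example and not code from the original post or the linked FAQ. It reads the alias out of the PFX with keytool instead of copying the GUID by hand, passes both passwords through the environment with keytool's ":env" password modifier (so they do not land in shell history or in "ps" output the way a literal -deststorepass does), and checks that the destination alias really exists before anyone edits server.xml. The file names, the PFX_PASS and JKS_PASS variable names, the function names and the return codes are assumptions made for the example; it needs keytool on the PATH and an English-language JDK.

```shell
#!/bin/sh
# Convert a Windows PFX/PKCS12 export into a JKS for Tomcat without typing the
# alias or the passwords on the command line. keytool accepts any password
# option as "-xxxpass:env VARNAME" (or ":file PATH"), which keeps it out of
# `ps` output and shell history; the alias is read from the source keystore
# rather than copied by hand out of the GUID that IIS assigns.

# Print every alias in a keystore, one per line.
# Usage: keystore_aliases STORETYPE FILE PASSWORD_ENV_VAR
# Assumes an English-language JDK (the "Alias name:" label is localised).
keystore_aliases() {
  command -v keytool >/dev/null 2>&1 || return 127
  keytool -v -list -storetype "$1" -keystore "$2" -storepass:env "$3" 2>/dev/null \
    | sed -n 's/^Alias name: //p'
}

# Import one private-key entry from a PFX into a new JKS.
# Usage: PFX_PASS=... JKS_PASS=... pfx_to_jks IN.pfx SRC_ALIAS OUT.jks [DEST_ALIAS]
# Returns 127 if keytool is missing, 2 if the source file is absent, 1 if keytool fails.
pfx_to_jks() {
  in_pfx=$1; src_alias=$2; out_jks=$3; dest_alias=${4:-tomcat}
  command -v keytool >/dev/null 2>&1 || return 127
  [ -f "$in_pfx" ] || return 2
  # -destkeypass is set equal to the store password: Tomcat opens the key with
  # keystorePass unless keyPass is configured separately in server.xml.
  keytool -importkeystore -noprompt \
    -srckeystore "$in_pfx" -srcstoretype pkcs12 -srcstorepass:env PFX_PASS \
    -srcalias "$src_alias" \
    -destkeystore "$out_jks" -deststoretype jks -deststorepass:env JKS_PASS \
    -destkeypass:env JKS_PASS -destalias "$dest_alias" >/dev/null || return 1
}

# Whole procedure: find the alias, convert, and confirm the destination alias
# exists before server.xml is touched.
# Usage: PFX_PASS=... JKS_PASS=... convert_and_verify IN.pfx OUT.jks [DEST_ALIAS]
convert_and_verify() {
  in_pfx=$1; out_jks=$2; dest_alias=${3:-tomcat}
  command -v keytool >/dev/null 2>&1 || return 127
  aliases=$(keystore_aliases pkcs12 "$in_pfx" PFX_PASS)
  [ -n "$aliases" ] || return 3            # wrong password, or no entries
  # an IIS export normally holds one entry; take the first and say so if not
  src_alias=$(printf '%s\n' "$aliases" | head -n 1)
  [ "$(printf '%s\n' "$aliases" | wc -l)" -eq 1 ] \
    || echo "note: several entries found, importing '$src_alias'" >&2
  pfx_to_jks "$in_pfx" "$src_alias" "$out_jks" "$dest_alias" || return $?
  keystore_aliases jks "$out_jks" JKS_PASS | grep -qx "$dest_alias"
}
```

Run it as PFX_PASS=... JKS_PASS=... sh -c '. ./pfx_to_jks.sh; convert_and_verify export.pfx keystore.jks tomcat', then point the Tomcat Connector's keystoreFile, keystorePass and keyAlias at the result. Two things worth knowing before doing this on a current JDK: keytool has warned since JDK 9 that JKS is a proprietary format and recommends PKCS12, and Tomcat can read a PKCS12 file directly with keystoreType="PKCS12", so the conversion is only needed where server.xml insists on JKS.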

4 Replies

jpfromdc98
New Contributor III

Thank you for this!

jrepasky
New Contributor III

Updated:
Run on OS X for a JSS running Windows 2008R2 Server.

http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key

Using JDK 1.6 or later

It has been pointed out by Justin in the comments below that keytool alone is capable of doing this using the following command (although only in JDK 1.6 and later):

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

Using JDK 1.5 or below

OpenSSL can do it all. This answer on JGuru is the best method that I've found so far.

Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed as I found with Mac OS X.

The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:

openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"

NOTE that the name provided in the second command is the alias of your key in the new key store.

You can verify the contents of the key store using the Java keytool utility with the following command:

keytool -v -list -keystore mykeystore.p12 -storetype pkcs12

Finally, if you need to, you can convert this to a JKS key store by importing the key store created above into a new key store:

keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS

rconfare
New Contributor

I had a lot of issues doing the above. What I found to work with bringing our Windows wildcard cert in to the JSS was the following:

from: https://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-an-apache-server...

Convert the wildcard .pfx file using OpenSSL

After you have exported the wildcard certificate from the Windows server you will need to extract all the individual certificates and private key from the .pfx file using OpenSSL. Copy the .pfx file to the server or another computer that has OpenSSL installed.

Run this OpenSSL command to create a text file with the contents of the .pfx file:

openssl pkcs12 -in yourdomain.pfx -out yourdomain.txt -nodes

Open the yourdomain.txt file that the command created in a text editor. Copy each certificate/private key to its own text file, including the "-----BEGIN RSA PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" headers. Save them with names such as yourdomain.key, yourdomain.crt, intermediateCA.crt, etc. My intermediate came directly from GoDaddy in my case.

Then I used the following article to convert the certs to a .p12

from: https://jamfnation.jamfsoftware.com/article.html?id=138

openssl pkcs12 -export -in C:\temp\yourdomain.crt -inkey C:\temp\yourdomain.key -out C:\temp\yourdomain.p12 -name tomcat -CAfile C:\temp\intermediateCA.crt -caname root -chain

I then used the JSS to import the .p12 instead of following the rest of the instructions on the JAMF article. I logged in directly to the localhost of each of my frontend servers (I have 2 frontends and 1 database box). I then went to System Settings/Apache Tomcat Settings and uploaded the .p12 cert on both.

I hope my struggles can help someone else.
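The openssl route described in this reply as one script, added here as an example; it is not code from the post or from the two linked articles. Rather than opening the text dump and copying PEM blocks by hand, it lets openssl split the private key, the server certificate and the CA certificates out of the .pfx with -nocerts, -clcerts and -cacerts, writes them under umask 077 (the -nodes step puts the key on disk unencrypted), rebuilds the PKCS12 with the tomcat alias and -chain -CAfile as in the command above, and deletes the plaintext key whether or not the export succeeded. Both passwords come from the environment (openssl's env: passphrase source) instead of the command line. The file names, the work directory, the PFX_PASS and P12_PASS variable names and the return codes are assumptions made for the example.

```shell
#!/bin/sh
# Rebuild a Windows-exported .pfx as a PKCS12 file carrying the alias Tomcat and
# the JSS expect, letting openssl split out the key, the server certificate and
# the CA certificates instead of copying PEM blocks from a text dump by hand.
# Passwords are read from the environment with openssl's env: passphrase source
# (PFX_PASS for the Windows export, P12_PASS for the new file), so they never
# appear on the command line, in `ps`, or in shell history.

# Usage: PFX_PASS=... P12_PASS=... rebuild_pfx_for_tomcat IN.pfx OUT.p12 WORKDIR [ALIAS]
# Returns 127 if openssl is missing, 1 on a missing input or any openssl error.
rebuild_pfx_for_tomcat() {
  in_pfx=$1; out_p12=$2; work=$3; friendly=${4:-tomcat}
  command -v openssl >/dev/null 2>&1 || return 127
  [ -f "$in_pfx" ] || return 1
  mkdir -p "$work" || return 1
  rc=0
  (
    umask 077   # the unencrypted key written below must be readable by this user only
    # 1. private key, unencrypted (-nodes): the export step re-encrypts it
    openssl pkcs12 -in "$in_pfx" -passin env:PFX_PASS -nocerts -nodes \
      -out "$work/key.pem" || exit 1
    # 2. the server (leaf) certificate only
    openssl pkcs12 -in "$in_pfx" -passin env:PFX_PASS -clcerts -nokeys \
      -out "$work/leaf.pem" || exit 1
    # 3. every CA certificate bundled in the export (intermediates and root)
    openssl pkcs12 -in "$in_pfx" -passin env:PFX_PASS -cacerts -nokeys \
      -out "$work/chain.pem" || exit 1
    # 4. re-export under the wanted alias. -chain makes openssl verify that the
    #    leaf chains up to a root found via -CAfile and embeds that chain; it
    #    fails loudly if the Windows export left the intermediates out.
    openssl pkcs12 -export -in "$work/leaf.pem" -inkey "$work/key.pem" \
      -CAfile "$work/chain.pem" -chain -name "$friendly" \
      -passout env:P12_PASS -out "$out_p12" || exit 1
  ) || rc=$?
  # 5. the plaintext key never outlives the conversion, success or not
  rm -f "$work/key.pem" "$work/leaf.pem" "$work/chain.pem"
  return $rc
}

# Print the friendlyName of every certificate bag in a PKCS12 file, one per line.
# Usage: p12_friendly_names FILE PASSWORD_ENV_VAR
p12_friendly_names() {
  command -v openssl >/dev/null 2>&1 || return 127
  openssl pkcs12 -in "$1" -nokeys -passin "env:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p'
}
```

Check the result with p12_friendly_names before uploading it; the alias Tomcat will see is the friendlyName. Two caveats from practice: exports from older Windows servers encrypt the certificate bags with RC2-40-CBC, which OpenSSL 3 refuses unless -legacy is added to the three extraction commands (and the legacy provider is installed); and if the export was made without "Include all certificates in the certification path", chain.pem comes out empty and the -chain step fails, so append the intermediate and root from the CA to it first.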

ablend
New Contributor III

Allow me to bring this thread back from the dead. Nick, thank you a thousand times for your post; it got me 99% of the way there. I was hung up on the last part, where I needed to fill in the ALIAS_SRC. My pfx file was reporting the alias as "2"; however, no matter how I tried to enter 2, it wouldn't work. After finding a thread on StackOverflow, I found that if you replace the 2 with a 1 for ALIAS_SRC in your keytool command, it works like a charm.

I uploaded the new keystore file through the Apache Tomcat Settings > SSL Certificate page in the JSS, manually restarted Tomcat on the server, and I was back in business with my new certificate.

Thanks again!