Import PKCS12 private keys into JKS keystores using Java Keytool

This is very simple yet when I googled around I saw erratic answers such as ‘it is not possible’ or ‘you have to write java code’.

As a matter of fact, keytool (a key management utility shipped in Sun’s JDK) lets you do it simply.

  • What do you want to do?
    Convert alice.p12 to alice.jks
  • Why do you want to do that?
    In Metro, a WS stack, it is common to use JKS as a format for storing private keys
  • How do you convert then?
    See below


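Keytool’s documentation refers to the following option:

-importkeystore [-v]
             [-srckeystore <srckeystore>] [-destkeystore <destkeystore>]
             [-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]
             [-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]
             [-srcprotected] [-destprotected]
             [-srcprovidername <srcprovidername>]
             [-destprovidername <destprovidername>]
             [-srcalias <srcalias> [-destalias <destalias>]
               [-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]
             [-noprompt]
             [-providerclass <provider_class_name>
             [-providerarg <arg>]] ...
             [-providerpath <pathlist>]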

So in fact in our case, converting from alice.p12 to alice.jks is extremely simple:

  1. Create an empty JKS store
    keytool -genkey -alias alice -keystore alice.jks
    keytool -delete -alias alice -keystore alice.jks
  2. Import alice.p12 into alice.jks
    keytool -v -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks -deststoretype JKS
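
A non-interactive form of the import above, as an added example that is not part of the original post: it renames the source alias, sets a separate key password on the JKS entry, and checks that the private key and certificate arrived intact. The function names and the SRC_PASS, DEST_PASS and KEY_PASS environment variables are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the
# SRC_PASS / DEST_PASS / KEY_PASS variable names are hypothetical.

# Print one entry's certificate as PEM so two keystores can be compared.
# usage: export_cert <keystore> <storetype> <alias> <password env var>
export_cert() {
    keytool -exportcert -rfc -keystore "$1" -storetype "$2" -alias "$3" \
        -storepass:env "$4" 2>/dev/null
}

# Copy one PKCS12 entry into a JKS keystore under a new alias, without prompts.
# The ":env" modifier makes keytool read each password from the named
# environment variable, keeping it out of the process list.
# With -noprompt an existing <destalias> entry is overwritten silently.
# usage: p12_to_jks <src.p12> <dest.jks> <srcalias> <destalias>
p12_to_jks() {
    src=$1 dest=$2 srcalias=$3 destalias=$4
    keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass:env SRC_PASS \
        -srcalias "$srcalias" \
        -destkeystore "$dest" -deststoretype JKS -deststorepass:env DEST_PASS \
        -destalias "$destalias" -destkeypass:env KEY_PASS \
        </dev/null >/dev/null 2>&1 || return 1
    # The imported entry must be a private key, not only a certificate.
    keytool -list -v -keystore "$dest" -storetype JKS -alias "$destalias" \
        -storepass:env DEST_PASS 2>/dev/null | grep -q PrivateKeyEntry || return 2
    # Its certificate must be identical to the one in the source file.
    src_pem=$(export_cert "$src" PKCS12 "$srcalias" SRC_PASS)
    [ -n "$src_pem" ] &&
        [ "$src_pem" = "$(export_cert "$dest" JKS "$destalias" DEST_PASS)" ] ||
        return 3
}

# Demo on a constructed throw-away key stored under the alias "1", renamed
# to "alice" on import. Run with: sh p12_to_jks.sh demo
demo() {
    dir=$(mktemp -d) || return 1
    export SRC_PASS=constructed-src DEST_PASS=constructed-dest KEY_PASS=constructed-key
    keytool -genkeypair -alias 1 -keyalg RSA -keysize 2048 -validity 1 \
        -dname 'CN=alice constructed test key' -storetype PKCS12 \
        -keystore "$dir/alice.p12" -storepass:env SRC_PASS \
        -keypass:env SRC_PASS </dev/null >/dev/null 2>&1 &&
        p12_to_jks "$dir/alice.p12" "$dir/alice.jks" 1 alice
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
if [ "${1:-}" = demo ]; then demo && echo "alice.jks verified"; fi
```

A return code of 1 means the import itself failed, 2 that the destination entry is not a PrivateKeyEntry, and 3 that the certificates differ.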

11 thoughts on “Import PKCS12 private keys into JKS keystores using Java Keytool”

  2. Shawn Workman says:

    Couldn’t this be done with just one command:
    keytool -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks

    keytool will create alice.jks if it doesn’t already exist.

  3. Yes you are absolutely right!

    Here’s a print-out from my prompt:

    O:\etc>keytool -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias 1 successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

    O:\etc>keytool -list -v -keystore alice.jks
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: 1
    Creation date: 05-Apr-2011
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    ...

  4. Jun Huang says:

    Yes, I can generate a keystore using the following command.

    C:>keytool -v -importkeystore -srckeystore keystoresample.p12 -srcstoretype PKCS12 -destkeystore mykeystore.ks -deststoretype JKS
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias jun’s verisign, inc. id successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
    [Storing mykeystore.ks]

    But I have a problem setting keypass. To set keypass, I think I have to use the alias name, which is jun’s verisign, inc. id in my case. And I always get an error. Here is what I use:

    C:>keytool -v -importkeystore -srckeystore keystoresample.p12 -srcstoretype PKCS12 -destkeystore mykeystore.ks -deststoretype JKS -srcalias -destalias mytest -destkeypass changeit2

    error: The system cannot find the file specified.

    Any idea? Thanks,

  5. It seems you have a couple of typos: first of all, shouldn’t it be -destkeystore mykeystore.jks (you forgot the j)?

    Secondly you do not specify the value for srcalias.
    Lastly, you can always change the key password in a second iteration, a separate command altogether.

  6. cs says:

    keytool -importkeystore is not working for me in jdk 1.5 or 1.6. It says unrecognized option: -importkeystore.

    Any idea?

  7. Marq says:


    cs:

    keytool -importkeystore is not working for me in jdk 1.5 or 1.6. It says unrecognized option: -importkeystore.
    Any idea?

    This command only works with jdk 1.6 and +.
    It doesn’t exist in jdk 1.5
    I had the same issue.

    regards

  8. giacomo says:

    it’s ok !!!!!!!!
    with:
    jdk 6.0.17
    tomcat 6

    tnx very much!!!!
    Giacomo

  9. Felix says:

    I think you might also want to look at “portecle” which is a free Java UI for dealing with keystores.
