Import PKCS12 private keys into JKS keystores using Java Keytool

This is very simple yet when I googled around I saw erratic answers such as ‘it is not possible’ or ‘you have to write java code’.

As a matter of fact, keytool (a key management utility shipped in Sun’s JDK) lets you do it simply.

What do you want to do?
Convert alice.p12 to alice.jks
Why do you want to do that?
In Metro, a WS stack, it is common to use JKS as a format for storing private keys
How do you convert then?
See below

Keytool’s documentation refers to the following option

-importkeystore [-v]
             [-srckeystore ] [-destkeystore ]
             [-srcstoretype ] [-deststoretype ]
             [-srcstorepass ] [-deststorepass ]
             [-srcprotected] [-destprotected]
             [-srcprovidername ]
             [-destprovidername ]
             [-srcalias  [-destalias ]
               [-srckeypass ] [-destkeypass ]]
             [-noprompt]
             [-providerclass
 [-providerarg ]] ...
             [-providerpath
]

So in fact in our case, converting from alice.p12 to alice.jks is extremely simple:

Create an empty JKS store

keytool -genkey -alias alice -keystore alice.jks
keytool -delete -alias alice -keystore alice.jks

Import alice.p12 into alice.jks

keytool -v -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore truststore.jks -deststoretype JKS

This entry was posted by David Brossard on April 8, 2010 at 4:51 pm, and is filed under Identity & Access Management. Follow any responses to this post through RSS 2.0.You can leave a response or trackback from your own site.

Comments (5)
Pings (1)
Related Posts

#1 written by Shawn Workman 10 months ago

Couldn’t this be done with just one command:
keytool -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks

keytool will create alice.jks if it doesn’t already exist.

Quote
#2 written by David Brossard 10 months ago

Yes you are absolutely right!

Here’s a print-out from my prompt:

O:\etc>keytool -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
O:\etc>keytool -list -v -keystore alice.jks Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry
Alias name: 1 Creation date: 05-Apr-2011 Entry type: PrivateKeyEntry Certificate chain length: 1 ...

Quote
#3 written by Jun Huang 7 months ago

Yes, I can generate keystore using following command.

C:>keytool -v -importkeystore -srckeystore keystoresample.p12 -srcstoretype PKCS12 -destkeystore m
ykeystore.ks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias jun’s verisign, inc. id successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing mykeystore.ks]

But I have a problem to set keypass. To set keypass, I think I have to use alias name that is jun’s verisign, inc.id in my case. And I always get an error. Here is what I use

C:>keytool -v -importkeystore -srckeystore keystoresample.p12 -srcstoretype PKCS12 -destkeystore m
ykeystore.ks -deststoretype JKS -srcalias -destalias mytest -destkeypass changeit2

error: The system cannot find the file specified.

Any idea? Thanks,

Quote
#4 written by David Brossard 7 months ago

It seems you have a couple typos: first of all shouldn’t it be -destkeystore mykeystore.jks (you forgot the j).

Secondly you do not specify the value for srcalias.
Lastly, you can always change the key password in a second iteration, a separate command altogether.

Quote
CAPTCHA Code *

Type your comment
You may use these HTML tags: <a> <abbr> <acronym> <b> <blockquote> <cite> <code> <del> <em> <i> <q> <strike> <strong>
Comment Feed for this Post