Import PKCS12 private keys into JKS keystores using Java Keytool
This is very simple yet when I googled around I saw erratic answers such as ‘it is not possible’ or ‘you have to write java code’.
As a matter of fact, keytool (a key management utility shipped in Sun’s JDK) lets you do it simply.
- What do you want to do?
  Convert alice.p12 to alice.jks
- Why do you want to do that?
  In Metro, a WS stack, it is common to use JKS as a format for storing private keys
- How do you convert then?
  See below
Keytool’s documentation refers to the following option
-importkeystore [-v] [-srckeystore ] [-destkeystore ] [-srcstoretype ] [-deststoretype ] [-srcstorepass ] [-deststorepass ] [-srcprotected] [-destprotected] [-srcprovidername ] [-destprovidername ] [-srcalias [-destalias ] [-srckeypass ] [-destkeypass ]] [-noprompt] [-providerclass [-providerarg ]] ... [-providerpath ]
So in fact in our case, converting from alice.p12 to alice.jks is extremely simple:
- Create an empty JKS store
keytool -genkey -alias alice -keystore alice.jks
keytool -delete -alias alice -keystore alice.jks
- Import alice.p12 into alice.jks
keytool -v -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks -deststoretype JKS
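The same import as a non-interactive script, as an added example that is not code from the original post: it renames the entry, sets the key password explicitly, keeps passwords off the command line, and checks that a private key entry actually landed in the JKS file. It assumes a keytool recent enough to accept the :env password modifier; the function names, the SRC_PASS and DEST_PASS variables, and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# p12_to_jks SRC.p12 DEST.jks SRC_ALIAS DEST_ALIAS
# Passwords are taken from the exported variables SRC_PASS and DEST_PASS
# (hypothetical names), so they never appear in the process list or history.
p12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env SRC_PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env DEST_PASS \
        -srcalias "$3" -destalias "$4" -destkeypass:env DEST_PASS \
        </dev/null >/dev/null 2>&1 || return 1
    chmod 600 "$2"   # the file now holds a private key
    # Confirm a private key, not just a certificate, is stored under DEST_ALIAS.
    keytool -J-Duser.language=en -list -v -keystore "$2" -storetype JKS \
        -storepass:env DEST_PASS -alias "$4" </dev/null 2>/dev/null |
        grep -q 'Entry type: PrivateKeyEntry'
}

# demo: build a throwaway alice.p12 (constructed sample data, alias "1"),
# convert it to alice.jks under the alias "alice", then clean up.
demo() {
    dir=$(mktemp -d) || return 1
    SRC_PASS=src-pass-123 DEST_PASS=dest-pass-456   # constructed values
    export SRC_PASS DEST_PASS
    keytool -genkeypair -alias 1 -keyalg RSA -keysize 2048 -validity 1 \
        -dname "CN=alice" -keystore "$dir/alice.p12" -storetype PKCS12 \
        -storepass:env SRC_PASS -keypass:env SRC_PASS \
        </dev/null >/dev/null 2>&1 &&
    p12_to_jks "$dir/alice.p12" "$dir/alice.jks" 1 alice
    rc=$?
    rm -rf "$dir"
    return $rc
}

if command -v keytool >/dev/null 2>&1; then
    demo && echo "alice.p12 imported into alice.jks as PrivateKeyEntry 'alice'"
fi
```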
Couldn’t this be done with just one command:
keytool -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks
keytool will create alice.jks if it doesn’t already exist.
Yes you are absolutely right!
Here’s a print-out from my prompt:
O:\etc>keytool -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore alice.jks
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
O:\etc>keytool -list -v -keystore alice.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: 1
Creation date: 05-Apr-2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
...
Yes, I can generate keystore using the following command.
C:>keytool -v -importkeystore -srckeystore keystoresample.p12 -srcstoretype PKCS12 -destkeystore mykeystore.ks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias jun’s verisign, inc. id successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[Storing mykeystore.ks]
But I have a problem setting keypass. To set keypass, I think I have to use alias name that is jun’s verisign, inc.id in my case. And I always get an error. Here is what I use:
C:>keytool -v -importkeystore -srckeystore keystoresample.p12 -srcstoretype PKCS12 -destkeystore mykeystore.ks -deststoretype JKS -srcalias -destalias mytest -destkeypass changeit2
error: The system cannot find the file specified.
Any idea? Thanks,
It seems you have a couple of typos: first of all, shouldn’t it be -destkeystore mykeystore.jks (you forgot the j)?
Secondly you do not specify the value for srcalias.
Lastly, you can always change the key password in a second iteration, a separate command altogether.
keytool -importkeystore is not working for me in jdk 1.5 or 1.6. It says unrecognized option: -importkeystore.
Any idea?
This command only works with jdk 1.6 and +.
It doesn’t exist in jdk 1.5
I had the same issue.
regards
it’s ok !!!!!!!!
with:
jdk 6.0.17
tomcat 6
tnx very much!!!!
Giacomo
I think you might also want to look at “portecle” which is a free Java UI for dealing with keystores.