Skip to content

How to convert certificate from PEM to JKS?

I have to convert a certificate in PEM format into an Java key store.

To use this one with tomcat at a windows server

I’ve got those files:

  • cert_request.csr

      -----BEGIN CERTIFICATE REQUEST-----
      ...
      -----END CERTIFICATE REQUEST-----
    
  • cert_public_key.pem

      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    
  • cert_private_key.pem

      -----BEGIN ENCRYPTED PRIVATE KEY-----
      ...
      -----END ENCRYPTED PRIVATE KEY-----
    
  • cert.txt

      contains an 16 digit key
    

I tryed to combine the pem files (by combining the two files were chain together) and converted this with openssl into an

  • .der file and import that with keytool into an new keystore
  • same with .p12
  • directly imported to keystore

I also tryed to change the

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ...
    -----END ENCRYPTED PRIVATE KEY-----

into

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

and tryed the 3 ways above

what have I to do that I get an working certificate?

EDIT:

I combinied the cert_public_key.pem and the cert_private_key.pem to cert_comb.pem

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    ...
    -----END ENCRYPTED PRIVATE KEY-----

Answer

You aren’t clear which files you combined, but it should work to use openssl to combine the cert and private key to a PKCS#12:

cat cert_public_key.pem cert_private_key.pem >combined.pem
openssl pkcs12 -export -in combined.pem -out cert.p12

or on the fly but (update:) the privatekey must be first:

cat cert_private_key.pem cert_public_key.pem | openssl pkcs12 -export -out cert.p12 

If your cert needs any chain cert(s) — the CA should have told you this when you submitted the CSR and they issued the cert — it’s easiest to also include it(them) now.

Then (1) some Java programs can actually use a pkcs12 directly as a keystore, but (2) if you need or prefer a JKS use keytool:

keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore cert.jks 

If you care about the alias in the resulting JKS, easiest to fix it after converting.

Also: just changing the labels in an encrypted PEM doesn’t unencrypt it, nor does changing the label from generic PKCS#8 to RSA actually change the data to match (and they are different, though only a little). If you do want a separate PEM file with the decrypted private key:

openssl pkey -in encryptedpk8 -out clearpk8.pem # 1.0.0 up
openssl pkcs8 -in encryptedpk8 -out clearpk8.pem # 1.0.0 up 
openssl pkcs8 -topk8 -nocrypt -in encryptedpk8 -out clearpk8.pem # below 1.0.0
openssl rsa -in encryptedpk8 -out clearrsa.pem