How to convert certificate from PEM to JKS?

Question

I have to convert a certificate in PEM format into an Java key store. To use this one with tomcat at a windows server I've got those files: cert_request.csr cert_public_key.pem cert_private_key.pem cert.txt I tryed to combine the pem files (by combining the two files were chain together) and converted this with openssl into an .der file and import that with

Accepted Answer

You aren&#8217;t clear which files you combined, but it should work to use openssl to combine the cert and private key to a PKCS#12:cat cert_public_key.pem cert_private_key.pem >combined.pemopenssl pkcs12 -export -in combined.pem -out cert.p12or on the fly but (update:) the privatekey must be first:cat cert_private_key.pem cert_public_key.pem | openssl pkcs12 -export -out cert.p12 If your cert needs any chain cert(s) &#8212; the CA should have told you this when you submitted the CSR and they issued the cert &#8212; it&#8217;s easiest to also include it(them) now.Then (1) some Java programs can actually use a pkcs12 directly as a keystore, but (2) if you need or prefer a JKS use keytool:keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore cert.jks If you care about the alias in the resulting JKS, easiest to fix it after converting. Also: just changing the labels in an encrypted PEM doesn&#8217;t unencrypt it, nor does changing the label from generic PKCS#8 to RSA actually change the data to match (and they are different, though only a little). If you do want a separate PEM file with the decrypted private key:openssl pkey -in encryptedpk8 -out clearpk8.pem # 1.0.0 upopenssl pkcs8 -in encryptedpk8 -out clearpk8.pem # 1.0.0 up openssl pkcs8 -topk8 -nocrypt -in encryptedpk8 -out clearpk8.pem # below 1.0.0openssl rsa -in encryptedpk8 -out clearrsa.pem

Advertisement

Answer