11 Jan 2016

Convert a .p12 Keystore to .jks

These steps seem to be a headache at my workplace, so here is a short walkthrough for going from a .p12 to a .jks keystore.

In step 1, we generate the private key, the CSR and the certificate chain needed to build a p12 keystore. In step 2, we build the .p12 keystore. In step 3, we convert the p12 to a jks keystore. Make sure you are in the directory that holds the key and certificate files before running the commands. Depending on your Java installation, keytool may not be on your PATH; in that case change to the JDK's bin directory and run it as ./keytool.

Step 1 - Generate the Certificates:

# Generate the private key (the master secret; keep it readable only by you) with OpenSSL:

openssl genrsa -out johnghawi.com.key 2048

# Generate a CSR (Certificate Signing Request, used to obtain the public certificate) from the private key above. Answer the prompts; the Common Name must be the host name, here johnghawi.com:

openssl req -new -key johnghawi.com.key -out johnghawi.com.csr

Submit the .csr file to a Certificate Authority (CA) and you get back your .cer certificate in PEM form (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines). The .cer file is your public-facing certificate; it contains no secret and can be shared freely, unlike the .key file.

Once you get your host's certificate, the CA will usually also give you one or more intermediate certificates and a root certificate to download. Download those too. Together they form a certificate chain: the intermediates and the root are what a client needs to complete the chain of trust. In plain English, your certificate may have been issued by an intermediate CA that is not in your application's or browser's trust store, but the root of a major CA is. That root certificate validates the intermediate certificates, the intermediates validate the certificate issued to you, and that is how the chain is completed. A server that presents only its own certificate and omits the intermediates fails validation on any client that does not already have them, so the intermediates belong in your keystore alongside the host certificate.

Next, bundle the intermediates and the root into one file with the cat command. This keeps the chain in one place and makes it easy to manage. The certificates must be in PEM (text) form, and order matters: first the intermediate that issued your certificate, then any further intermediates, then the root. Do not add your host certificate to the line below, only the intermediates (all of them, in order) and the root certificate.

cat intermediate1.cer intermediate2.cer root.cer > chain-bundle.cer

To check the result, print the bundle; you should see one BEGIN CERTIFICATE / END CERTIFICATE block per certificate, in the order you gave them:

cat chain-bundle.cer

Step 2 - Build the .p12 Keystore

Before performing the conversion, we build the p12 keystore with the first command. There is a good chance you arrived here because you only want to convert one format to the other; we build the p12 anyway to show how the OpenSSL keystore maps to the Java keytool keystore. If you already have a .p12, skip to step 3.

Create the .p12 keystore from the certificates above. openssl will prompt for an export password; that password protects the private key inside the file, so use the same value you will later give keytool as -srcstorepass (123456 in this tutorial, which is a placeholder, not a recommendation). -name applet sets the friendlyName that becomes the keytool alias, and -chain tells openssl to pull the intermediates and the root out of chain-bundle.cer and include them in the file:

openssl pkcs12 -export -in johnghawi.com.cer -name applet -CAfile chain-bundle.cer -chain -inkey johnghawi.com.key -out myKeys.p12

Step 3 - Convert the p12 keystore to a java keystore (jks):

Depending on how keytool was installed, it may not be on your PATH; in that case run it from the JDK's bin directory as ./keytool.

keytool -importkeystore \
-deststoretype JKS -deststorepass 123456 -destkeypass 123456 -destkeystore myKeys.jks \
-srckeystore myKeys.p12 -srcstoretype PKCS12 -srcstorepass 123456 -alias applet

Let's go through each switch in the above command (keytool -help and man keytool list them):
keytool is the Java keytool application we are using to perform the function.
-importkeystore tells keytool we are importing entries from another keystore; it takes no value and only selects the sub-command we are performing.
-deststoretype JKS forces the destination format. Java 8 and earlier create JKS by default, but since Java 9 the default keystore type is PKCS12, so without this switch a newer keytool would silently write another PKCS12 file named myKeys.jks and nothing would have been converted.
-deststorepass 123456 is the password (123456) of the destination jks keystore we are converting to. It is a placeholder; pick a real password and keep it out of version control.
-destkeypass 123456 is the password protecting the private key entry inside the destination. In a PKCS12 keystore the key password and the store password must be the same (keytool warns and ignores a different -keypass); JKS allows them to differ, but keeping them equal avoids surprises in applications that only know one password.
-destkeystore myKeys.jks is the path to the Java keystore we will be creating. It holds your private key once the import finishes, so give it the same restrictive file permissions as johnghawi.com.key.
-srckeystore myKeys.p12 is the path of the openssl p12 keystore we created earlier.
-srcstoretype PKCS12 is the keystore type of the source openssl keystore we are importing from.
-srcstorepass 123456 is the password that opens the openssl p12 keystore; it must match the export password you gave openssl in step 2.
-alias applet selects the entry to import; it is the friendlyName set with -name in step 2. If you omit -name, OpenSSL sets no friendlyName and keytool shows the entry as '1', which is what most people end up with. Give it something meaningful so you recognise it when you read the keystore at a later date.
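As an added end-to-end example (not code from the original post), here is a POSIX shell script that runs the three steps offline. Since a public CA cannot be called from a script, it stands up a throwaway two-tier demo CA (a root and an intermediate, both invented here) to issue the johnghawi.com certificate, bundles the chain, packs everything into the .p12 with -chain, checks that the .p12 really carries host, intermediate and root, and, when keytool is installed, converts to .jks and lists the result. The CA names, the extension files, the working directory and the password 123456 are demo assumptions.

```shell
#!/bin/sh
# Added end-to-end demo of the post's three steps. The two-tier CA (root and
# intermediate) is constructed here only so the chain can be built offline;
# in real life the CA issues the host certificate from your CSR.
set -eu

PASS=123456          # placeholder password from the post; use a real one
HOST=johnghawi.com   # host name used in the post
ALIAS=applet         # friendlyName in the .p12, alias in the .jks

# Step 1: key, CSR and a certificate chain (root -> intermediate -> host).
build_demo_chain() {   # $1 = working directory
    d=$1
    mkdir -p "$d"
    # Extension files for the demo CA certificates and for the host certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" > "$d/host.ext"

    # Demo root CA: self-signed.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
        -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null
    # Demo intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -extfile "$d/ca.ext" -out "$d/intermediate.cer" 2>/dev/null

    # The host key and CSR exactly as in the post; the demo intermediate plays the CA.
    openssl genrsa -out "$d/$HOST.key" 2048 2>/dev/null
    chmod 600 "$d/$HOST.key"
    openssl req -new -key "$d/$HOST.key" -subj "/CN=$HOST" -out "$d/$HOST.csr"
    openssl x509 -req -in "$d/$HOST.csr" -CA "$d/intermediate.cer" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 365 -extfile "$d/host.ext" -out "$d/$HOST.cer" 2>/dev/null

    # Bundle: the issuer of the host certificate first, the root last, never the host cert.
    cat "$d/intermediate.cer" "$d/root.cer" > "$d/chain-bundle.cer"
    # Prove the chain closes before packing it; this fails loudly if an intermediate is missing.
    openssl verify -CAfile "$d/root.cer" -untrusted "$d/intermediate.cer" "$d/$HOST.cer" >/dev/null
}

# Step 2: pack key + host cert + chain into a PKCS#12 file; -chain pulls the
# intermediate and root out of chain-bundle.cer.
build_p12() {   # $1 = working directory
    openssl pkcs12 -export -in "$1/$HOST.cer" -name "$ALIAS" -CAfile "$1/chain-bundle.cer" -chain \
        -inkey "$1/$HOST.key" -passout "pass:$PASS" -out "$1/myKeys.p12"
}

# How many certificates ended up in the .p12 (host + intermediate + root = 3 here).
count_p12_certs() {   # $1 = working directory
    openssl pkcs12 -in "$1/myKeys.p12" -passin "pass:$PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Step 3: convert with keytool. -deststoretype JKS matters on Java 9+, where the
# default keystore type is PKCS12 and the "conversion" would otherwise be a no-op.
convert_to_jks() {   # $1 = working directory; skips with status 0 if keytool is absent
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping JKS conversion" >&2
        return 0
    fi
    keytool -importkeystore -deststoretype JKS \
        -deststorepass "$PASS" -destkeypass "$PASS" -destkeystore "$1/myKeys.jks" \
        -srckeystore "$1/myKeys.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" -alias "$ALIAS"
    chmod 600 "$1/myKeys.jks"   # it holds the private key now
    # Expect one PrivateKeyEntry with "Certificate chain length: 3".
    keytool -list -v -keystore "$1/myKeys.jks" -storepass "$PASS" \
        | grep -E 'Alias name|Entry type|Certificate chain length'
}

run_demo() {   # $1 = working directory
    build_demo_chain "$1"
    build_p12 "$1"
    echo "certificates in myKeys.p12: $(count_p12_certs "$1")"
    convert_to_jks "$1"
}

# Usage: sh p12_to_jks_demo.sh run ./demo-keystore
if [ "${1:-}" = run ]; then
    run_demo "${2:-./demo-keystore}"
fi
```

The certificate count from count_p12_certs is the check worth keeping in a real pipeline: if it comes back as 1, the -CAfile bundle was wrong or -chain was forgotten, and clients will see an incomplete chain. One compatibility caveat: OpenSSL 3 protects .p12 files with PBES2/AES-256 by default, and older keytool releases cannot open those; if keytool rejects the file, add -legacy to the openssl pkcs12 -export command.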

If you've got any questions, feel free to use the comment section below.