
Importing an SSL certificate into a Java Keystore via a PKCS12 file

Here are the instructions on how to import an SSL certificate into the Java Keystore from a PKCS12 (.pfx or .p12) file.

  1. Create a new keystore
    1. Navigate to C:\Program Files\Java\jdk_xxxx\bin\ via command prompt
  2. Execute: keytool -genkey -alias mycertificate -keyalg RSA -keysize 2048 -keystore mykeystore
    1. When prompted for the keystore password, use the same password/passphrase as the PKCS12 file
    2. What is your first and last name?  (should be the DNS name you’re going to use) [Unknown]:  server.mydomain.com
      What is the name of your organizational unit? [Unknown]: MyCompanysITDepartment
      What is the name of your organization?  [Unknown]:  MyCompany
      What is the name of your City or Locality?  [Unknown]:  CITY
      What is the name of your State or Province?  [Unknown]:  STATE
      What is the two-letter country code for this unit?  [Unknown]:  US
      Is CN=……………………………….. correct?  [no]:  yes
      Enter key password for <mycertificate>
      (RETURN if same as keystore password): Hit Return/Enter
  3. Empty the keystore
    1. Execute via command prompt: keytool -delete -alias mycertificate -keystore mykeystore
    2. Ensure nothing is in the keystore by executing: keytool -v -list -keystore mykeystore
  4. Import the PKCS12 File
    1. Execute via command prompt: keytool -v -importkeystore -srckeystore whateverthefileis.p12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
    2. Enter the PKCS12 password/passphrase for both the Source and Destination password.

Generating a PKCS12 file with openSSL

  1. Generate the CSR
    1. openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
  2. Sign the CSR with your Certificate Authority
    1. Send the CSR (or the text from the CSR file) to VeriSign, GoDaddy, Digicert, an internal CA, etc.
  3. Download the CRT
    1. Grab a copy of the signed certificate from your CA and place both the signed certificate and the CA chain certificate in the same folder as your CSR
  4. Create the PKCS#12 file (.pfx .p12)
    1. openssl pkcs12 -export -out nameofpkcsfilewearegoingtogenerate.pfx -inkey yourdomain.key -in publiccertfromCA.crt -certfile CAcertificatechain.crt
    2. Enter a password that will be used to protect the private key inside your PKCS#12 file

That’s all there is to it!

Note: If you have multiple certificate authorities, you will have to create a certificate chain.  Use the following command for Step 4:

openssl.exe pkcs12 -export -in publiccertfromCA.crt -inkey yourdomain.key -name "MyCertYouCanChangeThisToWhateverItsAnAliasFriendlyName" -chain -CAfile certs.pem -passout pass:testpassword -out nameofpkcsfilewearegoingtogenerate.pfx

The certs.pem file contains your certificate authority certificates in order, the intermediate authorities first and the root authority last:

-----BEGIN CERTIFICATE-----
INTERMEDIATECERTIFICATEBASE64STUFFHERE.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTCERTIFICATEBASE64STUFFHERE.crt
-----END CERTIFICATE-----
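The following script is an added example, not part of the original post, that runs both procedures above end to end in a POSIX shell: it builds a certs.pem in the order just described (intermediate first, root last), exports the key and certificate into a PKCS#12 file with -chain, imports that file into a JKS keystore with keytool, and then checks what landed in the keystore. Because nothing here can talk to a real CA, it constructs a throw-away root / intermediate / server chain with openssl in place of the certificate your CA would return; every file name, subject name and the passphrase are placeholders chosen for this example. It assumes openssl and keytool are on PATH. One deliberate departure from the note's command: the passphrase is handed to openssl via -passout file: and to keytool via its :file password modifier rather than -passout pass:testpassword, because a password on the command line is visible to every local user in the process list and is saved in shell history.

```shell
#!/bin/sh
# Added example (not from the original post): key + CA-signed cert + CA chain
# -> PKCS#12 -> Java keystore, with checks on the result.
# Assumptions: openssl and keytool on PATH; all names/files below are placeholders.
set -eu

# Constructed stand-in for steps 1-3: a demo root -> intermediate -> server chain,
# so the script runs offline. In practice the server cert and chain come from your CA.
build_demo_chain() {
    dir=$1
    # Root CA, self-signed (openssl req -x509 marks it CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA: CSR signed by the root, with CA:TRUE so it may issue certs.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null
    # Server key + CSR (step 1 of the post), signed by the intermediate (step 2).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.mydomain.com" \
        -keyout "$dir/yourdomain.key" -out "$dir/yourdomain.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/yourdomain.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/publiccertfromCA.crt" 2>/dev/null
    # certs.pem: intermediate first, root last, the order the post describes.
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/certs.pem"
}

# Step 4: build the PKCS#12. The passphrase is read from a mode-600 file
# (-passout file:) instead of being placed on the command line.
export_pkcs12() {
    dir=$1
    umask 077
    printf '%s\n' 'Demo-P12-Passphrase' > "$dir/p12pass.txt"   # constructed demo passphrase
    openssl pkcs12 -export -in "$dir/publiccertfromCA.crt" -inkey "$dir/yourdomain.key" \
        -name "server.mydomain.com" -chain -CAfile "$dir/certs.pem" \
        -passout "file:$dir/p12pass.txt" -out "$dir/server.p12"
}

# Certificates inside the PKCS#12 (expect 3 once -chain has pulled in the CA chain).
pkcs12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Import into a JKS keystore (the post's "Import the PKCS12 File" step).
# keytool reads the passwords from the file via its :file modifier; recent JDKs
# warn that JKS is proprietary and suggest PKCS12, but still create the store.
import_into_jks() {
    dir=$1
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/server.p12" -srcstoretype PKCS12 -srcstorepass:file "$dir/p12pass.txt" \
        -destkeystore "$dir/mykeystore.jks" -deststoretype JKS -deststorepass:file "$dir/p12pass.txt"
}

# PrivateKeyEntry lines in the keystore (expect 1 after a successful import).
private_key_entries() {
    keytool -list -keystore "$1" -storetype JKS -storepass:file "$2" 2>/dev/null \
        | grep -c 'PrivateKeyEntry' || true
}

# Chain length stored with the key (expect 3: server, intermediate, root).
stored_chain_length() {
    keytool -list -v -keystore "$1" -storetype JKS -storepass:file "$2" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

main() {
    work=$(mktemp -d)
    build_demo_chain "$work"
    export_pkcs12 "$work"
    echo "certificates in PKCS#12: $(pkcs12_cert_count "$work/server.p12" "$work/p12pass.txt")"
    import_into_jks "$work"
    echo "private key entries in JKS: $(private_key_entries "$work/mykeystore.jks" "$work/p12pass.txt")"
    echo "stored chain length: $(stored_chain_length "$work/mykeystore.jks" "$work/p12pass.txt")"
    echo "work dir: $work"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh pkcs12_to_jks.sh run`; the work directory it prints holds certs.pem, server.p12 and mykeystore.jks for inspection with `keytool -v -list`. The chain-length check is the one worth keeping in a real deployment: a keystore that lists the server certificate but reports a chain length of 1 means certs.pem was incomplete or in the wrong order, and clients will fail to validate the server even though the import "succeeded".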