Thursday, June 23, 2011

Importing an existing SSL key/certificate pair into a Java keystore

I'm writing this blog post in case anyone else has to Google that. In Java 6 keytool has been improved so that it now becomes possible to import an existing key and certificate (say one you generated outside of the Java world) into a keystore.

You need: Java 6 and openssl.

1. Suppose you have a certificate and key in PEM format. The key is named host.key and the certificate host.crt.

2. The first step is to convert them into a single PKCS12 file using the command: openssl pkcs12 -export -in host.crt -inkey host.key > host.p12. You will be asked for various passwords (the password to access the key (if set) and then the password for the PKCS12 file being created).

3. Then import the PKCS12 file into a keystore using the command: keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12. You now have a keystore named host.jks containing the certificate/key you need.

For the sake of completeness here's the output of a full session I performed:
$ openssl pkcs12 -export -in host.crt -inkey host.key > host.p12
Enter pass phrase for host.key:
Enter Export Password:
Verifying - Enter Export Password:
$ keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks
-srcstoretype pkcs12
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed
or cancelled


Rajat Nair said...

Thanks a lot for this.

So many guides online and this is simplest one which explains how to create a JKS file from an valid/existing certificate. Most guides presume that a self-signed certificate is used.

Bartosz Lach said...


Raymond Rugemalira said...

Well written instructions. Thank you.

Tommy said...

This was short, easy to understand and most importantly worked. Thank you so much.