Create java keystore file from EXISTING private key and certificate

If you start googling the topic, most of the pages you find will tell you that it is not possible to import a private key into a Java keystore. The usual suggestion is to compile a "magic" file named ImportKey.java and use it to import the private key and certificate from DER format. This is ugly because I usually have only 2 files on the server (key and certificate) and Java installed, so I want to use standard tools.

I found only one resource that explained how to import a private key: http://nsayer.blogspot.com/2010/02/import-private-key-into-java-keystore.html. But for some reason that article didn't cover how to create the pkcs12 file. So here are the instructions:

Suppose you have private.key and cert.crt in PEM format, signed by a certificate authority or obtained externally. First, export them into pkcs12 format:

openssl pkcs12 -export -in cert.crt -inkey private.key -certfile cert.crt -name "My certificate" -out keystore.p12

Next, use the Java keytool command to create a keystore in JKS format (or any other format that keytool supports):

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

That's it. You now have the keystore in the format Java needs.
Compare this, for instance, with the "old style" suggestions that require converting to DER format and then using a compiled Java class to import into the keystore: http://www.agentbob.info/agentbob/79-AB.html
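
The two steps above as a non-interactive script, added here as an example (not code from the original post): it checks that the key and certificate belong together, takes the keystore password from an environment variable instead of a prompt, and prints the alias stored in the PKCS12 file. The STOREPASS variable, the function names and the throwaway self-signed demo certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# STOREPASS, the function names and the demo certificate are assumptions.

# Succeed only if the certificate carries the public key of the private key.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# PEM key + cert -> PKCS12. The password comes from $STOREPASS (env:), so it
# is not visible in the process list. The post's -certfile is left out
# because it names the same certificate as -in.
make_p12() {           # make_p12 <key.pem> <cert.pem> <alias> <out.p12>
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    ( umask 077; openssl pkcs12 -export -in "$2" -inkey "$1" -name "$3" \
        -passout env:STOREPASS -out "$4" )
}

# Print the alias (friendlyName) stored in a PKCS12 file.
p12_alias() {          # p12_alias <in.p12>
    openssl pkcs12 -in "$1" -nokeys -passin env:STOREPASS 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# PKCS12 -> JKS, same password for store and key, no prompts.
p12_to_jks() {         # p12_to_jks <in.p12> <out.jks>
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env STOREPASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env STOREPASS
}

# Demo on a throwaway self-signed certificate (constructed sample input).
# Try it: demo "$(mktemp -d)"   -> prints: My certificate
demo() {               # demo <empty work dir>
    ( cd "$1" && export STOREPASS='changeit-demo' &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
          -keyout private.key -out cert.crt 2>/dev/null &&
      make_p12 private.key cert.crt "My certificate" keystore.p12 &&
      p12_alias keystore.p12 )
}
```

JKS lower-cases aliases, so `keytool -list` on keystore.jks shows this entry as `my certificate` (lookups are case-insensitive). Since Java 9, keytool also prints a warning that JKS is a proprietary format when writing it.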


  1. Thank you! This was helpful; had to search so much to figure this out

  2. I also searched for how to make it possible to import a private key. And I agree with you that most of the results ultimately told me that it is not possible to import a private key into a Java keystore. But thanks for using this information here. It's quite helpful

  3. Sir on using the command:
    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JK
    it gives the following exception:
    keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

  4. Hmm.. quite strange. Could it be that you have a password on the keystore and didn't specify it in the line? In this case there could be unpredictable errors from keytool.

  5. Sir, I tried again and the problem is solved. A really good tutorial. Sir, do you know about Java Card programming?
    I really need help with that but could not find any online help regarding security on Java Card.

  6. This is the best solution I found. I was working on this issue for a few days until I found this site, which resolved my problem in a few minutes

    Many many thanks

  7. Ooh, it works for me. Many thanks.

  8. My friend!, this is just "the solution", without unnecessary comments. Thank you. Regards!

  9. Awesome.. thanks. It worked for me..

  10. Thank you so much, you have saved me countless hours of researching this issue. Much appreciated!!!

  11. This was spot on :) , very helpful . Thank you .

  12. I wasted 1 day before I stumbled upon your page - Super job, thanks a lot

  13. Hi
    In order to configure Tomcat, I need an alias and a password, but I don't know what the alias is. Could you help me please? I tried using "My Certificate" and leaving it blank, but for me it doesn't work.