Create java keystore file from EXISTING private key and certificate

If you start googling this topic, most of the pages you find will tell you that it is not possible to import a private key into a Java keystore. The usual suggestion is to compile a "magic" file named ImportKey.java and use it to import the private key and certificate from DER format. This is ugly, because I usually have only 2 files on the server (key and certificate) plus an installed Java, so I want to use standard tools.

I found only one resource that explained how to import a private key: http://nsayer.blogspot.com/2010/02/import-private-key-into-java-keystore.html. But for some reason that article didn't cover how to create the PKCS12 file. So here are the instructions:

Suppose you have private.key and cert.crt in PEM format, signed by an authority or obtained externally. First, export them into PKCS12 format:

openssl pkcs12 -export -in cert.crt -inkey private.key -certfile cert.crt -name "My certificate" -out keystore.p12

Next, use the Java keytool command to create a keystore in JKS format (or any other format that keytool supports):

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

That's it. You now have it in the format that Java needs.
Compare this, for instance, with the "old style" suggestions, which require converting to DER format and then using a compiled Java class to import into the keystore: http://www.agentbob.info/agentbob/79-AB.html
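
The two steps above as an added shell example (not part of the original post): it checks that the key and certificate belong together, sets the alias explicitly, and passes passwords through environment variables instead of the command line. The function names, the alias "server" and the variables P12_PASS and JKS_PASS are assumptions of this example, and the private key is assumed to be unencrypted PEM.

```shell
#!/usr/bin/env bash
# Added example: PEM key + cert -> PKCS#12 -> JKS with pre-flight checks.
# Export P12_PASS and JKS_PASS first (assumed names); they are read from the
# environment so the passwords never show up in the process list.

# Succeeds only when the private key and the certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert private.key cert.crt
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Step 1 from the article, with an explicit alias and export password.
make_p12() {  # usage: make_p12 private.key cert.crt alias out.p12
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    ( umask 077   # the output contains the private key: owner-only permissions
      openssl pkcs12 -export -in "$2" -inkey "$1" -name "$3" \
          -out "$4" -passout env:P12_PASS )
}

# Prints the alias (friendlyName) stored in a PKCS#12 file.
p12_alias() {  # usage: p12_alias in.p12
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Step 2 from the article; alias kept, store and key password both JKS_PASS.
p12_to_jks() {  # usage: p12_to_jks in.p12 alias out.jks
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env P12_PASS \
        -srcalias "$2" -destalias "$2" \
        -destkeystore "$3" -deststoretype JKS \
        -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS
}

# Typical run:
#   make_p12 private.key cert.crt server keystore.p12
#   p12_to_jks keystore.p12 server keystore.jks
#   keytool -list -keystore keystore.jks -storepass:env JKS_PASS
```

The final `keytool -list` call prints the alias and entry type, which is the value a server configuration such as Tomcat's asks for.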

17 comments

  1. Thank you! this was helpful; have to search so much to figure this out

  2. I also searched for how to make it possible to import private key. And I agree with you that most of result ultimately told me that it is not possible to import private key into java keystore. But thanks for using this information here. It's quite helpful.

  3. Sir, on using the command:
    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JK
    it is given the following exception:
    keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

  4. Hmm... quite strange. Could it be that you have a password on the keystore and didn't specify it in the line? In this case there could be unpredictable errors from keytool.

  5. Sir, I tried again and the problem is solved. A really good tutorial. Sir, do you know about Java Card programming?
    I really need help with that but could not find any online help regarding security on Java Card.

  6. This is the best solution I found. I was working on this issue for a few days until I found this site, which resolved my problem in a few minutes

    many many thnx

  7. Oohh, it works for me. Many thanks.

  8. My friend!, this is just "the solution", without unnecessary comments. Thank you. Regards!

  9. Awesome.. thanks. It worked for me..

  10. Thank you so much, you have saved me countless hours of researching this issue. Much appreciated!!!

  11. This was spot on :) , very helpful . Thank you .

  12. I wasted 1 day before I stumbled upon your page - Super job, thanks a lot

  13. Hi
    In order to configure Tomcat, I need an alias and a password, but I don't know what the alias is. Could you help me, please? I tried using "My Certificate" and leaving it blank, but it doesn't work for me.

  14. Thank you thank you thank you! Worked right away!

  15. Thanks a lot, man. You made my day.
