How to convert .pfx file to keystore with private key?

keytool import pfx certificate to keystore
import private key and certificate into java keystore using keytool
convert certificate from pfx to jks format
convert pfx to jks keystore explorer
keytool -import pfx to cacerts
convert certificate to jks
keytool -import pfx to cacerts
import pfx certificate into tomcat

I need to sign Android application (.apk). I have .pfx file. I converted it to .cer file via Internet Explorer and then converted .cer to .keystore using keytool. Then I've tried to sign .apk with jarsigner but it says that .keystore doesn't content a private key.

What I'm doing wrong?

Using JDK 1.6 or later

It has been pointed out by Justin in the comments below that keytool alone is capable of doing this using the following command (although only in JDK 1.6 and later):

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 
-destkeystore clientcert.jks -deststoretype JKS

Using JDK 1.5 or below

OpenSSL can do it all. This answer on JGuru is the best method that I've found so far.

Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed as I found with Mac OS X.

The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:

openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"

NOTE that the name provided in the second command is the alias of your key in the new key store.

You can verify the contents of the key store using the Java keytool utility with the following command:

keytool -v -list -keystore mykeystore.p12 -storetype pkcs12

Finally if you need to you can convert this to a JKS key store by importing the key store created above into a new key store:

keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS

Converting .pfx Files to .jks Files, DigiCert provides information on how to remove your certificates and private key from a .pfx file and merge them into a Java, Oracle, or Keytool SSL Keystore. What is Java KeyStore file? JKS also similar to PFX file, It is a repository to store the certificates and private keys. But the JKS files are very specific to Java and its applications.

jarsigner can use your pfx file as the keystore for signing your jar. Be sure that your pfx file has the private key and the cert chain when you export it. There is no need to convert to other formats. The trick is to obtain the Alias of your pfx file:

 keytool -list -storetype pkcs12 -keystore your_pfx_file -v | grep Alias

Once you have your alias, signing is easy

jarsigner.exe -storetype pkcs12 -keystore pfx_file jar_file "your alias"

The above two commands will prompt you for the password you specified at pfx export. If you want to have your password hang out in clear text use the -storepass switch before the -keystore switch

Once signed, admire your work:

jarsigner.exe -verify -verbose -certs  yourjarfile

Steps to create a .jks keystore from .pfx file, So, now your PFX file contains the private key along with the other public certificates. You need to convert the pfx file to .jks to use with� Go to the.pfx folder location. Now type the below command to extract the private key from pfx file. openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key] The explanation for this command, this command extract the private key from the.pfx file.

I found this page which tells you how to import a PFX to JKS (Java Key Store):

keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME

How do I convert my .pfx file to a Java Keystore?, Using Keytool run the following command below: keytool -importkeystore - srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks� The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store: openssl pkcs12 - in mypfxfile.pfx - out mypemfile.pem openssl pkcs12 - export - in mypemfile.pem - out mykeystore.p12 -name "MyCert" NOTE that the name provided in the second command is the alias of your key in the new key store.

How to import certificates and a private key entry from the ".PFX" file , PFX" file into a keystore? Article. To import a private key entry and certificates into a kesytore file, you can execute the following command using� .pfx files are Windows certificate backup files that combine your SSL Certificate's public key and trust chain with the associated private key. To convert your certificates to a format that is usable by a Java-based server, you need to extract the certificates and keys from the .pfx file using OpenSSL, and then import the certificates to keystore using keytool.

Justin(above) is accurate. However, keep in mind that depending on who you get the certificate from (intermediate CA, root CA involved or not) or how the pfx is created/exported, sometimes they could be missing the certificate chain. After Import, You would have a certificate of PrivateKeyEntry type, but with a chain of length of 1.

To fix this, there are several options. The easier option in my mind is to import and export the pfx file in IE(choosing the option of Including all the certificates in the chain). The import and export process of certificates in IE should be very easy and well documented elsewhere.

Once exported, import the keystore as Justin pointed above. Now, you would have a keystore with certificate of type PrivateKeyEntry and with a certificate chain length of more than 1.

Certain .Net based Web service clients error out(unable to establish trust relationship), if you don't do the above.

Convert PFX Certificate to JKS, P12, CRT, First, let's generate a key from the PFX file; this key is later used for p12 keystore. openssl pkcs12 -in example.pfx -nocerts� Importing a server certificate (private key, public key, identity certificate, etc.) from a PFX file to a JKS file so that it can be used in the Java Key Store to set up WebLogic Server SSL. Sometimes the server certificate is in PFX format, and to utilize the same certificate in WebLogic Server, we need to export its certificates to a JKS file

Converting a Windows PFX or Windows PKCS12 keystore to a .JKS , KeyTool \- installed as part of the Java SDK; A PKCS12 file in .pfx or .p12 / 4217107/how-to-convert-pfx-file-to-keystore-with-private-key. I found this question Converting .PFX to .PEM programmatically? and I have same problem of programmatically export certificates and private key in pfx format from windows key store and convert the

How to transform PEM and PFX keystore in Public Key Cryptography , A PEM encoded file contains a private key or a certificate. PFX is a keystore format used by some applications. A PFX keystore can contain� Second case: To convert a PFX file to separate public and private key PEM files: Extracts the private key form a PFX to a PEM file: openssl pkcs12 -in filename.pfx -nocerts -out key.pem Exports the certificate (includes the public key only): openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem Removes the password (paraphrase) from

How to convert PFX to JKS file using Keytool?, PFX (PKCS#12) files, on the other hand, are not language-dependent way to store encrypted private keys and certificates, and it has been around� Once you enter this command, you will be prompted for the password, and once the password (in this case ‘password’) is given, the private key will be saved to a file by the named private_key.pem.

Comments
  • This can be useful: how can I find and run the keytool for Windows stackoverflow.com/questions/5488339/…
  • there is no need for all three steps, just run: keytool -importkeystore -srckeystore mykeystore.pxf -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS
  • I think that the older versions of keytool wouldn't let you do it. I remember that 8 years ago I'd have to run openssl but now with keytool in the Oracle JDK 6 and 7, it works like a charm, just like Justin said.
  • Please note I gave that answer in a simpler form with more detail a year before Justin.
  • @gjpc Noted. Your answer is very complete and deserves lots of up votes :)
  • This really is a great answer and it saved me after days of research. This answer really deserves many more upvotes. Thank you sir.
  • +1 for not having to convert the keystore file (I have it in enough formats already!)
  • This should be the complete answer!
  • I was looking for an answer like this one - with alias name
  • could you please tell me how can i import key.pem and cert.pem using keytool ?
  • Small addition : you have to add -nodes in the end when exporting private ky
  • This doesn't seem to work on IE11. It's failing to included the certificate chain even though I'm telling it to. I know this has worked in the past though.