Home > SSL > How to convert PFX certificate to JKS format

How to convert PFX certificate to JKS format

Use ikeyman.bat provided by IBM as  part of Websphere and other IBM products, or similar key management utility for your Java platform. It has capability to import PKCS12 certificates (which exactly what PFX is) and save it as Java Key Store.

Or Another possible way consists of 3 steps conversion: (prerequisite – having JDK installed on the machine) :

1.  Extract from PFX file key and cert in PEM format   

 openssl pkcs12 -nocerts -in %_PFXFILE% -out %_KEYPEM% -passin pass:%_PASSWD% -passout pass:%_PASSWD%    
openssl pkcs12 -clcerts -nokeys -in %_PFXFILE% -out %_CERTPEM% -passin pass:%_PASSWD

2.  Convert both cert and key from PEM to DER format     

 openssl pkcs8 -topk8 -nocrypt -in %_KEYPEM% -inform PEM -out %_KEYDER% -outform DER -passin pass:%PASSWD%

 openssl x509 -in %_CERTPEM% -inform PEM -out %_CERTDER% -outform DER

3. Use java code to combine Cert and Key to JKS store format 


To automate this process I have created batch utility you could use.
Download “How to convert PFX to JKS.doc” file from the right side bar Box.net widget, extract all the files in the attachement, and set JAVA_HOME to your JDK installation, then run the bat file:

>pfx2jks.bat <pfxFile> <pfxPassword> <JksPassword>


pfxFile – pfx file you would like to convert
pfxPassword – password set on pfx file (provided to you along with pfx)
jksPassword – password you would like to set on JKS store

Here is the sample output:

C:\certtests\pfx2jks>set JAVA_HOME=c:\IBM\WID62\jdk

C:\certtests\pfx2jks>PFX2JKS.bat ..\certs\intesbtest.pfx xxxx  testjks

 Using JAVA_HOME: c:\IBM\WID62\jdk

Converting: C:\certtests\certs\intesbtest.pfx

To JKS store: C:\certtests\certs\intesbtest.jks

With Password: xxxx

MAC verified OK

Key extracted in PEM format

MAC verified OK

Cert extracted in PEM format

Key converted to DER format

Cert converted to DER format

Using keystore-file : C:\certtests\certs\intesbtest.jks

One certificate, no chain.

Key and certificate stored.

Alias:intesbtest Password:testjks

Java Keystore C:\certtests\certs\intesbtest.jks was created successfully….. with password testjks

More useful SSL information on http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Categories: SSL Tags: , , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: