Posts Tagged ‘pkcs12’

How to convert PFX certificate to JKS format

October 12, 2010 Leave a comment

Use ikeyman.bat provided by IBM as  part of Websphere and other IBM products, or similar key management utility for your Java platform. It has capability to import PKCS12 certificates (which exactly what PFX is) and save it as Java Key Store.

Or Another possible way consists of 3 steps conversion: (prerequisite – having JDK installed on the machine) :

1.  Extract from PFX file key and cert in PEM format   

 openssl pkcs12 -nocerts -in %_PFXFILE% -out %_KEYPEM% -passin pass:%_PASSWD% -passout pass:%_PASSWD%    
openssl pkcs12 -clcerts -nokeys -in %_PFXFILE% -out %_CERTPEM% -passin pass:%_PASSWD

2.  Convert both cert and key from PEM to DER format     

 openssl pkcs8 -topk8 -nocrypt -in %_KEYPEM% -inform PEM -out %_KEYDER% -outform DER -passin pass:%PASSWD%

 openssl x509 -in %_CERTPEM% -inform PEM -out %_CERTDER% -outform DER

3. Use java code to combine Cert and Key to JKS store format 


To automate this process I have created batch utility you could use.
Download “How to convert PFX to JKS.doc” file from the right side bar widget, extract all the files in the attachement, and set JAVA_HOME to your JDK installation, then run the bat file:

>pfx2jks.bat <pfxFile> <pfxPassword> <JksPassword>


pfxFile – pfx file you would like to convert
pfxPassword – password set on pfx file (provided to you along with pfx)
jksPassword – password you would like to set on JKS store

Here is the sample output:

C:\certtests\pfx2jks>set JAVA_HOME=c:\IBM\WID62\jdk

C:\certtests\pfx2jks>PFX2JKS.bat ..\certs\intesbtest.pfx xxxx  testjks

 Using JAVA_HOME: c:\IBM\WID62\jdk

Converting: C:\certtests\certs\intesbtest.pfx

To JKS store: C:\certtests\certs\intesbtest.jks

With Password: xxxx

MAC verified OK

Key extracted in PEM format

MAC verified OK

Cert extracted in PEM format

Key converted to DER format

Cert converted to DER format

Using keystore-file : C:\certtests\certs\intesbtest.jks

One certificate, no chain.

Key and certificate stored.

Alias:intesbtest Password:testjks

Java Keystore C:\certtests\certs\intesbtest.jks was created successfully….. with password testjks

More useful SSL information on

Categories: SSL Tags: , , , ,

Convert PFX certificate to PEM format

October 12, 2010 Leave a comment

PEM format is widely used by PHP applications and by LoadRunner scripts. To convert PFX /PKCS12 formatted certificate use OpenSSL tool:

openssl pkcs12 -in c:\pathTo\cert.pfx -out c:\pathTo\cert.pem

Cool SSL site and tools

Categories: SSL Tags: , ,

Renew certificate in Websphere keystore while retaining same alias

October 12, 2010 3 comments

Renewing expired SSL certificates in Websphere in some cases is problematic. There are not many functions available for manipulating aliases in keystores using Websphere admin console. And if certificate alias is used throughout your infrastructure mappings – for example in SSL Configurations and web chains fixing the entries with new alias could be cumbersome. Below are few easy steps to renew/replace ssl certificate in keystore while retaining same alias. General idea is to manipulate keystore and truststore using iKeyman utility instead of websphere admin console.

  1. Copy key.p12 and trust.p12 from Deployment Manager config (<DeploymentManager_profile\>config\cells\<cell_name>) to some separate backup directory
  2. Start iKeyman.bat uitlity from \bin directory in Deployment manager profile
  3. Open key.p12 from the backup directory and delete the certificate that you would like to replace in “Personal Certificates”
  4. Now import the new obtained from CA certificate to keystore “Personal Cerificates”
  5. When prompted to change label (it is GUID in case of Microsoft CA issuer), give it the same alias name as it was before. Click “Apply”, and “OK”
  6. You will see the new certificate with proper alias in the list of “Personal Certificates”
  7. Save the key.p12 file changes

Repeat same steps with trust.p12 file, but use .cer file instead of .pfx to import just public certificate part. And use “Signer Certificates”  folder instead of  “Personal Certificates”

Now that you have prepared both key.12 and trust.p12 files :

  1.  Stop Deployment Manager\
  2. Copy new key.p12 and trust.p12 files to Deployment Manager config (<DeploymentManager_profile\>config\cells\<cell_name>)
  3. Start Deployment manager

And if you have option “Synchronize nodes on startup”  you are done and could verify the new certificates in Websphere console. If not just synchronize the nodes and they will get the updated key and trust files.

Error Importing PKCS12/ PFX Certificate to Websphere 6.1 and Establishing Handshake

October 15, 2009 Leave a comment

Having spent few hours debugging handshake between WESB and WAS server in the backend, we found out that the problem was with the root CA certificate key size  -it was 4K, while WAS policy files restrict it to 1K.

One of the symptoms was that when trying to import certificate generated by our local Enterprise Microsoft CA Server to Websphere Server we’ve got errors described below. Both importing from WAS console and through ikeyman.bat gave errors: “Database is corrupted” and “Could not open keystore“.

Trying to see the content of this PFX file using keytool
\java\jre\bin>keytool -list -v -keystore test.pfx -storetype pkcs12 -storepass test

Also ended up in error “ Error in loading the keystore: Private key decryption error: ( Illegal key size)

The issue appeared to boil down to a problem with the Java security policy files and thier ‘restricted’ and ‘unrestricted’ flavours and the size of the keys used by our local CA.

Downloading the unrestricted JCE policy files for IBM JVM 1.4.2+ (US_export_policy.jar and local_policy.jar) and replacing them in WAS JVM worked like a charm.

Resolution steps for WAS 6.1:

    • Go to the developerWorks Java Technology Security page at URL: Java Technology Security
    • Click on the “J2SE 5.0” link for WebSphere Application Server 6.1.xx
    • Scroll down on the resulting page and click on the “IBM SDK Policy files” link.
    • Select “Unrestricted JCE Policy files for SDK for all newer versions 1.4.2+” and download them
    • Extract the local_policy.jar and US_export_policy.jar files from the archive.
    • Stop the application server
    • Back up the local_policy.jar and US_export_policy.jar files located in the following directory: \java\jre\lib\security\
    • Place the new files, previously downloaded to \java\jre\lib\security\
    • Start the server

Now you will be able to open it with ikeyman and from admin console