A PFX (Personal Information Exchange) file is a PKCS #12 archive that bundles a certificate, usually its issuing chain, and the matching private key, all protected by one passphrase. Windows loves this format, but if we want to use the key from a Java program, we will need to convert it to a Java keystore (JKS).

Before we begin, make sure you have the Java runtime installed. I’m using Java 1.5.0_07, but 1.6 may work. I doubt 1.4 or below will work.

To make this easy, we are going to leverage a utility class, PKCS12Import, that is bundled with Jetty, a free Java web server. Download the latest stable version from their site, which at the time of writing is version 6.1.1; the jar name used in the commands below changes with the version.

Extract the zip file to a folder, then open a terminal and change into that folder and execute the following:

$ java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import

You should get a message that looks like this:

usage: java PKCS12Import {pkcs12file} [newjksfile]

If you don't see this exact message (a NoClassDefFoundError, or "Could not find or load main class" on newer Java, means the classpath does not point at the jar), make sure you are using a valid Java and Jetty version, that the jar name matches the version you extracted, and that you are in the Jetty folder. Moving on.

Now that things work, pass the path of the PFX file and the path of the keystore to create. You will be prompted for two passphrases: the first unlocks the PFX, the second protects the new keystore. They are prompted for rather than taken on the command line, so they stay out of your shell history and out of process listings.

$ java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import MyCert.pfx MyCert.jks
Enter input keystore passphrase: ******
Enter output keystore passphrase: ******

When it is all said and done, you should be looking at a shiny new Java keystore file. Verify it by running the following (keytool ships in the bin folder of the JDK and the JRE) and entering the output passphrase from above:

$ keytool -list -keystore MyCert.jks -v

Enter keystore password:  ******

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 29d1a9e13ca529ef1a32b1ea135b713_5a537e12-9c8e-833f-bb76-30ab870dd21
Creation date: Jan 1, 2007
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=XXXX, OU=IT, O=XXXX, L=XXXX, ST=XXXX, C=XXXX, EMAILADDRESS=XXXX
Issuer: CN=XXXX, O=IT, L=XXXX, ST=XXXX, C=XXXX, EMAILADDRESS=XXXX
Serial number: a0032c317ba3200000e1
Valid from: Mon Jan 1 00:00:00 CST 2007 until: Tue Jan 1 00:00:00 CST 2008
Certificate fingerprints:
         MD5:  B1:63:6A:2C:2E:97:A4:33:E9:61:98:01:CA:0B:74:91
         SHA1: 61:98:01:04:7D:33:6C:2E:97:A4:D2:C7:61:61:B1:63:6A:2C:2E:97

Your output may vary, but you should have a valid Java keystore in the end. A few things worth checking in that listing: the entry type is keyEntry (not trustedCertEntry), so the private key actually made it across; the validity dates are what you expect; and the chain length matches what your CA gave you. A chain length of 1 for a certificate whose Issuer differs from its Owner means the intermediate certificates were not exported along with the key, and TLS clients that don't already hold them will fail to validate the chain. The long alias is the friendly name Windows wrote into the PFX; keytool -changealias (Java 6 and later) renames it to something manageable. One more caveat: JKS protects private keys with a weak, proprietary scheme, which is why Java 9 made PKCS #12 the default keystore type, so treat the .jks with the same care as the .pfx (tight file permissions, no spare copies left in the Jetty folder). If a server later refuses the file with "Cannot recover key", the key entry was stored under a different password than the store; keytool -keypasswd fixes that. You can use keytool to merge this keystore into another existing keystore, but I'll leave that for another day.
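As an added example (my own code, not the Jetty class and not code from the original post), here is the same job done with only the JDK's KeyStore API: it loads the PFX, copies every private-key entry with its chain (and any loose CA certificates) into a JKS, and then prints what keytool -list -v would show, with an expiry flag and SHA-256 fingerprints instead of MD5/SHA1. Everything about its interface is assumed: the class name Pfx2Jks, the argument order (pfx, jks, optional short alias that replaces the Windows GUID alias), that an existing jks file is opened and extended rather than overwritten (the "merge" case the post defers), and that a Java 7 or later JDK is available for try-with-resources.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

/* Added example, not the Jetty utility: PKCS #12 -> JKS with the JDK's KeyStore API (Java 7+).
 * Hypothetical usage: java Pfx2Jks MyCert.pfx MyCert.jks [shortalias] */
public class Pfx2Jks {
    // One shared reader: a second BufferedReader on System.in could swallow the next line
    private static final BufferedReader STDIN = new BufferedReader(new InputStreamReader(System.in));

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java Pfx2Jks {pkcs12file} {jksfile} [alias]");
            System.exit(1);
        }
        char[] inPass = readPassphrase("Enter input keystore passphrase: ");
        char[] outPass = readPassphrase("Enter output keystore passphrase: ");
        try {
            KeyStore jks = convert(new File(args[0]), inPass, new File(args[1]), outPass,
                                   args.length > 2 ? args[2] : null);
            describe(jks);
        } finally {
            Arrays.fill(inPass, '\0');   // scrub the secrets once they are no longer needed
            Arrays.fill(outPass, '\0');
        }
    }

    /** Copies every private-key entry (with its chain) and any loose CA certs from the PFX into the JKS.
     *  If jksFile already exists it is opened and extended, i.e. this also covers the "merge" case. */
    static KeyStore convert(File pfx, char[] inPass, File jksFile, char[] outPass, String newAlias)
            throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream is = new FileInputStream(pfx)) {
            p12.load(is, inPass);   // a wrong passphrase fails here, before anything is written
        }
        KeyStore jks = KeyStore.getInstance("JKS");
        if (jksFile.exists()) {
            try (InputStream is = new FileInputStream(jksFile)) { jks.load(is, outPass); }
        } else {
            jks.load(null, outPass); // a null stream initialises an empty store
        }
        int keys = 0;
        for (Enumeration<String> e = p12.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (p12.isKeyEntry(alias)) {
                Key key = p12.getKey(alias, inPass);   // PKCS #12 keys use the file passphrase
                Certificate[] chain = p12.getCertificateChain(alias);
                if (chain == null || chain.length == 0) throw new KeyStoreException("no chain for " + alias);
                String target = newAlias != null ? newAlias : alias;   // replace the Windows GUID alias
                if (jks.containsAlias(target)) throw new KeyStoreException("alias already in output: " + target);
                // Key entry and store share outPass so a server configured with one password can open both
                jks.setKeyEntry(target, key, outPass, chain);
                keys++;
            } else if (p12.isCertificateEntry(alias) && !jks.containsAlias(alias)) {
                jks.setCertificateEntry(alias, p12.getCertificate(alias));
            }
        }
        if (keys == 0) throw new KeyStoreException("PFX holds no private key; nothing to convert");
        try (OutputStream os = new FileOutputStream(jksFile)) { jks.store(os, outPass); }
        return jks;
    }

    /** What "keytool -list -v" shows, plus an expiry flag and SHA-256 instead of MD5/SHA-1. */
    static void describe(KeyStore ks) throws Exception {
        System.out.println("Keystore type: " + ks.getType() + ", " + ks.size() + " entries");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            boolean isKey = ks.isKeyEntry(alias);
            Certificate[] chain = isKey ? ks.getCertificateChain(alias)
                                        : new Certificate[] { ks.getCertificate(alias) };
            System.out.println("Alias: " + alias + " (" + (isKey ? "keyEntry" : "trustedCertEntry")
                               + ", chain length " + chain.length + ")");
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  Owner:  " + x.getSubjectX500Principal().getName());
                System.out.println("  Issuer: " + x.getIssuerX500Principal().getName());
                System.out.println("  Valid:  " + x.getNotBefore() + " until " + x.getNotAfter()
                                   + (x.getNotAfter().before(new Date()) ? "  <-- EXPIRED" : ""));
                System.out.println("  SHA256: " + hex(MessageDigest.getInstance("SHA-256").digest(x.getEncoded())));
            }
        }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < b.length; i++) sb.append(i == 0 ? "" : ":").append(String.format("%02X", b[i]));
        return sb.toString();
    }

    /** No echo when a terminal is attached; plain stdin otherwise so the tool can be scripted. */
    static char[] readPassphrase(String prompt) throws IOException {
        Console console = System.console();
        if (console != null) return console.readPassword(prompt);
        System.out.print(prompt);
        String line = STDIN.readLine();
        if (line == null) throw new IOException("no passphrase supplied on stdin");
        return line.toCharArray();
    }
}
```

Compile with javac Pfx2Jks.java and run it exactly like the Jetty command, e.g. java Pfx2Jks MyCert.pfx MyCert.jks mycert. It refuses to overwrite an alias that already exists in the target store and stops before writing anything if the PFX passphrase is wrong or the file holds no private key, two failure modes the keytool listing alone would not explain. Passphrases are read with Console.readPassword so they are not echoed, and the fallback to plain stdin only kicks in when no terminal is attached.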


30 Comments

  1. It worked! You made my day, thanks.

    Comment by dayg — July 4, 2008 @ 7:10 am

  2. Thanks a lot. This helped me a lot, and Jetty too.

    Comment by Kasun — July 16, 2008 @ 1:05 am

  3. Very useful for me, thanks.

    Comment by Milos — October 13, 2008 @ 1:31 pm

  4. Thanks man !
    You saved my task from many days of searching, work and trouble.
    It worked, and the validation (i used org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory – with both truststore and keystore) passed in a blinking of an eye !

    Comment by mike — December 22, 2008 @ 9:31 am

  5. First of all thank you very much!

    I just followed your steps and it worked! But I want to verify it before I send it to my programmer, but the below command didn't work.
    keytool -list -keystore MyCert.jks -v

    Do I have to follow any special steps in it?
    By the way, I am using the "jetty-6.1.15.pre0" version.

    Comment by JOhn — January 28, 2009 @ 11:20 pm

  6. Nevermind!

    .NET bee and new to Java, so I got confused earlier. Worked for me, and thanks again for the good article.

    Comment by JOhn — January 28, 2009 @ 11:45 pm

  7. Thanks Chris,
    This is exactly what i was looking for.
    Simple, precise and easy to understand.

    Cheers mate.

    Comment by Dejan — February 22, 2010 @ 7:34 pm

  8. Thanks for this, but do you know how to change the alias to something a lot smaller and more manageable?

    Comment by Ben — March 12, 2010 @ 3:09 am

  9. Like a charm man, you saved me a lot of time.

    Thank you so much

    Comment by Óscar — April 12, 2010 @ 9:03 am

  10. Thanks a lot. You saved a lot of time. Can you please share the way to merge this new keystore into the existing one? I am working on JDK 1.5 and it does not have the importkeystore command like 1.6 has. Thanks in advance.

    Comment by RV — October 12, 2010 @ 4:15 pm

  11. […] one blogged here and […]

    Pingback by Conversion PFX to JKS (Java Key Store) using Jetty « Just Knowledge Briefs — November 8, 2010 @ 7:22 am

  12. […] http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores/ […]

    Pingback by screen-scrapeable » Using Client Certificates with screen-scraper — January 21, 2011 @ 6:20 pm

  13. Thanks a ton! Super easy and just what I was looking for. It’s a shame that Sun did not add this until JRE 1.6.

    Comment by dufftime — February 28, 2011 @ 10:35 am

  14. Thanks. Works nice.

    Comment by Petr — March 16, 2011 @ 10:59 am

  15. Awesome! Everything working!

    Comment by Roosewelt — March 18, 2011 @ 3:35 pm

  16. Great, it works! Thank you very much 🙂

    Comment by Tsvetan Vasilev — July 8, 2011 @ 2:39 am

  17. What is the default alias name?

    Comment by naga — July 20, 2011 @ 3:16 pm

  18. Hi,

    I am able to convert PFX to JKS. Thanks!

    However, can you tell me how to import JKS to cacerts. My java version is 1.5. The chain length of this JKS is 2.

    thank you.

    Comment by jfu — September 20, 2011 @ 11:36 am

  19. Hi jfu, I’ve never tried, but something like this might work:

    keytool -import -trustcacerts -alias "MyCert" -file CAcert.crt -keystore $JAVA_HOME/lib/security/cacerts
    

    Comment by Chris Barber — September 20, 2011 @ 12:03 pm

  20. Thank you very much for your reply.

    I have been working on the other project, so I did not come back to check the post. Now, I start to work on this project again.

    Yes, I did try to use keytool to import the JKS file I converted from PFX into the Java keystore cacerts, but I got java.lang.Exception: Input not an X.509 certificate

    Here is the command I used:

    keytool -import -trustcacerts -keypass mypass -file c:\java_home\jre\lib\security\myCert.jks -keystore c:\java_home\jre\lib\security\cacerts -storepass mypassword2

    Thank you.

    Comment by jfu — October 12, 2011 @ 5:15 pm

  21. brilliant, many thanks!

    Comment by René — November 8, 2011 @ 1:52 am

  22. Thanks Chris & Jetty... really useful

    Comment by Shailendra — January 13, 2012 @ 8:53 am

  23. How can I import a .pfx certificate into the Android keystore programmatically? Kindly email me the solution.

    Comment by salman — July 22, 2012 @ 10:44 pm

  24. To transfer the keys in one keystore to another:
    keytool -importkeystore -srcstorepass -srckeystore -destkeystore -storepass

    Comment by navid — August 3, 2012 @ 10:59 am

  25. very good advice!

    Comment by הסרת שיער — March 5, 2013 @ 6:53 am

  26. […] Source : http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores/ […]

    Pingback by Convertir un fichier PEM en JKS | Romgo's blog — August 21, 2013 @ 8:11 am

  27. After I generated the keystore, the only thing I had to do to make it trusted was import the chain certificate.

    Thank you.

    Comment by Alex — February 3, 2014 @ 3:00 pm

  28. You can also use keytool (starting from JDK 1.6) to import a PKCS12 file with the following command:

    keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

    http://wiki.eclipse.org/Jetty/Howto/Configure_SSL

    Comment by Alex — February 3, 2014 @ 7:05 pm

  29. Somehow keytool did not work for the conversion of the .pfx to .jks. Let me rephrase: it did convert the .pfx file to .jks, and I could use the keytool command to verify what was inside; however, the size of the .jks created by Jetty and by keytool was different, and the one created by Jetty worked for my application while the one created by keytool did not. This is weird, and keytool -list -v -keystore keystoreName -storepass pswd shows the same output for both JKS files.

    Comment by Deeps — October 9, 2014 @ 7:19 pm

