A PFX (Personal Information Exchange) file is a PKCS #12 archive that can contain both certificates and private keys. Windows loves this format, but if we want to use one from a Java program, we will need to convert it to a Java keystore.

Before we begin, make sure you have the Java runtime installed. I’m using Java 1.5.0_07, but 1.6 may work. I doubt 1.4 or below will work.

To make this easy, we are going to leverage a utility class that is bundled with Jetty, a free Java web server. Download the latest stable version from their site, which at the time of writing is version 6.1.1.

Extract the zip file to a folder, then open a terminal and change into that folder and execute the following:

$ java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import

You should get a message that looks like this:

usage: java PKCS12Import {pkcs12file} [newjksfile]

If you don’t see this exact message, then make sure you are using a valid Java and Jetty version and make sure you are in the Jetty folder. Moving on.

Now that things work, you can pass the path of the PFX file and the path of the keystore to create. You will be prompted for the passwords for both files.

$ java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import MyCert.pfx MyCert.jks
Enter input keystore passphrase: ******
Enter output keystore passphrase: ******

When it is all said and done, you should be looking at a shiny new Java keystore file. Verify the keystore by executing the following and entering the password you entered above:

$ keytool -list -keystore MyCert.jks -v

Enter keystore password:  ******

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 29d1a9e13ca529ef1a32b1ea135b713_5a537e12-9c8e-833f-bb76-30ab870dd21
Creation date: Jan 1, 2007
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=XXXX, OU=IT, O=XXXX, L=XXXX, ST=XXXX, C=XXXX, EMAILADDRESS=XXXX
Issuer: CN=XXXX, O=IT, L=XXXX, ST=XXXX, C=XXXX, EMAILADDRESS=XXXX
Serial number: a0032c317ba3200000e1
Valid from: Mon Jan 1 00:00:00 CDT 2007 until: Tue Jan 1 00:00:00 CDT 2008
Certificate fingerprints:
         MD5:  B1:63:6A:2C:2E:97:A4:33:E9:61:98:01:CA:0B:74:91
         SHA1: 61:98:01:04:7D:33:6C:2E:97:A4:D2:C7:61:61:B1:63:6A:2C:2E:97

Your output may vary, but you should have a valid Java keystore in the end. You can use keytool to merge this keystore into another existing keystore, but I’ll leave that for another day.
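For readers who would rather not depend on a Jetty jar, here is the same conversion written against the standard java.security.KeyStore API. This is an added example, not code from the original post or from Jetty; it assumes Java 7 or newer (try-with-resources and System.console()) and reuses the output store password as the password for each key entry, as PKCS12Import does.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

// Added example, not Jetty's code: copies every entry from a PKCS #12 file
// into a JKS keystore, the job PKCS12Import does. Assumes Java 7 or newer.
public class Pkcs12ToJks {
    public static KeyStore convert(InputStream pfx, char[] pfxPassword,
                                   char[] jksPassword) throws Exception {
        KeyStore src = KeyStore.getInstance("PKCS12");
        src.load(pfx, pfxPassword);
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null); // start with an empty in-memory keystore
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                // a PFX uses one passphrase for the store and its keys
                Key key = src.getKey(alias, pfxPassword);
                Certificate[] chain = src.getCertificateChain(alias);
                // JKS protects each key separately; reuse the store password
                dst.setKeyEntry(alias, key, jksPassword, chain);
            } else {
                // certificate-only entry (no private key): copy as trusted cert
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return dst;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java Pkcs12ToJks {pkcs12file} {newjksfile}");
            System.exit(1);
        }
        // read passphrases from the terminal so they never appear in argv
        char[] inPass = System.console().readPassword("Enter input keystore passphrase: ");
        char[] outPass = System.console().readPassword("Enter output keystore passphrase: ");
        KeyStore jks;
        try (InputStream in = new FileInputStream(args[0])) { jks = convert(in, inPass, outPass); }
        try (OutputStream out = new FileOutputStream(args[1])) { jks.store(out, outPass); }
        System.out.println("Wrote " + jks.size() + " entries to " + args[1]);
    }
}
```

The aliases are carried over unchanged, which is why a Windows export ends up with a long GUID-style alias like the one in the keytool output above. Java 9 and later default to PKCS #12 keystores and read a PFX directly with KeyStore.getInstance("PKCS12"), so this conversion is only needed for code that insists on the JKS type.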


6 Comments »

  1. It worked! You made my day, thanks.

    Comment by dayg — July 4, 2008 @ 7:10 am

  2. Thanks a lot, this helped me a lot and Jetty too

    Comment by Kasun — July 16, 2008 @ 1:05 am

  3. Very useful for me, thanks.

    Comment by Milos — October 13, 2008 @ 1:31 pm

  4. Thanks man!
    You saved my task from many days of searching, work and trouble.
    It worked, and the validation (I used org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory – with both truststore and keystore) passed in a blinking of an eye!

    Comment by mike — December 22, 2008 @ 9:31 am

  5. First of all thank you very much!

    I just followed your steps and it worked! But I want to verify it before I send it to my programmer, but the command below didn’t work.
    keytool -list -keystore MyCert.jks -v

    Do I have to follow any special steps in it?
    By the way, I am using the “jetty-6.1.15.pre0” version

    Comment by JOhn — January 28, 2009 @ 11:20 pm

  6. Nevermind!

    .Net bee and new to Java so got confused earlier. Worked for me and thanks again for the good article.

    Comment by JOhn — January 28, 2009 @ 11:45 pm
