
Converting PFX Certificates to Java Keystores

A PFX (Personal inFormation eXchange) file is a PKCS #12 archive, not a bare certificate: it bundles one or more certificates together with their private keys, all protected by a passphrase. Windows loves this format, but to use such a key and certificate from a Java program we need to convert it to a Java keystore (JKS).

Before we begin, make sure you have a Java runtime installed. I'm using Java 1.5.0_07; 1.6 may work, and I doubt 1.4 or below will.

To make this easy, we are going to leverage a utility class bundled with Jetty, a free Java web server. Download the latest stable version from their site, which at the time of writing is 6.1.1.

Extract the zip file to a folder, then open a terminal, change into that folder, and run the following:

> java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import

You should get a message that looks like this:

usage: java PKCS12Import {pkcs12file} [newjksfile]

If you don't see this exact message, check that you are using a supported Java and Jetty version and that you are in the Jetty folder. Moving on.

Now that things work, pass the path of the PFX file and the path of the keystore to create. You will be prompted for the passphrase of each file: the input passphrase is the one that protects the PFX, and the output passphrase is the one that will protect the new keystore.

> java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import \
         MyCert.pfx MyCert.jks
Enter input keystore passphrase: ******
Enter output keystore passphrase: ******

When it is all said and done, you should be looking at a shiny new Java keystore file. Verify it by running the following and entering the output passphrase you chose above:

> keytool -list -keystore MyCert.jks -v

Enter keystore password:  ******

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 29d1a9e13ca529ef1a32b1ea135b713_5a537e12-9c8e-833f-bb76-30ab870dd21
Creation date: Jan 1, 2007
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=XXXX, OU=IT, O=XXXX, L=XXXX, ST=XXXX, C=XXXX, EMAILADDRESS=XXXX
Issuer: CN=XXXX, O=IT, L=XXXX, ST=XXXX, C=XXXX, EMAILADDRESS=XXXX
Serial number: a0032c317ba3200000e1
Valid from: Mon Jan 1 00:00:00 CDT 2007 until: Tue Jan 1 00:00:00 CDT 2008
Certificate fingerprints:
         MD5:  B1:63:6A:2C:2E:97:A4:33:E9:61:98:01:CA:0B:74:91
         SHA1: 61:98:01:04:7D:33:6C:2E:97:A4:D2:C7:61:61:B1:63:6A:2C:2E:97

Your output will vary (the alias, for example, is the friendly name carried in the PFX), but you should have a valid Java keystore in the end. The line to check is "Entry type: keyEntry": that means the private key came across with the certificate. If you see trustedCertEntry instead, only the certificate was imported and the keystore is useless for anything that needs to sign or decrypt. You can use the keytool tool to merge this keystore into another existing keystore, but I'll leave that for another day.
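If you would rather not depend on Jetty, the conversion is a few lines against the standard KeyStore API, which is essentially what PKCS12Import does. The following is an added example written for this page, not Jetty's code; the class name Pfx2Jks and its argument order are my own choices, and it assumes Java 7 or later (it uses System.console() and try-with-resources, neither of which exists in the 1.5 runtime used above). It loads the PFX as a PKCS12 keystore, copies every key and certificate entry into a fresh JKS store, writes it out, and prints a short listing so you can compare against keytool -list.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Copies every entry of a PKCS #12 (.pfx) store into a new JKS store.
 * Added example for this page; Pfx2Jks and its arguments are assumptions,
 * not the interface of Jetty's PKCS12Import.
 */
public class Pfx2Jks {

    /** Copies all entries from src into a fresh JKS store and returns it. */
    static KeyStore convert(KeyStore src, char[] srcKeyPass, char[] dstKeyPass) throws Exception {
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null); // create an empty store in memory
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isKeyEntry(alias)) {
                // In a PFX the private key is normally protected by the store passphrase.
                Key key = src.getKey(alias, srcKeyPass);
                Certificate[] chain = src.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    throw new IllegalStateException("key entry '" + alias + "' has no certificate chain");
                }
                dst.setKeyEntry(alias, key, dstKeyPass, chain);
            } else if (src.isCertificateEntry(alias)) {
                // A bare certificate (no key) becomes a trustedCertEntry.
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return dst;
    }

    /** Prints alias, entry type, subject and validity, much like `keytool -list -v`. */
    static void describe(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println("Alias: " + alias
                    + (ks.isKeyEntry(alias) ? " (keyEntry)" : " (trustedCertEntry)"));
            Certificate c = ks.getCertificate(alias); // first cert of the chain for key entries
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  Owner:  " + x.getSubjectX500Principal());
                System.out.println("  Issuer: " + x.getIssuerX500Principal());
                System.out.println("  Valid:  " + x.getNotBefore() + " until " + x.getNotAfter());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage: java Pfx2Jks <in.pfx> <out.jks>   (run from an interactive terminal)");
            System.exit(2);
        }
        // Read passphrases without echo; never take them on the command line, where ps can see them.
        char[] inPass = System.console().readPassword("Enter input keystore passphrase: ");
        char[] outPass = System.console().readPassword("Enter output keystore passphrase: ");
        try {
            KeyStore src = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(args[0])) {
                src.load(in, inPass); // throws IOException on a wrong passphrase or a corrupt file
            }
            KeyStore dst = convert(src, inPass, outPass);
            try (OutputStream out = new FileOutputStream(args[1])) {
                dst.store(out, outPass);
            }
            describe(dst);
        } finally {
            Arrays.fill(inPass, '\0'); // don't leave passphrases lying around in the heap
            Arrays.fill(outPass, '\0');
        }
    }
}
```

Compile and run it with `javac Pfx2Jks.java` followed by `java Pfx2Jks MyCert.pfx MyCert.jks`, then confirm the result with the keytool -list command above. Two caveats worth knowing: on Java 6 and later keytool can do this conversion itself (`keytool -importkeystore -srckeystore MyCert.pfx -srcstoretype PKCS12 -destkeystore MyCert.jks -deststoretype JKS`), and Java can load a PFX directly with `KeyStore.getInstance("PKCS12")`, so a program you control often does not need a JKS at all. That matters because JKS encrypts private keys with a weak proprietary scheme; keep the converted file on a filesystem with restrictive permissions, and prefer PKCS #12 where the consuming software accepts it.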
