How to Create a JKS KeyStore file from an existing private key and certificate

When you are working with Java applications and Java-based servers, you may need to configure a Java key store (JKS) file. A self-signed keystore can easily be created with the keytool command. But if you already have a private key and a CA-signed certificate for it, you cannot create the keystore with a single keytool command.

You need to go through the following steps to get it done.

Step 1. Create a PKCS 12 file from your private key and its CA-signed certificate. You can use the openssl command for this.

openssl pkcs12 -export -in [path to certificate] -inkey [path to private key] -certfile [path to certificate] -out testkeystore.p12

If your private key has a password, openssl prompts you to enter it. You also need to define a password for the PKCS 12 file.

As an example, say I have a private key called “server.pem” and a certificate called “servercret.pem”

asela@localhost:~/svn/demo/keystores/casigned$ openssl pkcs12 -export -in servercret.pem -inkey server.pem -certfile servercret.pem -out testkeystore.p12
Enter pass phrase for server.pem:
Enter Export Password:
Verifying - Enter Export Password:

Step 2. Create JKS file using keytool command

keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS

The PKCS 12 file created in Step 1 is given as the source keystore, and the new file name (wso2carbon.jks) is given as the destination keystore.

As an example,

asela@localhost:~/svn/demo/keystores/casigned$ keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

As additional steps, you can change the private key password in the created JKS file and also the alias name of your private key entry.

Step 3 (Optional). Change the password of the private key entry in the keystore.

keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store]

Step 4 (Optional). Change the alias name of the private key entry

keytool -changealias -keystore [path to key store] -alias [current alias]

By default, [current alias] is set to “1”.
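
Steps 1 and 2 as a non-interactive script, added here as an example and not part of the original article: it checks that the key and certificate belong together, sets the alias with openssl's -name option so the entry is not imported as “1”, and reads passwords from environment variables instead of the command line. The function names, the P12_PASS and JKS_PASS variables, the throwaway self-signed demo certificate and the unencrypted private key are assumptions made for this example.

```shell
#!/bin/sh
# Added example: Steps 1-2 without prompts. Passwords come from the environment
# variables P12_PASS and JKS_PASS (names chosen for this example).

# Succeeds only if the certificate carries the public key of the private key.
key_matches_cert() {  # usage: key_matches_cert KEY.pem CERT.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Step 1: bundle key + cert into PKCS 12; -name sets the alias keytool will see.
build_p12() {  # usage: build_p12 KEY.pem CERT.pem ALIAS OUT.p12
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    (umask 077; openssl pkcs12 -export -in "$2" -inkey "$1" -name "$3" \
        -passout env:P12_PASS -out "$4")
}

# Prints the alias (friendlyName) actually stored in the PKCS 12 file.
p12_alias() {  # usage: p12_alias FILE.p12
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Step 2: convert to JKS with keytool; the alias from Step 1 is kept.
p12_to_jks() {  # usage: p12_to_jks IN.p12 OUT.jks
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env P12_PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env JKS_PASS
}

# Demo on a constructed throwaway key and self-signed certificate (a stand-in
# for a CA-signed one). Run as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); export P12_PASS=changeit-p12 JKS_PASS=changeit-jks
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -days 1 -keyout "$d/server.pem" -out "$d/servercret.pem" 2>/dev/null
    build_p12 "$d/server.pem" "$d/servercret.pem" server "$d/testkeystore.p12"
    echo "alias in PKCS 12: $(p12_alias "$d/testkeystore.p12")"
    command -v keytool >/dev/null &&
        p12_to_jks "$d/testkeystore.p12" "$d/wso2carbon.jks"
    rm -rf "$d"
fi
```

Because the alias is set in Step 1, Step 4 is only needed if you want to rename the entry later.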

