Creating an internal PK certificate and its associated inter-conversions
A PKCS12 keystore stores S/MIME user certificates and SSL/TLS server certificates. It might contain both private keys and their corresponding certificates, with or without a complete chain. The keystore's purpose is to store the credentials of an identity, whether a user or a server. Common file extensions are .p12 and .pfx.
Creating a keystore with a self-signed certificate by using the Java key tool
Using the Java key tool, run the following command to create the keystore with a self-signed certificate:
```
keytool -genkey \
-alias somealias \
-keystore keystore.p12 \
-storetype PKCS12 \
-keyalg RSA \
-storepass somepass \
-validity 730 \
-keysize 4096
```
The keystore generation options are as follows:

| Keytool option | Description |
|---|---|
| -genkey | Generate the keystore |
| -alias | Alias of the generated private key entry |
| -keystore | Keystore file to be created |
| -storetype | Type of keystore. In this example, the store type is PKCS12. |
| -keyalg | Key algorithm of the key entry to be generated |
| -storepass | Password to set on both the key entry and the keystore |
| -validity | Validity, in days, of the certificate associated with the key entry |
| -keysize | Size of the generated private key in bits |
Creating a PKCS12 keystore from an existing private key and certificate by using OpenSSL
To create the keystore from an existing private key and certificate, run the following command:
```
openssl pkcs12 \
-export \
-in certificate.pem \
-inkey key.pem \
-out keystore.p12
```
The OpenSSL options for creating a PKCS12 keystore from an existing private key and certificate are as follows:

| OpenSSL option | Description |
|---|---|
| pkcs12 | Create a PKCS12-formatted keystore |
| -export | Export the keystore to a file |
| -in | The existing certificate file. This file may also contain the certificate chain, which avoids having to add the chain later. |
| -inkey | The existing private key file |
| -out | Name of the newly created PKCS12 keystore |
Converting a JKS keystore to PKCS12
To convert a Java keystore to a PKCS12 keystore (.jks to .p12), run the following command:
```
keytool -importkeystore \
-srckeystore keystore.jks \
-destkeystore keystore.p12 \
-srcstoretype JKS \
-deststoretype PKCS12 \
-deststorepass password \
-srcalias alias \
-destalias alias
```
The keytool options are as follows:

| Keytool option | Description |
|---|---|
| -importkeystore | Import an existing keystore into a new keystore |
| -srckeystore | Keystore to be imported |
| -destkeystore | Keystore that receives the import |
| -srcstoretype | Type of the keystore to be imported |
| -deststoretype | Type of the keystore that receives the import |
| -deststorepass | Password of the new keystore |
| -srcalias | Alias to be imported |
| -destalias | Alias to import to |
Converting a PKCS12 keystore to JKS
To convert a PKCS12 keystore to JKS, run the following command:
```
keytool -importkeystore \
-srckeystore example.p12 \
-srcstoretype PKCS12 \
-destkeystore example.jks \
-deststoretype JKS
```
Changing the password of a PKCS12 keystore
To change the password of a PKCS12 keystore, follow these steps:
- Change the keystore password: `keytool -storepasswd -keystore keystore.p12`
- Change the key password in that keystore for each alias: `keytool -keypasswd -alias alias -keystore keystore.p12`
Changing an alias name in a keystore
When you generate a keystore without explicitly setting an alias, the default alias is `1`. This default might vary with the software used to generate the keystore. To change the alias, run the following command:
Listing the contents of a keystore
We recommend that you verify changes to a keystore by listing the contents. To list the contents of the PKCS12 keystore, run the following command:
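The keytool sections above (creating the keystore with a self-signed certificate, converting it to JKS, changing the keystore password, renaming the alias, and listing the contents) are tied together below in one POSIX shell walk-through. It is an added example, not code from the original page or from the File-AID Services documentation. The alias `demo`, the passwords `oldpass` and `newpass`, the subject DN, the 2048-bit key size (chosen to keep generation quick) and the temporary working directory are all constructed for the example; every keytool command and option used is a standard one.

```shell
#!/bin/sh
# Added example, not code from the original page: a keytool lifecycle walk-through.
# Alias, passwords, subject DN and file names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12="$WORK/keystore.p12"
JKS="$WORK/keystore.jks"

# 1. Create a PKCS12 keystore holding one self-signed RSA key pair.
#    -dname makes the run non-interactive; -genkeypair is the current name of -genkey.
#    Existing files are removed first so the function can be re-run.
create_keystore() {
    rm -f "$P12" "$JKS"
    keytool -genkeypair \
        -alias demo \
        -keystore "$P12" \
        -storetype PKCS12 \
        -keyalg RSA \
        -keysize 2048 \
        -validity 730 \
        -storepass oldpass \
        -dname "CN=demo.example.internal, O=Example Org" >/dev/null 2>&1
}

# 2. Convert the PKCS12 keystore to JKS for software that still needs that format.
#    -noprompt suppresses the "overwrite existing alias?" question.
convert_to_jks() {
    keytool -importkeystore \
        -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass oldpass \
        -destkeystore "$JKS" -deststoretype JKS -deststorepass oldpass \
        -srcalias demo -destalias demo -noprompt >/dev/null 2>&1
}

# 3. Change the PKCS12 keystore password; -new supplies it non-interactively.
change_store_password() {
    keytool -storepasswd -keystore "$P12" -storetype PKCS12 \
        -storepass oldpass -new newpass >/dev/null 2>&1
}

# 4. Rename the entry. Had no -alias been given at creation, it would be "1".
rename_alias() {
    keytool -changealias -keystore "$P12" -storetype PKCS12 -storepass newpass \
        -alias demo -destalias demo-renamed >/dev/null 2>&1
}

# 5. List the private-key entries of a keystore, one alias per line.
#    Usage: list_key_aliases <keystore> <storetype> <password>
list_key_aliases() {
    keytool -list -keystore "$1" -storetype "$2" -storepass "$3" 2>/dev/null |
        sed -n 's/^\([^,]*\),.*PrivateKeyEntry.*/\1/p'
}

# Run the whole sequence; listing after each change is the verification step.
main() {
    create_keystore
    convert_to_jks
    change_store_password
    rename_alias
    echo "PKCS12 entries: $(list_key_aliases "$P12" PKCS12 newpass)"
    echo "JKS entries:    $(list_key_aliases "$JKS" JKS oldpass)"
}

if command -v keytool >/dev/null 2>&1; then main; else echo "keytool not found" >&2; fi
```

The script runs as-is when a JDK is on the PATH; `list_key_aliases` is the check to run after every keystore change, and it should show `demo-renamed` in the PKCS12 keystore and `demo` in the JKS copy.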
Extracting a private key from a keystore using OpenSSL
Some software requires a stand-alone private key instead of a keystore for authentication, signing, and so on. To extract the private key from a keystore, run the following command:
Extracting the certificates from a keystore using OpenSSL
Similar to requiring a stand-alone key, some software requires stand-alone certificate files instead of a keystore. To extract a certificate or certificate chain from a PKCS12 keystore by using OpenSSL, run the following command:
In this command, `-in example.p12` is the keystore and `-nokeys` means that only the certificates are extracted, not the keys.
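The OpenSSL steps above, building a PKCS12 keystore from an existing private key and certificate and then extracting the private key and the certificates from it again, are shown end to end in the following POSIX shell script. It is an added example, not code from the original page or from the File-AID Services documentation. The throwaway key and self-signed certificate it generates, the alias `somealias`, the password `somepass` and the file names are constructed for the demo; the `openssl req`, `openssl pkcs12`, `openssl pkey` and `openssl x509` invocations are standard.

```shell
#!/bin/sh
# Added example, not code from the original page: build a PKCS12 keystore from a
# key and certificate, then extract the key and the certificates again.
# Subject DN, alias, password and file names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12="$WORK/keystore.p12"

# Constructed input material: a throwaway RSA key and self-signed certificate,
# standing in for the key.pem / certificate.pem an internal CA would have issued.
make_key_and_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.internal" \
        -keyout "$WORK/key.pem" -out "$WORK/certificate.pem" 2>/dev/null
}

# Bundle key and certificate into a PKCS12 keystore (openssl pkcs12 -export).
# -name sets the alias; -passout avoids the interactive password prompt.
build_keystore() {
    openssl pkcs12 -export -in "$WORK/certificate.pem" -inkey "$WORK/key.pem" \
        -name somealias -passout pass:somepass -out "$P12"
}

# Extract only the private key (-nocerts). -nodes writes it unencrypted, so the
# file is created with owner-only permissions and should be deleted after use.
extract_private_key() {
    umask 077
    openssl pkcs12 -in "$P12" -nocerts -nodes -passin pass:somepass \
        -out "$WORK/extracted-key.pem" 2>/dev/null
}

# Extract only the certificate(s) (-nokeys); a chain, if present, comes out as
# consecutive PEM blocks in the same file.
extract_certificates() {
    openssl pkcs12 -in "$P12" -nokeys -passin pass:somepass \
        -out "$WORK/extracted-certs.pem" 2>/dev/null
}

# Count PEM blocks of a given type ("PRIVATE KEY", "CERTIFICATE") in a file.
count_pem_blocks() {
    grep -c "^-----BEGIN $2" "$1"
}

# Verification step: the extracted key and certificate must carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/extracted-key.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/extracted-certs.pem" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
    make_key_and_cert
    build_keystore
    extract_private_key
    extract_certificates
    echo "keys extracted:  $(count_pem_blocks "$WORK/extracted-key.pem" "PRIVATE KEY")"
    echo "certs extracted: $(count_pem_blocks "$WORK/extracted-certs.pem" CERTIFICATE)"
    key_matches_cert && echo "key and certificate match"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

The public-key comparison at the end is the check worth keeping after any extraction: it confirms the key and certificate you handed to another program actually belong together, before that program fails with a less helpful error.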
Updating the trust chain in an existing keystore for a specific keystore entry
To update the trust chain for a given alias in a PKCS12 keystore, run the following command:
```
keytool -importcert \
-trustcacerts \
-alias alias_to_be_updated \
-file chain.pem \
-keystore keystore.p12
```
In this command:
- `-trustcacerts` means that the trust chain is being added to the existing entry.
- `-alias alias_to_be_updated` is the entry being updated.
- `-file chain.pem` is the complete certificate chain: the end-entity certificate, all intermediate certificates, and the root certificate.
- `-keystore keystore.p12` is the keystore being updated.
If you encounter the error `java.lang.Exception: Failed to establish chain from reply`, you might not have included the correct chain or the complete chain, including the root. Also check the formatting of the chain in case a character is missing from the header or footer of any certificate in the chain.
Creating PKCS12 truststore by using OpenSSL
To create a PKCS12 (.p12 or .pfx) truststore, that is, a keystore that holds certificates only, use the -nokeys flag. To import only a certificate into a new keystore, run the following command:
If the -nokeys flag is not provided, the following error is displayed:
```
140022995109184:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
```
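The following POSIX shell script shows the truststore case above with and without `-nokeys`, and then checks that the result holds a certificate and no private key. It is an added example, not code from the original page or from the File-AID Services documentation. The self-signed "Demo Internal Root" certificate, the alias `demo-root`, the password `changeit` and the file names are constructed for the demo; the exact wording of the failure message depends on the OpenSSL version, so the script reports the first line rather than matching it.

```shell
#!/bin/sh
# Added example, not code from the original page: build a PKCS12 truststore that
# contains a certificate only, and show why -nokeys is required.
# Certificate subject, alias, password and file names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TRUST="$WORK/truststore.p12"

# Constructed certificate to be trusted (its key is generated only because
# openssl req needs one; a real truststore import starts from cert.pem alone).
make_trusted_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Internal Root" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

# The mistake the page describes: no -nokeys and no -inkey, so openssl looks for
# a private key inside the certificate file and fails.
build_truststore_without_nokeys() {
    openssl pkcs12 -export -in "$WORK/ca-cert.pem" \
        -passout pass:changeit -out "$WORK/wrong.p12" 2>"$WORK/wrong.err"
}

# The correct form: -nokeys puts only the certificate(s) into the file.
build_truststore() {
    openssl pkcs12 -export -nokeys -in "$WORK/ca-cert.pem" -name demo-root \
        -passout pass:changeit -out "$TRUST" 2>/dev/null
}

# Dump the truststore to stdout only and count entries of one PEM type.
# Usage: truststore_count <PEM type>, e.g. CERTIFICATE or "PRIVATE KEY".
truststore_count() {
    openssl pkcs12 -in "$TRUST" -nodes -passin pass:changeit 2>/dev/null |
        grep -c "^-----BEGIN $1" || true
}

main() {
    make_trusted_cert
    if build_truststore_without_nokeys; then
        echo "unexpected: export without -nokeys succeeded" >&2
        return 1
    fi
    echo "without -nokeys: $(head -n 1 "$WORK/wrong.err")"
    build_truststore
    echo "certificates in truststore: $(truststore_count CERTIFICATE)"
    echo "private keys in truststore: $(truststore_count "PRIVATE KEY")"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

The final two counts are the check that matters for a truststore: one or more certificates and zero private keys. A truststore that unexpectedly contains a key is the kind of file that ends up copied to every client, so it is worth a look before distribution.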
Related topics
Creating a self-signed SSL certificate for File-AID Services