Importing an SSL Cert from PKCS12 to JKS

September 26, 2018, by Tad Reeves

When you’re working with a Java app like AEM, I’ve generally used this process to set up SSL: you first generate your CSR with the keytool command, which embeds the private key into a JKS file, then get the cert signed and import the signed cert back into the JKS file.

However, what happens when you’ve got a PKCS12 key & certificate chain that has been generated for you, which you then need to import into your Java keystore? I’ve had trouble with this before, as attempts to import keys with a command like this:

gave an error like this

I didn’t know how to get around this impasse for a while, until finally realizing that the certificate provider did not have an alias in the PKCS12 file, and for Java keystores, aliases are REQUIRED elements so that you can select what key you want your application to use.

On the source P12 file I was using, I saw this:

The problem, of course, is that the key has no name. Without an alias, though, you can’t reference it, you can’t convert it, and critically, in keytool you can’t rename it either, as you can’t say

The solution comes in the form of a little tool called KeyStore Explorer, which is a GUI tool that lets you import a p12 key, and then select & rename keys in the keystore even if those keys have no name.

After using that, I was able to run the first command above with my newly-renamed p12 file, and it worked like a charm.

Hope that helps anyone else that has been in the same predicament.