Convert a PFX to JKS using Windows

Phase 1 – Get Required Software

We will need to use some Java utilities to convert the PFX. Your client machine needs to have the Java Runtime Environment (JRE) installed. You can get the latest version here:
http://java.com/en/download/index.jsp

You will also need Jetty, the free Java web server. We will use some built-in functions in Jetty to perform the conversion. For this example I will be using version 6.1.1. Newer versions can be found here:

http://docs.codehaus.org/display/JETTY/Downloading+Jetty

Install the JRE using the defaults. Extract the Jetty files to C:\Jetty. We will not actually be installing Jetty, just using a utility included with it.

Phase 2 – Add a Password To The PFX.

If the PFX was generated using OpenSSL, it may have a blank password. If the PFX already has a password, skip this section. The JKS standard does not allow blank passwords, so we must add one to the PFX. To do this, open the MMC by going to Start -> Run. In the Run dialogue box type “mmc” (without quotes) and then hit OK.
Next follow these steps:

The PFX should now have a password assigned to it.

Phase 3 – Convert the PFX

Open a Command Prompt and navigate to the Jetty directory.

At the Command Prompt use the following command to test for existence of the Java class.
java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import

You should get a return message that looks like this:
usage: java PKCS12Import {pkcs12file} [newjksfile]

If you do not get that message back, then the version of Jetty you have does not have the class. In that case, download version 6.1.1, which I have attached to this document.

If all is good let’s convert the PFX. Replace www.domain.com.pfx and www.domain.com with the name of your cert. Ensure you spell the name of the PFX right and you point it to the directory where you exported the PFX.

java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import C:\jetty-6.1.1\www.domain.com.pfx C:\jetty-6.1.1\www.domain.com.jks

Here is what you should see after running the command:

Phase 4 – Verify the JKS

At the Command Prompt, navigate to the Java Runtime bin directory. If you installed it with the defaults it should be located at C:\Program Files\Java\jre6\bin. Note: You may have a later version.

Run this command to verify if the JKS is valid. Note: Replace the cert name with yours.
keytool -list -keystore C:\jetty-6.1.1\www.domain.com.jks -v

If everything went right you should see something similar to the following:
C:\Program Files\Java\jre6\bin>keytool -list -keystore C:\jetty-6.1.1\www.domain.com.jks -v
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

If all went well you should have a working JKS file.
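
The same conversion can be done with the JRE's own java.security.KeyStore API. The following is an added example, not code from the original post or from Jetty; the class name PfxToJks is hypothetical, and it assumes a JDK (for javac) at Java 7 or later.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;

// Added example (hypothetical class): PFX/PKCS#12 to JKS with the JRE's KeyStore API.
public class PfxToJks {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            throw new IllegalArgumentException("usage (interactive): java PfxToJks {pkcs12file} {newjksfile}");
        }
        // readPassword() does not echo the passphrase to the screen.
        char[] inPass = console.readPassword("Enter input keystore passphrase: ");
        char[] outPass = console.readPassword("Enter output keystore passphrase: ");
        if (inPass == null || outPass == null || outPass.length == 0) {
            throw new IllegalArgumentException("the output JKS needs a non-blank passphrase");
        }
        try {
            KeyStore pfx = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(args[0])) {
                pfx.load(in, inPass);
            }
            KeyStore jks = KeyStore.getInstance("JKS");
            jks.load(null, null); // start from an empty keystore
            int keys = 0;
            for (String alias : Collections.list(pfx.aliases())) {
                if (pfx.isKeyEntry(alias)) {
                    jks.setKeyEntry(alias, pfx.getKey(alias, inPass), outPass,
                            pfx.getCertificateChain(alias));
                    keys++;
                } else {
                    jks.setCertificateEntry(alias, pfx.getCertificate(alias));
                }
            }
            if (keys == 0) {
                throw new IllegalStateException("no private key entry found in " + args[0]);
            }
            try (FileOutputStream out = new FileOutputStream(args[1])) {
                jks.store(out, outPass);
            }
            System.out.println("Wrote " + jks.size() + " entries, " + keys + " with a private key");
        } finally {
            Arrays.fill(inPass, '\0'); // wipe passphrases from memory
            Arrays.fill(outPass, '\0');
        }
    }
}
```

Compile it with javac PfxToJks.java and run it with the same two paths as the PKCS12Import command, then check the result with the keytool -list command from Phase 4.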

5 thoughts on “Convert a PFX to JKS using Windows”

  1. I tried this but I can't convert it:

    C:\jetty-6.1.11>java -classpath lib/jetty-6.1.11.jar org.mortbay.jetty.security.
    PKCS12Import C:\epos_pfx.pfx C:\mialmacenpfx.jks
    Enter input keystore passphrase: epos
    Enter output keystore passphrase: epos
    Exception in thread "main" java.io.IOException: Error in loading the keystore: P
    rivate key decryption error: (java.lang.SecurityException: Unsupported keysize o
    r algorithm parameters)
    at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(KeyStore.java:695)
    at org.mortbay.jetty.security.PKCS12Import.main(PKCS12Import.java:95)

  2. Never seen that error before. I would check to ensure the PFX works correctly on a Windows-based machine first. If not then the PFX may be corrupted.

  3. Thank you for this very well written document. I'm not a java person at all and I needed to create a JKS for someone and this worked well for me.