Normally, we use PKCS12/PEM for NGINX, Apache2, OpenLDAP, Postfix, etc.
BUT NOT JAVA! :P
Conventions
export PASS=changeit
export DOMAIN=example.org
I'm too lazy, just streamlined it all. :P
Import
openssl pkcs12 -export -in $DOMAIN.crt -inkey $DOMAIN.key -out $DOMAIN.p12 -name $DOMAIN -passout pass:$PASS
keytool -importkeystore -deststorepass $PASS -destkeypass $PASS -destkeystore $DOMAIN.keystore -srckeystore $DOMAIN.p12 -srcstoretype PKCS12 -srcstorepass $PASS -alias $DOMAIN
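The two Import commands wrapped with the checks worth running around them, as an added example that is not part of the original post: a pre-flight test that the certificate matches the private key, passwords read from the PASS environment variable instead of the command line (where any local user can see them in the process list), and a final check that the alias is a key entry. The function names are hypothetical; it assumes PASS and DOMAIN are exported as in Conventions, that $DOMAIN.key is an unencrypted PEM key, and that keytool prints its entry types in English.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes PASS and DOMAIN are
# exported as in "Conventions" and that $DOMAIN.key is an unencrypted PEM key.

# Succeed only if the certificate's public key equals the one derived from
# the private key. Returns 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if alias $2 in keystore $1 holds a private key, not just a
# trusted certificate (a server cannot present a cert without its key).
has_private_key_entry() {
    keytool -list -keystore "$1" -storepass:env PASS -alias "$2" 2>/dev/null |
        grep -q 'PrivateKeyEntry'
}

# PEM -> PKCS12 -> keystore: the two "Import" commands plus both checks.
# Runs in a subshell so the umask change does not leak to the caller.
pem_to_jks() (
    d=$1
    cert_matches_key "$d.crt" "$d.key" || {
        echo "error: $d.crt does not match $d.key" >&2; exit 1; }
    umask 077   # keystore files hold the private key: owner-only
    openssl pkcs12 -export -in "$d.crt" -inkey "$d.key" -out "$d.p12" \
        -name "$d" -passout env:PASS || exit 1
    keytool -importkeystore -deststorepass:env PASS -destkeypass:env PASS \
        -destkeystore "$d.keystore" -srckeystore "$d.p12" \
        -srcstoretype PKCS12 -srcstorepass:env PASS -alias "$d" || exit 1
    has_private_key_entry "$d.keystore" "$d"
)

# Usage: pem_to_jks "$DOMAIN"
```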
Note
The keytool command prints this warning after creating a keystore:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore clientkeystore -destkeystore clientkeystore -deststoretype pkcs12".
But, hey, every Java thing is still only able to load a keystore, not PKCS12.