Jan Peter Alexander

Jan Peter Alexander

There is nothing certain than the uncertainty itself. Capture, learn and mitigate. Welcome!

Normally, we used PKCS12 PEM for NGINX, Apache2, OpenLDAP, postfix, etc.

BUT NOT JAVA! :P

Conventions

export PASS=changeit
export DOMAIN=example.org

Iā€™m too lazy, just streamlined it all. :P

Import

openssl pkcs12 -export -in $DOMAIN.crt -inkey $DOMAIN.key -out $DOMAIN.p12 -name $DOMAIN -passout pass:$PASS
keytool -importkeystore -deststorepass $PASS -destkeypass $PASS -destkeystore $DOMAIN.keystore -srckeystore $DOMAIN.p12 -srcstoretype PKCS12 -srcstorepass $PASS -alias $DOMAIN

Note

The keytool command warns this after creating of a keystore:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using ā€œkeytool -importkeystore -srckeystore clientkeystore -destkeystore clientkeystore -deststoretype pkcs12ā€.

But, hey, every Java thing still only able to load keystore, not PKCS12.

Reference

Mengubah Format PEM (Apache/NGINX) ke Keystore JAVA Chapter 6. Configuring Jetty Connectors: Configuring SSL/TLS

You May Also Enjoy