Normally, we use PKCS12 PEM for NGINX, Apache2, OpenLDAP, postfix, etc.

BUT NOT JAVA! :P

Conventions

export PASS=changeit
export DOMAIN=example.org

I’m too lazy, just streamlined it all. :P

Import

openssl pkcs12 -export -in $DOMAIN.crt -inkey $DOMAIN.key -out $DOMAIN.p12 -name $DOMAIN -passout pass:$PASS
keytool -importkeystore -deststorepass $PASS -destkeypass $PASS -destkeystore $DOMAIN.keystore -srckeystore $DOMAIN.p12 -srcstoretype PKCS12 -srcstorepass $PASS -alias $DOMAIN
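
The same import as an added example (not part of the original post), with two safeguards: it checks that the certificate and key belong together before bundling, and it hands the password to openssl and keytool through the environment instead of `pass:$PASS`, which is visible in the process list. The function names are hypothetical; `PASS` is assumed to be exported as in Conventions, and the key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example. Assumes PASS is exported (as in Conventions) and that
# <domain>.crt / <domain>.key are unencrypted PEM files in the current directory.

# Succeeds only if the certificate and the private key carry the same public key.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# PEM -> PKCS12. The password is read from the environment (env:PASS), so it
# never appears in the argument list that `ps` shows to other local users.
pem_to_p12() {
    domain=$1
    if ! cert_key_match "$domain.crt" "$domain.key"; then
        echo "error: $domain.crt and $domain.key do not match" >&2
        return 1
    fi
    # umask 077 in a subshell: the bundle holds the private key, keep it owner-only.
    ( umask 077
      openssl pkcs12 -export -in "$domain.crt" -inkey "$domain.key" \
          -out "$domain.p12" -name "$domain" -passout env:PASS ) || return 1
    # Read the bundle back with the same password to confirm it is usable.
    openssl pkcs12 -in "$domain.p12" -passin env:PASS -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# PKCS12 -> Java keystore, same flags as the command above, with keytool's
# ":env" modifier in place of literal passwords.
p12_to_keystore() {
    domain=$1
    keytool -importkeystore \
        -srckeystore "$domain.p12" -srcstoretype PKCS12 -srcstorepass:env PASS \
        -destkeystore "$domain.keystore" \
        -deststorepass:env PASS -destkeypass:env PASS \
        -alias "$domain"
}

# Usage: export PASS=...; pem_to_p12 "$DOMAIN" && p12_to_keystore "$DOMAIN"
```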

Note

The keytool command prints this warning after creating a keystore:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore clientkeystore -destkeystore clientkeystore -deststoretype pkcs12”.

But, hey, every Java thing is still only able to load a keystore, not PKCS12.

Reference

Mengubah Format PEM (Apache/NGINX) ke Keystore JAVA
Chapter 6. Configuring Jetty Connectors: Configuring SSL/TLS