Tuesday, June 9, 2009

How to convert Java JKS keystore to Microsoft PFX certificate

I have some case need to create .NET WSE 3 Client to refer Axis2 Web Services with WSS4J OASIS Security( WS-Security specification 1.0), if you have only the Java format keystore, you have to convert it to MS format for signatures upon web service call.

Steps which were testified successfully follows here:
  1. Download J2SE package and setup JDK and JRE 6 on workstation. (There are many internet information about it, so omit here)
  2. Download KeyTool IUI version 2.4.1 (Match with JRE 6) from (http://yellowcat1.free.fr/index_ktl.html) and unzip to some folder and double click to run file run_ktl.bat to open visiable KeyTool IUI window
  3. Click menu [View] - [Select task] - [Export] - [Keystore's entry] - [Private key]
  4. Click browser icon to pick up the keystore JKS file and enter the keystore password in Source.
  5. Click to select PEM format on both Target Private key file and Certificates chain file:
  6. Click the save icon to designate some local folder to save the 2 PEM files.
  7. Manullay create a text file merged.pem and merge these 2 PEM files to one pem file. ( Use notepad to open the 2 PEM files and respectively copy to merge in, CERTIFICATE first and then RSA PRIVATE KEY.
  8. Download and setup OpenSSL (http://www.slproweb.com/products/Win32OpenSSL.html)
  9. Open command line and run follows: ( Assume the openssl in C root and you want the PFX file name: pfxname
    C:\OpenSSL\bin\openssl pkcs12 -export -out pfxname.pfx -in merged.pem
  10. You will find the pfx file in current folder then.


Dawna said...

Can you clarify this step: Manullay create a text file merged.pem and merge these 2 PEM files to one pem file. ( Use notepad to open the 2 PEM files and respectively copy to merge in, CERTIFICATE first and then RSA PRIVATE KEY.

I have got everything else to work this far.

Thank you!

Teddy Yu said...

You can use notepad to new a file named merged.pem, then copy the text in from the 2 PEM file(open it by any of text editor). Paste the text of certificate PEM first and press an enter key to go next row and paste the text of RAS Private PEM then. It's kind like follows:


Does this makes sense?

Guru - Singapore said...

Its really great work.. Last 2 days I was struggling, finally I made it with help of above procedure. Thanks a lot. Guru

Victor said...

Worked like a charm, thanks Teddy!

Anonymous said...

KeyTool IUI is no longer available on the net... damn, hopefully these "free software" sites do not host trojan alternatives. :D

Anonymous said...

Teddy, You saved me!!!
Thanks, Leo

ban said...

KeyTool IUI is now a Google Code Project.


Anonymous said...

Great description! Thank you!!!

Rocío Guerrero said...

Hi! I've been doing all the steps, but on the last one, I'm getting this error:

unable to load private key
8652:error.0906D06C:PEM routines:PEM_read_bio: no start line...
Expecting any PrivateKey

I don't understand why this is happening :S Do you happen to you why? Thanks in advance

Teddy Yu said...

Looks like your merge file has some format issue. Try to recombine the to file by regular text editor (such as notepad++, editor plus, etc) with UTF-8 encoding.

Rocío Guerrero said...

Thank you!! It looks like the certificate isn't able to be converted because it is incompatible with openssl :(
Thanks anyway!!

edulib said...

If you want to replace keytool with a GUI tool then you can also use CERTivity.

It can handle different types of keystores (JKS, JCEKS, PKCS12, BKS, UBER, Windows) and digital signatures.

Anonymous said...

The black magic is strong in this one!

Thank you so much!

I spent hours playing around with our many different cer/der/jks files, OpenSSL, signtool, useless guides and disappointing solutions until I found your instructions.

Sebastian Götz said...

Thank you very much. This helped me to solve my signing issue. By the way for those trying to achive this:
Keytool IUI
 -> Export
  -> Keystore's entry
   -> Private Key

to export the private key and its chain. Needed some trys myself to figure this out.

Omar S.V said...

After selecting the files, in the other window in which appears the list of Trusted Certificate Entries, I have two alias, only one of them is marked as Candidate. That mans that the unmarked one won't be exported? What can we do in order to export both entries??
Thank you! Kind regards,

Teddy Yu said...

To Omar,

If I understand correct, you will need to copy the content text and manually merge them together in one file.

joesse said...

Thank you so much! I already had Keystore Explorer in use, but it worked the same way. Left click on the key, select Export->Certificate Chain and Export->Private Key, make sure PEM is checked.