Java .JKS File Creation from .PFX on Weblogic

Converting Certificate Files from .pfx to .jks

Note: The goal of these instructions is to show how to extract your certificates and private key from a .pfx file and merge them into a Java keystore.

This operation requires both keytool and OpenSSL, plus a Weblogic-specific utility to complete the process.

PFX to .JKS on Weblogic

PFX files are a Windows-based certificate backup format that combines your SSL certificate's public key file and trust chain with their associated private key.

To convert your certificate files to a format usable by a Java-based server, first extract the certificates and keys from your PFX file using OpenSSL, and then import the certificates into your keystore using keytool.

  1. First, create a .pfx file from your Microsoft server if you have not already.
  2. Second, run the following OpenSSL command to extract your certificates and key from the .pfx:

    openssl pkcs12 -in yourfilename.pfx -out tempcertfile.crt -nodes

  3. You should now have a file called tempcertfile.crt. Open this file with a text editor (such as WordPad) and you will see the private key listed first, followed by your certificate files:

    -----BEGIN RSA PRIVATE KEY-----
    (Block of Encrypted Text)
    -----END RSA PRIVATE KEY-----

  4. Cut and paste all of the private key, including the BEGIN and END tags, to a new text file and save it as your_domain_name.key.

    The certificates remaining in your tempcertfile.crt will be in the following order: Server Certificate, Root Certificate, Intermediate Certificate. Depending on your PFX export, there could be between 2 and 4 separate certificates inside this one file.

    As long as you exported the certificates correctly, whatever you have is what you are supposed to have. Make sure the private key was removed (not just copied and pasted), and then go ahead and save this file as your_domain_name.pem.

  5. If you have access to log in to your DigiCert account, go ahead and log in, click your order number, and download the TrustedRoot.crt file.

    If you do not, go back into the tempcertfile.crt file and copy the second set of -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- tags, and all the coded text in between into a separate file. Call this file TrustedRoot.crt.

    You can make sure that you chose the right file by verifying that your TrustedRoot was issued to and by the same organization. Note: Because DigiCert frequently issues certificates cross-signed by multiple certification authorities for enhanced compatibility, your root certificate information could be different than what is shown in the image below.

  6. [Image: Root Cert Example]

  7. Next, create a trust certificate keystore.

    Run the next two lines as one command in keytool:
    keytool -import -trustcacerts -file TrustedRoot.crt -alias server
    -keystore new_trust_keystore.jks -storepass NEWPASSWORD

    You should enter your own password after -storepass in the above code.

  8. Next, create an identity certificate keystore. Run the following as one command:

    java utils.ImportPrivateKey -keystore new_identity_keystore.jks -storepass
    NEWPASSWORD -storetype JKS -keypass NEWPASSWORD -alias
    server -certfile tempcertfile.crt -keyfile your_domain_name.key
    -keyfilepass PFXPASSWORD

    Enter your own password for the -storepass and -keypass options above; the PFX password is the one that was set when your PFX file was created.

  9. You should now have two files, new_trust_keystore.jks and new_identity_keystore.jks. These files should be ready to be enabled for use with your Java-based server.
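The cut-and-paste work in steps 3 to 5 can be scripted. The Python below is an added example, not part of the original instructions: it splits tempcertfile.crt into the private key and the certificates, and picks the root by finding the certificate issued to and by the same name. It assumes the file still carries the subject= and issuer= lines that openssl pkcs12 prints above each certificate; the function names and the sample data are constructed for illustration.

```python
import os
import re

# Any PEM block (group 1 is its label), and the "subject="/"issuer=" lines printed above a certificate.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)
ATTR_LINE = re.compile(r"^(subject|issuer)\s*=\s*(.*?)\s*$", re.MULTILINE)

def split_bundle(text):
    """Split `openssl pkcs12 -nodes` output into (private_keys, certificates)."""
    keys, certs, prev_end = [], [], 0
    for m in PEM_BLOCK.finditer(text):
        attrs = dict(ATTR_LINE.findall(text[prev_end:m.start()]))
        prev_end = m.end()
        if m.group(1).endswith("PRIVATE KEY"):
            keys.append(m.group(0) + "\n")
        elif m.group(1) == "CERTIFICATE":
            certs.append({"pem": m.group(0) + "\n", **attrs})
    return keys, certs

def find_roots(certs):
    """Certificates issued to and by the same name (a name match, not a signature check)."""
    return [c for c in certs if c.get("subject") and c.get("subject") == c.get("issuer")]

def write_files(keys, certs, outdir, name="your_domain_name"):
    """Write <name>.key (owner-only, never overwritten), <name>.pem and TrustedRoot.crt."""
    roots = find_roots(certs)
    if len(keys) != 1 or len(roots) != 1:
        raise ValueError("expected exactly one private key and one self-issued certificate")
    fd = os.open(os.path.join(outdir, name + ".key"), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(keys[0])
    with open(os.path.join(outdir, name + ".pem"), "w") as fh:
        fh.writelines(c["pem"] for c in certs)  # certificates only, no key
    with open(os.path.join(outdir, "TrustedRoot.crt"), "w") as fh:
        fh.write(roots[0]["pem"])

# Constructed sample in the order the page describes; the Base64 bodies are placeholders.
def _cert(subject, issuer, body):
    return (f"Bag Attributes: <No Attributes>\nsubject={subject}\nissuer={issuer}\n"
            f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")

SAMPLE = ("Bag Attributes\n    localKeyID: 01 00 00 00\nKey Attributes: <No Attributes>\n"
          "-----BEGIN RSA PRIVATE KEY-----\nS0VZUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
          + _cert("CN=www.example.com", "CN=Example Intermediate CA", "U0VSVkVS")
          + _cert("CN=Example Root CA", "CN=Example Root CA", "Uk9PVA==")
          + _cert("CN=Example Intermediate CA", "CN=Example Root CA", "SU5URVJNRURJQVRF"))

if __name__ == "__main__":
    print([c["subject"] for c in find_roots(split_bundle(SAMPLE)[1])])
```

To use it on a real export, read tempcertfile.crt into a string and pass it to split_bundle, then pass the result to write_files along with an output directory.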
