Monday, February 11, 2008

Converting keystores between JKS and P12

Johan dug up these keytool commands, that works with JDK6 and onwards (not in JDK5 and earlier).

JKS → P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

P12 → JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

I recently retested the p12 to jks conversion on Java 7u79, converting a superadmin.p12 keystore from EJBCA to JKS. Still works!

If you need a CA software that can generate both JKS, P12 or PEM keystores directly so you don't have to convert. Take a look at EJBCA Community, or it's supported big brother EJBCA Enterprise.


BKS said...

THANK YOU for posting this.....I was having all kinds of weird issues and I eventually got my cert converted to P12 and then used your info to get my store created and working.


Saman said...

You are awesome!! Thank you!!

KuNjAn_11 said...

This is great, however what will be the alias of the JKS keystore converted from p12, can it be viewed from keytool -list command, if yes then what will be the password for alias ?

Thanks in advance!

tomas said...

try it out and you will probably get answers to your questions.

Jeryl Cook said...


Vish said...

Hi I'm Trying to convert a jks keystore to p12 keystore using the commmand given by you. I faced the following error:

Problem importing entry for alias Certificate: TrustedCertEntry not supported.

Would really appreciate your help.