December 14, 2005

Creating a Java KeyStore (JKS) with an existing key

We are using a lot more SSL than we used to in e-lab because of the new super powerful and secure Single Sign On system. This means we need to programmatically access SSL keys and certificates from Java. If you just want to create a new key and use it in Java, you simply create a Java KeyStore with the keytool program. However, if you want to use a key and certificate that you already have, things are a little trickier: keytool has no option for importing an existing private key, so the key and certificate first have to be bundled into a PKCS12 file and then copied from there into a JKS.

I came up with this little unix shell script which should make life easier:

#!/bin/sh
# The post does not show how these four variables are set; taking them
# from the positional parameters is an assumption so the script runs as written.
host=$1; certFile=$2; keyFile=$3; storepass=$4

echo "Creating keystore for ${host}"
echo "Creating pkcs12 file from $certFile and $keyFile"
# pass:$storepass puts the password on the openssl command line, where it is
# visible to other users of the machine in the process list.
openssl pkcs12 -export -in $certFile -inkey $keyFile -out ${host}.pkcs12 \
    -name ${host} -passout pass:$storepass
java -classpath . KeystoreKeyImporter ${host}.pkcs12 $storepass ${host}.keystore $storepass
Basically you run the script with the host name, the certificate file, the key file and a store password (e.g. mypass).

It will look for the existing $certFile and $keyFile and turn them into ${host}.pkcs12, which is then imported into ${host}.keystore with the KeystoreKeyImporter Java program.

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class KeystoreKeyImporter {

    public static void main(String[] args) throws Exception {

        if (args.length < 4) {
            System.out.println("Usage: KeystoreKeyImporter <inputpkcs12.file> <inputpkcs12.pass>"
                    + " <outputkeystore.file> <outputkeystore.pass>");
            return;
        }

        String pkcs12Location = args[0];
        String pkcs12Password = args[1];

        String keystoreLocation = args[2];
        String keystorePassword = args[3];

        // The PKCS12 input is produced with:
        // openssl pkcs12 -export -in test.crt -inkey test.key.nopass
        //    -out test.pkcs12 -name test

        KeyStore kspkcs12 = KeyStore.getInstance("PKCS12");

        String alias = null;

        FileInputStream fis = new FileInputStream(pkcs12Location);
        kspkcs12.load(fis, pkcs12Password.toCharArray());
        fis.close();

        if (kspkcs12.aliases().hasMoreElements()) {
            System.out.println("Has keys!");
            // List every entry; note that only the last alias seen is imported below,
            // so a PKCS12 file created with a single -name is what this expects.
            Enumeration<String> aliases = kspkcs12.aliases();
            while (aliases.hasMoreElements()) {
                alias = aliases.nextElement();
                System.out.println("Alias:" + alias);
                Key key = kspkcs12.getKey(alias, pkcs12Password.toCharArray());
                if (key == null) {
                    System.out.println("No key found for alias: " + alias);
                } else {
                    System.out.println("Key:" + key.getFormat());
                }
                Certificate cert = kspkcs12.getCertificate(alias);
                if (cert == null) {
                    System.out.println("No certificate found for alias: " + alias);
                } else {
                    System.out.println("Cert:" + cert.getType());
                }
            }
        } else {
            System.out.println("No keys!");
            return;
        }

        // A freshly created KeyStore must be initialised (load with null) before
        // entries can be added, otherwise setKeyEntry throws KeyStoreException.
        KeyStore ksjks = KeyStore.getInstance("JKS");
        ksjks.load(null, null);

        Certificate[] c = kspkcs12.getCertificateChain(alias);
        Key key = kspkcs12.getKey(alias, pkcs12Password.toCharArray());
        if (key == null || c == null) {
            System.out.println("Alias " + alias + " has no private key with a certificate chain, nothing to import");
            return;
        }

        ksjks.setKeyEntry(alias, key, keystorePassword.toCharArray(), c);
        FileOutputStream fos = new FileOutputStream(keystoreLocation);
        ksjks.store(fos, keystorePassword.toCharArray());
        fos.close();

        System.out.println("Created " + keystoreLocation);
    }
}

You now have a nice JKS with your key and certificate in it.
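The same PEM to PKCS12 to JKS conversion as an added example, not the blog's own script: it uses keytool -importkeystore (available from Java 6 onwards) for the step that KeystoreKeyImporter does by hand, reads the password from an environment variable instead of passing it as pass:... on the command line, and adds two checks worth doing before trusting the result: that the private key really belongs to the certificate, and that the certificate stored in the JKS is the one you started with. It assumes openssl and keytool are on PATH; the host name, file names and the default password are constructed, and the self-signed key pair is generated only so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): PEM -> PKCS12 -> JKS with checks.
# Assumptions: openssl and keytool on PATH; all names/passwords below are constructed.
set -u

# Throwaway self-signed key and certificate so the example runs offline.
# In real use you already have these two files from your CA.
make_test_material() {
    host="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${host}" \
        -keyout "${host}.key" -out "${host}.crt" >/dev/null 2>&1
}

# Check 1: does the private key belong to the certificate? Compares the public
# key extracted from each side and prints "match" or "mismatch".
keypair_matches() {
    certFile="$1"; keyFile="$2"
    certPub=$(openssl x509 -in "$certFile" -noout -pubkey 2>/dev/null)
    keyPub=$(openssl pkey -in "$keyFile" -pubout 2>/dev/null)
    if [ -n "$certPub" ] && [ "$certPub" = "$keyPub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Step 1 of the post. The password comes from the exported STOREPASS variable
# (env:STOREPASS) rather than pass:..., so it is not visible in the process list.
pem_to_pkcs12() {
    host="$1"; certFile="$2"; keyFile="$3"
    openssl pkcs12 -export -in "$certFile" -inkey "$keyFile" \
        -out "${host}.pkcs12" -name "$host" -passout env:STOREPASS
}

# Step 2 of the post, done by keytool instead of the Java program.
# Returns 2 when keytool is not installed so callers can skip the JKS steps.
pkcs12_to_jks() {
    host="$1"
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping JKS import"; return 2; }
    keytool -importkeystore -noprompt \
        -srckeystore "${host}.pkcs12" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -destkeystore "${host}.keystore" -deststoretype JKS \
        -deststorepass:env STOREPASS -destkeypass:env STOREPASS >/dev/null 2>&1
}

# Check 2: the certificate that landed in the JKS is the one you started with.
# Compares the SHA-256 fingerprints reported by openssl and by keytool.
jks_cert_matches() {
    host="$1"
    pemFp=$(openssl x509 -in "${host}.crt" -noout -fingerprint -sha256 | sed 's/^.*=//')
    jksFp=$(keytool -list -v -keystore "${host}.keystore" -storepass:env STOREPASS 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1)
    if [ -n "$pemFp" ] && [ "$pemFp" = "$jksFp" ]; then echo match; else echo mismatch; fi
}

# Whole flow for one host, stopping at the first failed check.
convert_and_verify() {
    host="$1"
    export STOREPASS="${STOREPASS:-changeit}"   # constructed default password
    [ "$(keypair_matches "${host}.crt" "${host}.key")" = match ] || { echo "key/cert mismatch"; return 1; }
    pem_to_pkcs12 "$host" "${host}.crt" "${host}.key" || return 1
    pkcs12_to_jks "$host"; rc=$?
    [ "$rc" -eq 2 ] && return 0
    [ "$rc" -eq 0 ] || { echo "keytool import failed"; return 1; }
    [ "$(jks_cert_matches "$host")" = match ] || { echo "JKS certificate differs from ${host}.crt"; return 1; }
    echo "Created ${host}.keystore and verified it"
}

# Usage: sh jks_from_pem.sh <host>   (generates a throwaway key pair, then converts it)
if [ $# -ge 1 ]; then
    make_test_material "$1" && convert_and_verify "$1"
fi
```

For a real certificate, skip make_test_material and call convert_and_verify with your existing ${host}.crt and ${host}.key in place; the key/certificate check is the one that catches the common mistake of pairing a renewed certificate with last year's key, which openssl pkcs12 -export will otherwise happily bundle.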

2 comments

  1. Bastiaan

    Thanks for this site, I was struggling a bit to get an OpenSSL certificate into a Java keystore.

    The reason I needed to do this is because I'm working on Open Project Services, an open source project. I was wondering if I was allowed to copy your code and instructions to our documentation site. (link) OPS is released under the GNU GPL license.


    20 Jan 2006, 11:04

  2. No problem, copy away.

    24 Jan 2006, 10:55
