Generate Jks File From Crt And Key Using Keytool

Import

Java Keytool is a command line utility which can be used to generate keystores and then we can export keys and self signed public certificates from it with different command options provided by Java Key Tool. In this step by step Java Keytool tutorial, I will explain how to create a key store using Java Keytool and then how to export public certificate from JKS file using Java Keytool.

Openssl pkcs12 -export -in mycert.crt -inkey myprivate.key -certfile mycert.crt -name 'mytomcat' -out mykeystore.p12. Next, use the keytool command to create the jks file: keytool -importkeystore -srckeystore mykeystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS. Keytool -list -v -keystore keystore.jks. If you are generating this for ThinkFree Office there is one more step. Go to the System tab Https Certification. Next to KeyStore (JKS) File click Browse and select the keystore.jks file we just created. (Use keytool -list to see the contents of the keystore.) Make sure the certificate category is set to Identity. Upload the client certificate file in JKS format. Enter the keystore and key passwords used to create the JKS store. While we create a Java keystore, we will first create the.jks file that will initially only contain the private key using the keytool utility. 1 keytool -genkey -keystore keystore.jks -alias ssl. Topic - (1) Using keytool to generate a public-private key pair. The first step in configuring a VT Display session for SSH client authentication using a public key is to use the keytool program to generate a public-private key pair. Keytool is a multipurpose utility program, included in the Java 2 Version 1.4 JRE and distributed with Host On-Demand, for managing keys.

Java Keytool is a command line utility which is available as part of JDK installation and is available in the bin folder of your JDK installation. Java Key tool is used to create self signed certificates. This tool provides different options including generation of keystores, exporting private keys and public certificates from keystores and also importing certificates in the keystore.

If you prefer to watch all the steps in a video format, you can watch below video on TutorialsPedia YouTube Channel explaining step by step process to generate keystore using Java KeyTool and exporting Public Certificate from Keystore file.

Generate jks file from crt and key using keytool

If you prefer going through all the steps of JKS Tutorial in Text format, continue reading below.

Now we will proceed with step by step tuorial for creating Keystore and exporting public certificate from it using Java Keytool.

Java Keytool Tutorial Step 1: Create JKS File using Java KeyTool

To crate a keystore in JKS format, we will use keytool with genkey options as below where we specify alias, algorithm to be used and also name of the keystore file along with its location where it needs to be saved.

keytool -genkey -alias tutorialspedia -keyalg RSA -keystore “C:testtutorialspedia.jks”

Convert

You will be prompted fro the keystore password. You can provide any password with minimum length of 6 characters. You will be asked to enter password twice and then you will be prompted to provide various information including first & last name, name of organization unit, organization name, name of city, state and country and then you will be asked to confirm all provided details if everything is correct. If you want to have different password for key than the keystore password, you can provide a different password otherwise you can press enter and same password will be used for keystore and key file.

As you can see in the screenshot below, we have successfully created a keystore file in JKS format in our provided location.

Java KeyTool Tutorial Step 2: Export Public Certificate from JKS Keystore File

From our generated kestore, we can export public certificate in .cer format using below command:

keytool -export -alias tutorialspedia -file “C:testtutorialspedia_public_cert.cer” -keystore “C:testtutorialspedia.jks”

The above command will export public certificate in a file with the name as specified in -file option. When running above command you will be prompted to provide keystore password and then file will get created containing your public certificate as you can see in screenshot below:

If you want to learn how you can create self signed certificates using Portecle GUI tool, refer to the below Tutorial:

Alternatively, you can also look into another tutorial I wrote about how to generate self signed certificates, keys and CSR using openSSL.

The following article is for users using the Apache Tomcat server, signing Java applications, and working with Java keystrokes in general.

Notice: Creating a CSR for Code Signing is the same as for a server certificate. Common name is then the name of your organization.

Create a keystore and key pair

This command creates a new keystore and key pair that you use to create the certificate request. keytool -genkey -alias test -keyalg RSA -keystore test.jks -keysize 2048 You will then be prompted to enter the keystore password and specify it. The entered data will match those in the CSR:

What is your first and last name?
[Unknown]: Test Test
What is the name of your organizational unit?
[Unknown]: Unit
What is the name of your organization?
[Unknown]: Test corp.
What is the name of your City or Locality?
[Unknown]: Some City
What is the name of your State or Province?
[Unknown]: Some State
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Test Test, OU=Unit, O=Test corp., L=Some City, ST=Some State, C=US correct?
[no]: yes

Create a CSR

To create a CSR, use the following command:
keytool -certreq -alias test -keystore test.jks -file test.csr You entered the requester details when you created the key pair in the previous step, so the keytool no longer asks for them.

The -file test.csr parameter is used to output the CSR to a file. If you omit it, the CSR will be displayed in the terminal and you can copy it directly to our order. Then just wait for the certificate to be issued.

Import issued certificate into keystore

You will receive an issued certificate from SSLmarket by e-mail and must be sent to the keystore.

Keystore requires that the certificate be trusted and the issuing authority is already present in the keystore when importing certificates. This means that certificates are imported in 'reverse order' - from root to server.

Import:
keytool -import -trustcacerts -alias test -file test.txt -keystore test.jks

Error: Failed to establish chain from reply

The previously requested CA import to the keystore causes a frequent keytool error: java.lang.Exception: Failed to establish chain from reply error. An error means that there is no issuing CA/intermediate certificate in the keystore.

Keytool Jks Command

To fix this:

  • 1) import in reverse order - CA certificates first: keytool -import -trustcacerts -alias root -file intermediate.crt -keystore test.jks
  • 2) or by importing the certificate in PKCS#7 (P7B) format. Convert the linux_cert+ca.pem file you received from SSLmarket to P7B with the following command: openssl crl2pkcs7 -nocrl -certfile-linux_cert+ca.pem -out linux_cert+ca.p7b and then import this file into the keystore:
    keytool -import -trustcacerts -alias test -file linux_cert+ca.p7b -keystore test.jks The result Certificate reply was installed in keystore means successful import, while error Public keys in reply and keystore do not match means that there is no certificate for the domain in the P7B file (server, endpoint), but only intermediate.

  • 3) eventually by importing a certificate in PKCS # 12 (PFX) format in which everything is together: keytool -importkeystore -srckeystore pkcs12file.p11 -srcstoretype pkcs12 -destkeystore test.jks -deststoretype JKS Importing with PKCS#12 is the fastest, but if you were doing CSR directly in the keystore, it is unnecessary (requires its export).

GUI Tools

If you don't want to work with a keystore using a command line or terminal, you can use one of the few GUI tools.

Both of these programs can create or open a keystore file, create a CSR, and import a reissued certificate (response from a CA). The procedure is the same as that for the terminal above; the difference is the graphical environment in which you can do it.

Portecle

Portecle is a free Java program that allows you to manage a keystore in a graphical environment. You can run it on different platforms (Linux, MacOS, Windows).

KeyStore Explorer

Convert Jks To Pem Keytool

Generate Jks File From Crt And Key Using Keytool

KeyStore Explorer works similarly to the previous program and is also cross-platform.

Keytool Import Crt

However, the logic of both programs is similar to the original keystore; as a result, it may not save you much.