SSL Series - Table of Contents
Part 1 : Easy Guide to SSL - All the terms you need to know
Part 2 : Convert PKCS#12 to JKS and PEM to JKS format - [This article]
Part 3 : Two way SSL/Mutual Authentication - How to use client certificate in Postman and SOAP UI
There are lots of articles on converting from PKCS#12 to PEM or extracting artifacts from PEM, but most of them do not work properly or are missing some information. We are going to present working commands along with all the missing or undocumented information.
If you are new to these formats or want to brush up your knowledge of the terms, refer to Easy Guide to SSL - All the terms you need to know.
As said earlier, we will convert real files rather than just list commands. In this article, we will use sample files from www.badssl.com. Before we proceed further, we want to thank this website for all the very useful material they have put together; you can do all kinds of certificate-related testing against it.
Alright, let's get our hands dirty. First, download the p12 and pem files from here.
Remember!
It's very important to know that on Windows the openssl tool is not available by default, so we will use the Git Bash command line. Git Bash comes with openssl, which makes our life easier.
PKCS#12 to JKS
1. Retrieve Alias name from the store
This is required: if you provide a wrong alias name, keytool will fail with an exception saying the alias does not exist.
keytool -v -list -storetype pkcs12 -keystore badssl.com-client.p12 | grep Alias
Output:
$ keytool -v -list -storetype pkcs12 -keystore badssl.com-client.p12 | grep Alias
Enter keystore password: badssl.com
Alias name: 1
2. Convert to JKS format
keytool -importkeystore -srckeystore badssl.com-client.p12 -destkeystore badssl.com-client-jks.jks -srcstoretype pkcs12 -alias 1
This will create a file named badssl.com-client-jks.jks (the name given to -destkeystore). However, this is in Java's proprietary JKS format, and it is recommended to always convert into PKCS#12 format. To do so, issue the command below:
keytool -importkeystore -srckeystore badssl.com-client-jks.jks -destkeystore badssl.com-client-p12.jks -deststoretype pkcs12
Output:
$ keytool -importkeystore -srckeystore badssl.com-client-jks.jks -destkeystore badssl.com-client-p12.jks -deststoretype pkcs12
Importing keystore badssl.com-client-jks.jks to badssl.com-client-p12.jks...
Enter destination keystore password: badssl.com
Re-enter new password: badssl.com
Enter source keystore password: badssl.com
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
PEM to JKS
1. Extract Private Key from PEM file
winpty openssl pkey -in badssl.com-client.pem -out private-key.pem
Remember!
Observe the winpty command at the beginning. This is very important on Windows; without it, openssl will hang, waiting indefinitely for input.
Output:
$ winpty openssl pkey -in badssl.com-client.pem -out private-key.pem
Enter pass phrase for badssl.com-client.pem:
2. Extract Certificate from PEM file
winpty openssl x509 -in badssl.com-client.pem -out certificate.crt
Output:
$ winpty openssl x509 -in badssl.com-client.pem -out certificate.crt
$
Remember!
If you included -outform der in the above command, like
winpty openssl x509 -outform der -in badssl.com-client.pem -out certificate.crt
then you will see an error message (unable to load certificate) when using or converting this certificate, because the file is now DER-encoded while the following commands expect PEM. To fix this, convert it back to PEM with this additional command:
openssl x509 -inform DER -in certificate.crt -out certificate-1.crt
3. Convert Private Key and Certificate into a single PKCS#12 file
Now that we have the certificate and private key, let's combine the two into a single file protected by a password.
winpty openssl pkcs12 -export -in certificate.crt -inkey private-key.pem -name shared -out cert-and-key.p12
Output:
$ winpty openssl pkcs12 -export -in certificate.crt -inkey private-key.pem -name shared -out cert-and-key.p12
Enter Export Password:
Verifying - Enter Export Password:
$
Remember!
If you have a chain of certificates, use the command below instead (the -name value becomes the alias you import under):
winpty openssl pkcs12 -export -inkey private-key.pem -in certificate.crt -certfile chain_of_certificates.pem -name shared -out certs-and-key.p12
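The PEM steps above (normalize the certificate, then package key and certificate under an alias) as one script. This is an added example, not code from the original article; it assumes openssl is on PATH, builds its own test certificate in the test, and adds the check a practitioner wants before exporting: that the private key actually belongs to the certificate.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Builds a PKCS#12 store from a
# PEM key and certificate as in step 3, but first checks that the key really
# belongs to the certificate, and accepts a DER certificate (the -outform der
# pitfall from step 2) by re-encoding it to PEM. Assumes openssl is on PATH;
# on Windows/Git Bash, prefix the openssl calls with winpty as the article does.
set -eu

# Write $1 to $2 as a PEM certificate, whether $1 is PEM or DER encoded.
normalize_cert() {
  openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Succeed only if the private key's public half equals the certificate's.
# Comparing SHA-256 digests of the DER public keys works for RSA and EC alike.
key_matches_cert() {
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout |
    openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# make_p12 KEY CERT ALIAS PASSWORD OUT: package KEY and CERT under ALIAS.
# The -name value becomes the friendlyName, i.e. the alias keytool sees.
make_p12() {
  local pem; pem=$(mktemp)
  normalize_cert "$2" "$pem"
  if ! key_matches_cert "$1" "$pem"; then
    echo "refusing to export: private key does not match certificate" >&2
    rm -f "$pem"; return 1
  fi
  openssl pkcs12 -export -in "$pem" -inkey "$1" -name "$3" \
    -passout "pass:$4" -out "$5"
  rm -f "$pem"
}

# List the aliases (friendlyName attributes) in a PKCS#12 file: the openssl
# equivalent of "keytool -v -list ... | grep Alias" from step 1.
p12_aliases() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    sed -n 's/^ *friendlyName: //p' | sort -u
}
```

Call make_p12 with the key, the certificate (PEM or DER), the alias, the export password and the output path; p12_aliases on the result shows the alias keytool will ask for.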
4. Import PKCS#12 file into JKS
keytool -importkeystore -srckeystore cert-and-key.p12 -destkeystore badssl.com-client-pem.jks -srcstoretype pkcs12 -deststoretype pkcs12 -alias shared
Note that -deststoretype pkcs12 makes the destination a PKCS#12 store despite the .jks extension (the same recommendation as in step 2 of the PKCS#12 section); leave that option out if you need a real JKS file.
Output:
$ keytool -importkeystore -srckeystore cert-and-key.p12 -destkeystore badssl.com-client-pem.jks -srcstoretype pkcs12 -deststoretype pkcs12 -alias shared
Importing keystore cert-and-key.p12 to badssl.com-client-pem.jks...
Enter destination keystore password: badssl.com
Re-enter new password: badssl.com
Enter source keystore password: badssl.com
$
Now that we have created JKS stores from the PKCS#12 and PEM files, we will use them in our next article to configure and test TLS mutual authentication, also called two-way SSL.
That's all folks!! Happy coding. If you feel this helped you, keep supporting us by sharing the articles on social media.