I recently had to use a PFX certificate for client authentication, and for that reason, I had to convert it to a Java keystore (JKS). In this post, we will learn how to create both a truststore and a keystore, because based on your needs, you might need one or the other. 

The difference between truststore and keystore, if you are not aware is, according to the JSSE ref guide:

TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.

KeyManager: Determines which authentication credentials to send to the remote host.

Next, all you need is OpenSSL and Java 7+! ###先决条件



First, let's generate a key from the PFX file; this key is later used for p12 keystore.

示例:openssl pkcs12 -in example.pfx -nocerts -out example.key


CD c:\OpenSSL-Win32\bin

openssl pkcs12 -in C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.pfx -nocerts -out C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.key

As shown here, you will be asked for the password of the PFX file. Later, you will be asked to enter a PEM passphase. Let's, for example, use 123456 for everything here.


The second command is almost the same, but it is about nokey and a crt this time:

示例:openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt

openssl pkcs12 -in C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.pfx -clcerts -nokeys -out C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt


Now, we have a key and and a crt file. The next step is to create a truststore, like so:

示例:keytool -import -file example.crt -alias exampleCA -keystore truststore.jks


c:\OpenSSL-Win32\bin>cd "C:\Program Files\Java\jdk1.7.0_79\bin"

C:\Program Files\Java\jdk1.7.0_79\bin>

keytool -import -file C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt -alias examplei-zhishiCA -keystore C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_truststore.jks

As you can see here, you just import this crt file into a JKS truststore and set the password. For the question: "Do you trust this certificate?" answer "yes," so it is then added in the truststore.

If you only need a truststore, you can stop here.


The last step is to create a keystore, like so:

示例:openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12

openssl pkcs12 -export -in C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt -inkey C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.key -certfile C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt -name "examplei-zhishiCert" -out C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_keystore.p12


This p12 keystore is enough in many cases. However, if you still need a JKS keystore, you need one additional command:

示例:keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Importing keystore keystore.p12 to keystore.jks...


c:\OpenSSL-Win32\bin>cd "C:\Program Files\Java\jdk1.7.0_79\bin"

C:\Program Files\Java\jdk1.7.0_79\bin>

keytool -importkeystore -srckeystore C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_keystore.p12 -srcstoretype pkcs12 -destkeystore C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_keystore.jks -deststoretype JKS

Importing keystore keystore.p12 to keystore.jks...

Entry for alias examplecert successfully imported.

Import command completed: 1 entries successfully imported, 0 entries failed or cancelled


The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

That is all folks! Hope this helps, and please feel free to leave any questions or comments.

ls //查看证书文件