Create TrustStore & KeyStore Files From Certificate?

whaleyl
New Contributor III

I’ve been provided a PEM certificate in a .cer file format for connecting to an API by a third party, and I’m trying to convert it to the correctly formatted truststore and keystore .jks files so that I can create a REST SSL account.

Does anyone have any resources or instructions that clearly outline how to do this? I’ve unfortunately been unsuccessful using the keytool utility bundled with the JDK. I don’t personally have any experience doing this.

Thank you in advance.

1 ACCEPTED SOLUTION

whaleyl
New Contributor III

I have resolved this after doing some research, and now can authenticate to the target API using a REST SSL account. 😁

For anyone that may reference this down the line, below are the steps I took.

Some prerequisites:

  • Obtain a certificate and key, and determine the file types of each (mine were a .cer and .key, respectively)

  • Install OpenSSL (in my case it was installed previously via Git), and the latest JDK (I used v20)

Steps:

  1. Create a PKCS12 file (.p12) that combines your provided certification (in my case a .cer file as noted), and your private key (in my case a .key file) using the following command via OpenSSL (which I ran in Git Bash):
    openssl pkcs12 -export -out {{new file name}}.p12 -in {{your certificate}} -inkey {{your private key}} -passin pass:{{root cert password if applicable}} -passout pass:{{new password}}

  2. Create the keystore (.jks) using your newly created .p12 via the JDK Keytool utility (-deststoretype should be “JDK”):
    keytool -importkeystore -deststorepass {{new keystore password}} -destkeypass {{new key password}} -destkeystore {{new keystore name}}.jks -deststoretype JKS -srckeystore {{p12 file name}}.p12 -srcstoretype PKCS12 -srcstorepass {{p12 password}}

  3. Create the truststore (.jks) from your original certificate (.cer in my case) via the JDK Keytool utility (-storetype should be “JDK”):
    keytool -import -v -trustcacerts -keystore {{new keystore name}}.jks -storetype JKS -storepass {{keystore password}} -alias {{new entry alias}} -file {{your certificate}}

…and that’s it.

Hoping this helps someone in my position down the line.

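Added example, not part of the original post: checks to run around the three steps in the accepted solution, using only `openssl` and `keytool`. The function names, the file names and the `P12_PASS` / `STORE_PASS` environment variables are assumptions; inputs are assumed to be PEM with an unencrypted private key.

```bash
# Added example; function names, file names, P12_PASS and STORE_PASS are assumed.

# Succeed only if the private key ($2) belongs to the certificate ($1).
# Returns 2 when either file cannot be parsed, so two unreadable inputs
# are never reported as a match.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 1 with a pre-flight check. The password is read from the exported
# variable P12_PASS, so it is not passed as a command-line argument.
build_p12() {  # usage: build_p12 cert.pem key.pem out.p12
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS &&
    openssl pkcs12 -in "$3" -noout -passin env:P12_PASS   # re-read to confirm it opens
}

# After steps 2 and 3: list the entry types in a .jks (password from STORE_PASS).
# Expect PrivateKeyEntry in the keystore and only trustedCertEntry in the
# truststore. Assumes keytool prints English output.
store_entry_types() {  # usage: store_entry_types store.jks
  keytool -list -v -keystore "$1" -storepass:env STORE_PASS | grep 'Entry type:' | sort -u
}

# Constructed sample input: a throwaway self-signed certificate with its key,
# plus an unrelated key that must be rejected.
make_sample() {  # usage: make_sample dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/good.key" -out "$1/client.cer" 2>/dev/null &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}
```

A truststore that reports `PrivateKeyEntry` contains the private key and should not be handed to anyone who only needs to trust the certificate.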

3 REPLIES

Thank you for posting your solution.


Diane Miller

whaleyl
New Contributor III

Not a problem!