I recently had to use a PFX certificate for client authentication, and for that reason, I had to convert it to a Java keystore (JKS). In this post, we will learn how to create both a truststore and a keystore, because based on your needs, you might need one or the other.
The difference between a truststore and a keystore, if you are not aware of it, is, according to the JSSE Reference Guide:
TrustManager: Determines whether the remote authentication credentials (and thus the connection) should be trusted.
KeyManager: Determines which authentication credentials to send to the remote host.
Next, all you need is OpenSSL and Java 7+!
### Prerequisites
1qaz@WSX
### 1. Generate the key file from the PFX
First, let's generate a key from the PFX file; this key is used later for the p12 keystore.
Example: openssl pkcs12 -in example.pfx -nocerts -out example.key
### Change to the OpenSSL directory
cd c:\OpenSSL-Win32\bin
openssl pkcs12 -in C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.pfx -nocerts -out C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.key
As shown here, you will be asked for the password of the PFX file. Later, you will be asked to enter a PEM passphrase. Let's, for example, use 123456 for everything here.
### 2. Generate the CRT file from the PFX
The second command is almost the same, but this time it uses -nokeys and writes a .crt file:
Example: openssl pkcs12 -in example.pfx -clcerts -nokeys -out example.crt
openssl pkcs12 -in C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.pfx -clcerts -nokeys -out C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt
### 3. Create truststore.jks from the CRT
Now we have a key and a crt file. The next step is to create a truststore, like so:
Example: keytool -import -file example.crt -alias exampleCA -keystore truststore.jks
### Change to the JDK directory
c:\OpenSSL-Win32\bin>cd "C:\Program Files\Java\jdk1.7.0_79\bin"
C:\Program Files\Java\jdk1.7.0_79\bin>
keytool -import -file C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt -alias examplei-zhishiCA -keystore C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_truststore.jks
As you can see here, you just import this crt file into a JKS truststore and set the password. To the question "Do you trust this certificate?" answer "yes", and the certificate is added to the truststore.
If you only need a truststore, you can stop here.
### 4. Create keystore.p12 from the crt/key/crt
The last step is to create a keystore, like so:
Example: openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12
openssl pkcs12 -export -in C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt -inkey C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.key -certfile C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103.crt -name "examplei-zhishiCert" -out C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_keystore.p12
### 5. Create keystore.jks from keystore.p12
This p12 keystore is enough in many cases. However, if you still need a JKS keystore, you need one additional command:
Example: keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Importing keystore keystore.p12 to keystore.jks...
### Change to the JDK directory
c:\OpenSSL-Win32\bin>cd "C:\Program Files\Java\jdk1.7.0_79\bin"
C:\Program Files\Java\jdk1.7.0_79\bin>
keytool -importkeystore -srckeystore C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_keystore.p12 -srcstoretype pkcs12 -destkeystore C:\OpenSSL-Win32\bin\JKS\i-zhishi_com\i-zhishi_com_20210103_keystore.jks -deststoretype JKS
Importing keystore keystore.p12 to keystore.jks...
Entry for alias examplecert successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
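The five steps above as one non-interactive script, added here as an example and not taken from the original post. It assumes openssl and keytool are on PATH, reads the PFX and store passwords from environment variables instead of prompting, and checks that the extracted key actually belongs to the certificate before building a keystore; the output file names, aliases and passwords are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): PFX -> key/crt/p12 -> JKS, non-interactive.
# Assumes openssl and keytool on PATH; output names, aliases and passwords are placeholders.
set -eu

# pfx_to_p12 PFX OUT_DIR ALIAS -- reads PFX_PASS and STORE_PASS from the environment
# (openssl "env:" and keytool ":env" modifiers), so no password shows up in the process list.
pfx_to_p12() {
    pfx=$1; out=$2; alias=$3
    mkdir -p "$out"; umask 077                      # key material: owner-readable only
    # Step 1: private key, kept encrypted on disk (deliberately no -nodes)
    openssl pkcs12 -in "$pfx" -nocerts -out "$out/example.key" \
        -passin env:PFX_PASS -passout env:STORE_PASS
    # Step 2: the client (leaf) certificate, and separately any CA chain the PFX carries
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$out/example.crt" -passin env:PFX_PASS
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$out/chain.crt"   -passin env:PFX_PASS
    # Key and certificate must share one public key, otherwise the keystore fails (or is
    # silently unusable) at TLS handshake time. Compare SHA-256 of the DER-encoded SPKI.
    k=$(openssl pkey -in "$out/example.key" -passin env:STORE_PASS -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$out/example.crt" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ] || { echo "private key does not match certificate" >&2; return 1; }
    # Step 4: PKCS#12 keystore. -certfile should carry the CA chain rather than the leaf
    # again, and is only passed when the PFX actually contained a chain.
    set --; [ -s "$out/chain.crt" ] && set -- -certfile "$out/chain.crt"
    openssl pkcs12 -export -in "$out/example.crt" -inkey "$out/example.key" "$@" \
        -name "$alias" -out "$out/keystore.p12" -passin env:STORE_PASS -passout env:STORE_PASS
}

# p12_to_jks OUT_DIR ALIAS -- steps 3 and 5 with keytool; STORE_PASS from the environment
p12_to_jks() {
    out=$1; alias=$2
    # Step 3: truststore. Trust the CA chain when there is one; only for a self-signed PFX
    # does the leaf itself go in. keytool -importcert reads the first certificate in the file.
    trust="$out/chain.crt"; [ -s "$trust" ] || trust="$out/example.crt"
    keytool -importcert -noprompt -file "$trust" -alias "${alias}CA" \
        -keystore "$out/truststore.jks" -storepass:env STORE_PASS
    # Step 5: JKS keystore from the p12, then confirm the private key entry really arrived
    keytool -importkeystore -noprompt -srckeystore "$out/keystore.p12" -srcstoretype pkcs12 \
        -srcstorepass:env STORE_PASS -destkeystore "$out/keystore.jks" -deststoretype JKS \
        -deststorepass:env STORE_PASS
    keytool -list -keystore "$out/keystore.jks" -storepass:env STORE_PASS \
        | grep -qi "^$alias,.*PrivateKeyEntry"
}
```

Run it as `PFX_PASS=... STORE_PASS=... sh convert.sh`, calling `pfx_to_p12 client.pfx out examplecert` and then `p12_to_jks out examplecert`; if you only need the truststore, stop after the first keytool command.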
That is all folks! Hope this helps, and please feel free to leave any questions or comments.
ls //list the certificate files
example.pfx
example.key
example.crt
keystore.p12
keystore.jks
truststore.jks