Home/ Questions/Q 7411905
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T06:27:31+00:00

I am programatically loading a certificate into a default keystore with the following code

  • 0

I am programatically loading a certificate into a default keystore with the following code

KeyStore kStore = KeyStore.getInstance(KeyStore.getDefaultType());
java.io.FileInputStream fis = new FileInputStream(keystorePath);
kStore.load(fis, new String(keystorePass).toCharArray());
fis.close();

I have a certificate from a third party in pfx format. If I try to load it, it fails with invalid format.

If I update to use the following it works. But I don’t want to change the code. 

KeyStore keystore = KeyStore.getInstance("PKCS12");

How can I convert the pfx file to a format that will be accepted by the following

KeyStore kStore = KeyStore.getInstance(KeyStore.getDefaultType());
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Certificate stuff is never simple . You need openssl (the Cygwin version works on Windows) to convert the pfx / p12 file to a pem file, then you can create a certificate from the pem. Finally, you can use the Java keytool program to convert the certificate to JKS format (the KeyStore default).

    Convert the pfx to pem:

    openssl pkcs12 -in whatever.pfx -out whatever.pem -clcerts -nokeys

    Create an X509 certificate from the pem file:

    openssl x509 -in whatever.pem -inform PEM -out whatever.crt -outform DER

    Use Java’s keytool to create a JKS file from the cert:

    keytool -import -trustcacerts -keystore whatever.jks -storepass somepassword -noprompt -file whatever.crt -alias localhost

    Note the -alias can be whatever unique name you want to use for this cert. The convention is to use the URL of your web site.

    Now, you should be able to load the JKS file with the KeyStore instance in your code. Maybe it’s easier to just change your Java code to use a PKCS12 instance?

    • 0