Matthew Ahrenstein bio photo

Matthew Ahrenstein

Security Focused SRE for an amazing company, hiker, amateur radio operator, target shooter, developer, and cryptocurrency enthusiast.

Author's Website Author's Twitter Author's LinkedIn Author's Github Author's Author's GPG Key

I recently had to configure a server that uses a Java KeyStore for SSL certificate information. The issue was importing existing keys, and certs. After spending too much time on this, I’m writing a post about it so I never have to look for this info again. Hopefully this is helpful to others as well.

Step 1: Add a password to your SSL key:

The SSL key requires a password in order for Java Keytool to import it:

1) openssl rsa -des3 -in -out

Step 2: Create an All-In-One PEM file

We need a single file that contains the SSL key, SSL Cert, and CABundle (in that order) for the conversion to PKCS12

1) cat > aio.pem

Step 3: Convert the All-In-One PEM file to PKCS12

Java needs PKCS12 as a source to import into JKS KeyStores. The following command will convert the aio.pem to a PKCS12

1) openssl pkcs12 -export -out aio.pkcs12 -in aio.pem

Step 4: Create a Java KeyStore from your PKCS12 KeyStore

Now we create a Java KeyStore from the PKCS12 KeyStore. Note: The KeyStore password you create must be the same as the SSL key’s password from Step 1. Also the last destination KeyStore must not already exist.

1) keytool -v -importkeystore -srckeystore aio.pkcs12 -srcstoretype PKCS12 -destkeystore route1337JavaSite.jks

That’s it. You now have a Java KeyStore that contains SSL information that was already on hand.