How to convert certificate of Let’s encrypt to jks

Tux

2 months ago

To convert a Let’s Encrypt SSL certificate (issued as PEM files) into a Java Keystore (JKS), follow these steps:

Step-by-step guide:

Step 1: Get the files ready

After obtaining your certificate from Let’s Encrypt, you’ll typically have the following files:

cert.pem (your domain certificate)
privkey.pem (private key)
chain.pem (CA intermediate certificates)
fullchain.pem (combined certificate with intermediate)

Ensure these files are available on your machine.

Step 2: Combine your certificate and private key into PKCS12 format

Use OpenSSL to create a PKCS12 (.p12) file:

openssl pkcs12 -export \
  -in fullchain.pem \
  -inkey privkey.pem \
  -out certificate.p12 \
  -name your_alias

Replace your_alias with a meaningful alias, such as your domain name.

You’ll be asked to set a password. Remember this password, as you’ll need it to import into the keystore.

Step 3: Import PKCS12 file into JKS Keystore

Now, convert the PKCS12 file (certificate.p12) into a JKS keystore:

keytool -importkeystore \
  -deststorepass YOUR_KEYSTORE_PASSWORD \
  -destkeypass YOUR_KEYSTORE_PASSWORD \
  -destkeystore keystore.jks \
  -srckeystore certificate.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass YOUR_PKCS12_PASSWORD \
  -alias your_alias

Replace YOUR_KEYSTORE_PASSWORD with the password you want for your new Java keystore.
Replace YOUR_PKCS12_PASSWORD with the password you set when creating the .p12 file in Step 2.

Step 4: Verify your JKS Keystore

To ensure your certificate is correctly imported, use:

keytool -list -v -keystore keystore.jks

You should see your imported certificate details listed.

Step 5: Use your JKS Keystore

Now you can use keystore.jks in your Java application or server (like Tomcat, Jetty, Spring Boot applications, etc.).

Example configuration (Tomcat server.xml):

&lt;Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="YOUR_KEYSTORE_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />

Replace paths/passwords with your details.

Important notes:

Store your keystore securely and protect the passwords.
Let’s Encrypt certificates expire every 90 days, so automate renewal and conversion into JKS if possible.

That’s it! Your Let’s Encrypt certificate is now in JKS format, ready for Java applications.

This post is also available in: Greek