How to convert a Let’s Encrypt certificate to JKS
To convert a Let’s Encrypt SSL certificate (issued as PEM files) into a Java Keystore (JKS), follow these steps:
Step-by-step guide:
Step 1: Get the files ready
After obtaining your certificate from Let’s Encrypt, you’ll typically have the following files:
- cert.pem (your domain certificate)
- privkey.pem (private key)
- chain.pem (CA intermediate certificates)
- fullchain.pem (combined certificate with intermediate)
Ensure these files are available on your machine.
Step 2: Combine your certificate and private key into PKCS12 format
Use OpenSSL to create a PKCS12 (.p12) file:
openssl pkcs12 -export \
-in fullchain.pem \
-inkey privkey.pem \
-out certificate.p12 \
-name your_alias
Replace your_alias with a meaningful alias, such as your domain name.
You’ll be asked to set a password. Remember this password, as you’ll need it to import into the keystore.
Step 3: Import PKCS12 file into JKS Keystore
Now, convert the PKCS12 file (certificate.p12) into a JKS keystore:
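# -deststoretype JKS is needed on JDK 9 and later, where keytool creates PKCS12 keystores by default
keytool -importkeystore \
-deststorepass YOUR_KEYSTORE_PASSWORD \
-destkeypass YOUR_KEYSTORE_PASSWORD \
-destkeystore keystore.jks \
-deststoretype JKS \
-srckeystore certificate.p12 \
-srcstoretype PKCS12 \
-srcstorepass YOUR_PKCS12_PASSWORD \
-alias your_alias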
- Replace YOUR_KEYSTORE_PASSWORD with the password you want for your new Java keystore.
- Replace YOUR_PKCS12_PASSWORD with the password you set when creating the .p12 file in Step 2.
Step 4: Verify your JKS Keystore
To ensure your certificate is correctly imported, use:
keytool -list -v -keystore keystore.jks
You should see your imported certificate details listed.
Step 5: Use your JKS Keystore
Now you can use keystore.jks in your Java application or server (like Tomcat, Jetty, Spring Boot applications, etc.).
Example configuration (Tomcat server.xml):
<Connector port="8443" protocol="HTTP/1.1"
SSLEnabled="true"
scheme="https" secure="true"
keystoreFile="/path/to/keystore.jks"
keystorePass="YOUR_KEYSTORE_PASSWORD"
clientAuth="false" sslProtocol="TLS" />
Replace paths/passwords with your details.
Important notes:
- Store your keystore securely and protect the passwords.
- Let’s Encrypt certificates expire every 90 days, so automate renewal and conversion into JKS if possible.
That’s it! Your Let’s Encrypt certificate is now in JKS format, ready for Java applications.
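For the renewal automation mentioned in the notes, here is an added example (not part of the original guide) that repeats Steps 2 and 3 as a script. It checks that privkey.pem matches fullchain.pem, reads the password from a file so it does not appear on the command line, and replaces the keystore in one step. The function names, the four-argument usage and the use of a single password for both the .p12 and the JKS are assumptions made for this example.

```sh
#!/bin/sh
# Added example: renewal-time PEM -> JKS conversion (not from the original guide).
# Assumed names: key_matches_cert, pem_to_jks, and the password-file argument.

# Succeeds only if the private key belongs to the first (leaf) certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_to_jks PEM_DIR OUT_JKS ALIAS PASSFILE  (PASSFILE: one line, mode 600, 6+ chars)
pem_to_jks() {
    live=$1 out=$2 name=$3 passfile=$4
    key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" || {
        echo "privkey.pem does not match fullchain.pem" >&2; return 1; }
    (
        umask 077                                  # new files: owner only
        tmp=$(mktemp -d "$(dirname "$out")/.jks.XXXXXX") || exit 1
        trap 'rm -rf "$tmp"' EXIT                  # drop the intermediate .p12
        openssl pkcs12 -export -in "$live/fullchain.pem" \
            -inkey "$live/privkey.pem" -name "$name" \
            -out "$tmp/cert.p12" -passout "file:$passfile" || exit 1
        keytool -importkeystore -noprompt \
            -srckeystore "$tmp/cert.p12" -srcstoretype PKCS12 \
            -srcstorepass:file "$passfile" -alias "$name" \
            -destkeystore "$tmp/new.jks" -deststoretype JKS \
            -deststorepass:file "$passfile" -destkeypass:file "$passfile" || exit 1
        mv -f "$tmp/new.jks" "$out"                # same directory, so a rename
    )
}

# Run the conversion when called with the four arguments shown above.
if [ "$#" -eq 4 ]; then pem_to_jks "$@"; fi
```

The Java server still has to reload or restart to pick up the new keystore.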