PKCS#12

How to convert certificate of Let’s encrypt to jks

 in GNU/Linux  tagged certificate / encryption / jks / Let's Encrypt / p12 / PKCS#12 by

To convert a Let’s Encrypt SSL certificate (issued as PEM files) into a Java Keystore (JKS), follow these steps:

Step-by-step guide:

Step 1: Get the files ready

After obtaining your certificate from Let’s Encrypt, you’ll typically have the following files:

  • cert.pem (your domain certificate)
  • privkey.pem (private key)
  • chain.pem (CA intermediate certificates)
  • fullchain.pem (combined certificate with intermediate)

Ensure these files are available on your machine.

Step 2: Combine your certificate and private key into PKCS12 format

Use OpenSSL to create a PKCS12 (.p12) file:

1
2
3
4
5
openssl pkcs12 -export \
  -in fullchain.pem \
  -inkey privkey.pem \
  -out certificate.p12 \
  -name your_alias

Replace your_alias with a meaningful alias, such as your domain name.

You’ll be asked to set a password. Remember this password, as you’ll need it to import into the keystore.

Step 3: Import PKCS12 file into JKS Keystore

Now, convert the PKCS12 file (certificate.p12) into a JKS keystore:

1
2
3
4
5
6
7
8
keytool -importkeystore \
  -deststorepass YOUR_KEYSTORE_PASSWORD \
  -destkeypass YOUR_KEYSTORE_PASSWORD \
  -destkeystore keystore.jks \
  -srckeystore certificate.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass YOUR_PKCS12_PASSWORD \
  -alias your_alias
  • Replace YOUR_KEYSTORE_PASSWORD with the password you want for your new Java keystore.
  • Replace YOUR_PKCS12_PASSWORD with the password you set when creating the .p12 file in Step 2.

Step 4: Verify your JKS Keystore

To ensure your certificate is correctly imported, use:

1
keytool -list -v -keystore keystore.jks

You should see your imported certificate details listed.

Step 5: Use your JKS Keystore

Now you can use keystore.jks in your Java application or server (like Tomcat, Jetty, Spring Boot applications, etc.).

Example configuration (Tomcat server.xml):

1
2
3
4
5
6
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="YOUR_KEYSTORE_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />

Replace paths/passwords with your details.

Important notes:

  • Store your keystore securely and protect the passwords.
  • Let’s Encrypt certificates expire every 90 days, so automate renewal and conversion into JKS if possible.

That’s it! Your Let’s Encrypt certificate is now in JKS format, ready for Java applications.

A sophisticated logo design for a Cypriot ethical hacker team, featuring a 3D metallic shield that incorporates the outline of Cyprus. Overlaid on the shield is a digital phoenix, symbolizing rebirth and resilience in the cybersecurity realm. The colors of the flag are present in the form of dynamic streaks across the shield. The team's name, 'Cyber Guardians CY', is embossed in bold, digital font along the lower part of the shield.

Create a PKCS#12 file that contains both the certificate and the private key

 in Firewall / GNU/Linux  tagged certificate / openssl / PEM / PKCS#12 by

In today’s world, security is a significant concern for everyone. Securing sensitive information such as passwords, certificates, and private keys is important. OpenSSL is a widely used tool for encrypting, decrypting, and managing digital certificates and keys. In this blog, we will explain the following command:

1
openssl pkcs12 -export -out certificate.p12 -in certificate.pem -inkey key.pem -passin pass:bytefreaks -passout pass:bytefreaks;

This command creates a PKCS#12 file containing the certificate and the private key. PKCS#12 (Public-Key Cryptography Standards #12) is a file format that stores cryptographic objects such as private keys, certificates, and intermediate certificates.

Let’s break down this command and explain what each option does:

1
openssl pkcs12

This is the OpenSSL command for PKCS#12.

1
-export

This option tells OpenSSL to export the certificate and private key.

1
-out certificate.p12

This option specifies the output file name and format. In this case, the output file will be named certificate.p12.

1
-in certificate.pem

This option specifies the input file name and format. In this case, the input file is the certificate file named certificate.pem.

1
-inkey key.pem

This option specifies the private key file name and format. In this case, the private key file is named key.pem.

1
-passin pass:bytefreaks

This option specifies the password to decrypt the private key. In this case, the password is “bytefreaks”.

1
-passout pass:bytefreaks

This option specifies the password to encrypt the PKCS#12 file. In this case, the password is “bytefreaks”

1
;

This symbol indicates the end of the command.

When you run this command, OpenSSL will prompt you to enter the password for the private key. Once you enter the correct password, OpenSSL will create a PKCS#12 file named certificate.p12 that contains both the certificate and the private key encrypted with the password “bytefreaks”.

In conclusion, the openssl pkcs12 -export -out certificate.p12 -in certificate.pem -inkey key.pem -passin pass:bytefreaks -passout pass:bytefreaks; command is used to create a PKCS#12 file that contains both the certificate and the private key. This file is encrypted with the password “bytefreaks” to ensure security.