Converting a Windows keystore (PFX/PKCS12) to a Tomcat (JKS) Keystore

So, we’re looking to change over to Web Help Desk at work and we got a very handy OVA file for VMWare and got it up and running.

Let me start by saying: Web Help Desk is pretty slick.  Very full-featured, seems to be extensible, mobile friendly, email for creation/comment/take tickets.

I was initially looking at RT and even ZenDesk, but we went with Web Help Desk at the end of the day.

However, there is one part we got stuck at, and I’m still waiting to hear back from their support department: getting our certificate added to the web server to make it an SSL site.

For the life of them, they couldn’t figure out or find documentation on how to convert our wildcard PFX/PKCS12 certificate over to the Tomcat (JKS) keystore.  As I recall they said “Getting this done in Windows is very easy, but most people who do choose the Linux version already know how to do this.”  Well isn’t that marvelous.  We don’t.  Do you want us to buy your product or not?  We’re still waiting to hear back, but we figured it out.  Here’s the guide for you, just in case.

Reposted from JAMF Nation

  1. Get your certificate onto your server, into a temp folder (I used /tmp).
  2. Find where your keytool program is located (I used: find / -name "keytool").  keytool is installed as part of the Java SDK.
  3. Run your keytool with the following arguments:

    keytool -v -list -storetype pkcs12 \
        -keystore yourkeyfilename.extension

  4. Make note of the alias for the certificate (for me I think it was apache, but I’m not 100% certain after the fact).
  5. Now we need to use the keytool to actually do the conversion.

    keytool -importkeystore -srckeystore yourkeyfilename.extension \
        -srcstoretype pkcs12 -srcalias thealias -destkeystore newkeystorefile.jks \
        -deststoretype jks -deststorepass apassword -destalias tomcat

  6. Now place the certificate wherever you need it and you’re good to go!

Notes: You don’t need to supply a password.  I didn’t.  The destalias may have to be a specific value required by whatever program you’re plugging the keystore into; for me it was tomcat.  srcalias is the alias from step 4.
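The steps above, wrapped into a small POSIX shell script. This is an added example, not part of the original post or of Web Help Desk; it assumes keytool is reachable through JAVA_HOME or PATH, that the PFX holds exactly one private-key entry, and it takes the source and destination passwords as arguments (the keystore file and alias names shown in the usage comment are placeholders). It automates step 4 by reading the alias out of the keytool -v -list output instead of copying it by hand, refuses to overwrite an existing keystore, and locks down the resulting JKS file because it contains the private key.

```shell
#!/bin/sh
# Added example (not from the original post): PFX/PKCS12 -> JKS with keytool.
# Assumptions: keytool is at $JAVA_HOME/bin/keytool or on PATH; the PFX
# contains one PrivateKeyEntry; passwords are passed in as arguments.

# Locate keytool (replaces the `find / -name keytool` step).
find_keytool() {
    if [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/keytool" ]; then
        printf '%s\n' "$JAVA_HOME/bin/keytool"
    else
        command -v keytool
    fi
}

# Read `keytool -v -list` output on stdin and print the alias of the
# PrivateKeyEntry (step 4). Returns 1 if the store has no key entry,
# e.g. a PFX that only carries CA certificates.
parse_key_alias() {
    awk '
        /^Alias name:/ { sub(/^Alias name: */, ""); alias = $0 }
        /^Entry type: *PrivateKeyEntry/ { print alias; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of `keytool -v -list -storetype pkcs12` output, used
# only to demonstrate parse_key_alias offline.
SAMPLE_LIST_OUTPUT='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: apache
Creation date: Jan 1, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2'

demo_parse() {
    printf '%s\n' "$SAMPLE_LIST_OUTPUT" | parse_key_alias
}

# Step 5: convert_pfx_to_jks SRC.pfx SRCPASS DEST.jks DESTPASS [DESTALIAS]
# DESTALIAS defaults to "tomcat", the alias Tomcat looks for.
convert_pfx_to_jks() {
    src=$1; srcpass=$2; dest=$3; destpass=$4; destalias=${5:-tomcat}
    [ -r "$src" ] || { echo "source keystore not readable: $src" >&2; return 1; }
    [ -e "$dest" ] && { echo "refusing to overwrite existing $dest" >&2; return 1; }
    kt=$(find_keytool) || { echo "keytool not found" >&2; return 1; }

    # Steps 3-4: list the PKCS12 store and pick the private-key alias.
    srcalias=$("$kt" -v -list -storetype pkcs12 -keystore "$src" \
                   -storepass "$srcpass" | parse_key_alias) \
        || { echo "no private key entry found in $src" >&2; return 1; }

    # Step 5: import that single entry into a fresh JKS under the new alias.
    # The key password is set equal to the store password because Tomcat
    # uses the keystore password for the key unless keyPass is configured.
    "$kt" -importkeystore -srckeystore "$src" -srcstoretype pkcs12 \
        -srcstorepass "$srcpass" -srcalias "$srcalias" \
        -destkeystore "$dest" -deststoretype jks \
        -deststorepass "$destpass" -destkeypass "$destpass" \
        -destalias "$destalias" -noprompt || return 1

    # The JKS now holds the private key: owner read/write only.
    chmod 600 "$dest"
    echo "imported alias '$srcalias' as '$destalias' into $dest"
}

# Usage (placeholder paths):
#   convert_pfx_to_jks /tmp/wildcard.pfx 'pfxpassword' \
#       /path/to/newkeystore.jks 'jkspassword' tomcat
```

After the conversion, a `keytool -list -keystore newkeystore.jks` should show exactly one PrivateKeyEntry under the tomcat alias; the 600 mode is worth keeping when the file is moved into place for step 6, readable by the account the web server runs as and nobody else.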

Thanks to Nick Koval (nkoval) for the fix.
