Import PFX file into an existing JKS file (NOT converting from .pfx to .jks)

I have a Java web service and implemented X.509 using jks files generated by Java Keytool.

keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myservicekey -keypass skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost"

keytool -genkey -keyalg RSA -sigalg SHA1withRSA -validity 730 -alias myclientkey  -keypass ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser"


To establish trust between client and server, I import the server certificates to the client and client certificates to the server.

Import the server's public key (certs) to the client.

keytool -export -rfc -keystore clientKeystore.jks -storepass cspass -alias myclientkey -file MyClient.cer
keytool -import -trustcacerts -keystore serviceKeystore.jks -storepass sspass -alias myclientkey -file MyClient.cer -noprompt


Import the client's public key (certs) to the server

keytool -export -rfc -keystore serviceKeystore.jks -storepass sspass -alias myservicekey -file MyService.cer
keytool -import -trustcacerts -keystore clientKeystore.jks -storepass cspass -alias myservicekey -file MyService.cer -noprompt


Both the service and the client are written in Java and work fine. Now I have a .NET client, and I understand that if I give the same Java client certificates, i.e. clientKeystore.jks, to the .NET client it should work, but the .NET client is having problems.

The .NET client insisted on using the .pfx certificate it generated. How can I import the .pfx certificate into an existing .jks file?

The examples I've seen on the internet require me to create a new .jks file.

Thanks.

+3

1 answer


You can treat the file as a Java PKCS12 keystore. You can use all of the same keytool commands, except that you need to specify -storetype PKCS12, as the default is JKS. An example that works in JDK 1.6 and up:

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS




Also see this thread. I think this answers your question, but if you don't mind the suggestion, I would just export your existing JKS file as a P12 file and then give the P12 file to the .NET client. This will solve your problem if it really is a format issue. You can do this by following the steps below. If you still have problems, you should post the .NET client's exception, otherwise we cannot help you.

+12
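Putting the answer's -importkeystore command to work against a keystore that already holds an entry, as an added example that is not part of the question or the answer: the script builds a JKS like the question's clientKeystore.jks and a made-up stand-in for the .NET-generated .pfx, merges the .pfx entry into the existing JKS under a new alias, and verifies that both the old and the new alias are present. keytool must be on PATH; all file names, aliases and passwords are constructed for the demo, and the alias inside a real .pfx can be read first with `keytool -list -v -storetype PKCS12 -keystore file.pfx`.

```shell
#!/bin/sh
# Added example, not from the question or answer: merge a .pfx into an EXISTING
# JKS with keytool -importkeystore (JDK 6+), giving the imported entry a fresh
# alias so it cannot collide with what the JKS already holds. Names and
# passwords below are made up for the demo.

# build_import_cmd SRC_PFX SRC_PASS SRC_ALIAS DEST_JKS DEST_PASS DEST_ALIAS
# -destkeypass sets the imported key's password equal to the store password,
# which is what most Java TLS clients expect when reading a JKS.
build_import_cmd() {
  printf 'keytool -importkeystore -srckeystore %s -srcstoretype PKCS12 -srcstorepass %s -srcalias %s -destkeystore %s -deststoretype JKS -deststorepass %s -destalias %s -destkeypass %s -noprompt' \
    "$1" "$2" "$3" "$4" "$5" "$6" "$5"
}

# has_alias JKS PASS ALIAS: succeeds only if the alias exists in the keystore.
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# demo: create a JKS like the question's clientKeystore.jks and a stand-in for
# the .NET-generated .pfx, merge, then verify. Returns 2 if keytool is missing.
demo() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping"; return 2; }
  work=$(mktemp -d)
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 730 -alias myclientkey \
    -keypass ckpass -storepass cspass -storetype JKS \
    -keystore "$work/clientKeystore.jks" -dname "cn=clientuser" >/dev/null 2>&1
  # PKCS12 has a single password, so there is no separate -keypass here.
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 730 -alias dotnetclient \
    -storepass pfxpass -storetype PKCS12 \
    -keystore "$work/dotnet.pfx" -dname "cn=dotnetclient" >/dev/null 2>&1
  cmd=$(build_import_cmd "$work/dotnet.pfx" pfxpass dotnetclient \
    "$work/clientKeystore.jks" cspass dotnetclientkey)
  eval "$cmd" >/dev/null 2>&1
  # Both the original entry and the imported one must now be present.
  has_alias "$work/clientKeystore.jks" cspass myclientkey &&
    has_alias "$work/clientKeystore.jks" cspass dotnetclientkey
  status=$?
  rm -rf "$work"
  return $status
}

demo && echo "merged: clientKeystore.jks now holds myclientkey and dotnetclientkey"
```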