Create a Java keystore from a p12 file

You will need a keystore to sign jars. In my case I was given a p12 file from my Certificate Authority. It took a while but I finally found how to make a keystore from my p12.

You don’t need a keystore to exist to import a p12:

> keytool -v -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Now the keystore will have the contents of the p12, which is the certificate and the key.

Sources:
http://www.webfarmr.eu/2010/04/import-pkcs12-private-keys-into-jks-keystores-using-java-keytool/
http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

5 thoughts on “Create a Java keystore from a p12 file

  1. Pingback: How to sign a jar | Michael Ozeryansky

  2. Pingback: Finding an imported certificate’s alias in a java keystore | Michael Ozeryansky

  3. Pingback: Java 7.51 – Applets must be signed | Michael Ozeryansky

  4. Minh

    I’m facing the following error when I try to make a keystore from my p12 file:
    keytool -v -importkeystore -srckeystore mBankingApp.p12 -srcstoretype PKCS12 -destkeystore mBanking.jks -deststoretype JKS
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:

    keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
    at sun.security.util.DerValue.init(DerValue.java:365)
    at sun.security.util.DerValue.(DerValue.java:320)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1872)
    at java.security.KeyStore.load(KeyStore.java:1433)
    at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:1894)
    at sun.security.tools.keytool.Main.doImportKeyStore(Main.java:1932)
    at sun.security.tools.keytool.Main.doCommands(Main.java:1021)
    at sun.security.tools.keytool.Main.run(Main.java:340)
    at sun.security.tools.keytool.Main.main(Main.java:333)

    Please help me to fix this error.
    Thank you a lot.

    Reply
  5. Michael Post author

    I don’t know the solution but I found a few resources online
    + http://www-01.ibm.com/support/docview.wss?uid=swg21303472
    + http://mail-archives.apache.org/mod_mbox/tomcat-users/200305.mbox/%3C4.3.2.7.2.20030504095807.00b47f60@wells.cisco.com%3E
    + http://stackoverflow.com/questions/23126282/java-apns-certificate-error-with-derinputstream-getlength-lengthtag-109-too

    From what I can tell from these above discussions, the format of your certificate is different. It seems you should use “P12” instead of “JKS”, then maybe try following one of the above suggestions. Best of luck.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *