How to Convert Certificates and Keystore Types using OpenSSL and Keytool

Certificates and keystores play an essential role in securing communication in web applications, servers, and Java-based environments. Whether you’re handling SSL/TLS certificates for a web server or managing Java keystores, conversions between different formats are often required. This guide will show you how to convert certificates and keystore types using popular tools like OpenSSL and Keytool.

Prerequisites

Before we begin, ensure you have the following installed on your system:

  • OpenSSL: A powerful command-line tool for working with SSL/TLS certificates and conversions.
  • Keytool: A utility provided with the Java Development Kit (JDK) for managing certificates and keystores.
  • Basic understanding of certificates (PEM, DER, PKCS12, etc.) and keystores (JKS, PKCS12).

Common Certificate and Keystore Formats

Before diving into the commands, it’s essential to understand the key formats and types you’ll encounter:

  • PEM (.pem): Base64-encoded text format wrapped in BEGIN/END markers, common on Linux and most web servers; one file can hold a certificate, a private key, or a whole chain.
  • DER (.der): Binary (ASN.1 DER) encoding of a single certificate or key, commonly used with Windows and Java tools.
  • PKCS12 (.pfx, .p12): Binary, password-protected container that stores a private key together with its certificate chain.
  • JKS (.jks): Java KeyStore, the proprietary format long used by Java-based applications for storing keys and certificates (recent JDKs default to PKCS12 instead).

1. Convert PEM to DER Format (OpenSSL)

PEM is a common format for certificates, but some applications require DER format. Here’s how to convert PEM to DER using OpenSSL:

openssl x509 -in certificate.pem -outform der -out certificate.der

Explanation:

  • certificate.pem: The input certificate in PEM format.
  • certificate.der: The output certificate in DER format.

2. Convert DER to PEM Format (OpenSSL)

To convert a DER-formatted certificate back to PEM:

openssl x509 -in certificate.der -inform der -out certificate.pem -outform pem

Explanation:

  • -inform der: Specifies the input format as DER.
  • -outform pem: Specifies the output format as PEM.

3. Convert PKCS12 (.pfx or .p12) to PEM (OpenSSL)

You may need to extract the private key and certificate from a PKCS12 (PFX/P12) keystore. Here’s how to convert a .p12 file into PEM format:

openssl pkcs12 -in keystore.p12 -out keystore.pem -nodes

Explanation:

  • keystore.p12: The input PKCS12 keystore.
  • -nodes: Leaves the private key unencrypted in the output file, so restrict that file's permissions.
  • keystore.pem: The resulting PEM file containing the private key and certificates.

4. Extract Private Key and Certificate from PKCS12 (OpenSSL)

To extract the private key and certificate separately:

Private Key:

openssl pkcs12 -in keystore.p12 -nocerts -out private.key -nodes

Certificate:

openssl pkcs12 -in keystore.p12 -clcerts -nokeys -out certificate.crt

Explanation:

  • -nocerts: Extracts only the private key.
  • -clcerts: Extracts only the end-entity (client) certificate, not the CA chain.
  • -nodes: Keeps the private key unencrypted.

5. Convert PEM to PKCS12 (OpenSSL)

If you need to create a PKCS12 keystore from a PEM file (e.g., to import into a Windows server or Java keystore):

openssl pkcs12 -export -out keystore.p12 -inkey private.key -in certificate.crt -certfile ca_bundle.crt

Explanation:

  • -export: Creates a PKCS12 file from the inputs (without it, openssl pkcs12 parses an existing one).
  • private.key: The private key in PEM format.
  • certificate.crt: The certificate in PEM format.
  • ca_bundle.crt: (Optional) A bundle of intermediate/CA certificates to include as the chain.
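The two checks a practitioner wants after sections 1, 2, 4 and 5, as an added example that is not part of the original post: that a PEM certificate and private key really belong together, and that a PEM to DER to PEM round trip leaves the certificate unchanged. It assumes only openssl on PATH; the test material is a throwaway self-signed certificate with a placeholder CN, generated inline.

```shell
#!/bin/sh
# Added example (not from the original post): keypair_matches checks that a PEM certificate
# and PEM private key belong together; roundtrip_ok checks that PEM -> DER -> PEM (sections
# 1 and 2) leaves the certificate intact. Both compare SHA-256 fingerprints, not encodings.

# SHA-256 over the DER-encoded public key (SubjectPublicKeyInfo) inside a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}
# The same fingerprint derived from a private key; equal values mean the pair matches.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform der | openssl dgst -sha256 -r | cut -d' ' -f1
}
# SHA-256 fingerprint of the certificate itself; $2 is its encoding (pem or der).
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

keypair_matches() {   # $1 = certificate (PEM), $2 = private key (PEM)
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

roundtrip_ok() {      # $1 = certificate (PEM)
    tmp=$(mktemp -d)
    openssl x509 -in "$1" -outform der -out "$tmp/cert.der"
    openssl x509 -in "$tmp/cert.der" -inform der -out "$tmp/cert.pem" -outform pem
    before=$(cert_fp "$1" pem); after=$(cert_fp "$tmp/cert.pem" pem)
    rm -rf "$tmp"
    [ "$before" = "$after" ]
}

# Constructed test material: a throwaway self-signed certificate with its key, plus an
# unrelated key so the mismatch case can be exercised. The CN is a placeholder.
make_test_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.pem" 2>/dev/null
    echo "$dir"
}

demo() {   # run the three checks against the constructed material
    d=$(make_test_material)
    keypair_matches "$d/cert.pem" "$d/key.pem"   && echo "cert/key: match"
    keypair_matches "$d/cert.pem" "$d/other.pem" || echo "cert/other key: mismatch (expected)"
    roundtrip_ok "$d/cert.pem" && echo "PEM->DER->PEM: fingerprint unchanged"
    rm -rf "$d"
}
```

Source the file and call demo, or point keypair_matches at a real certificate and key before building a PKCS12 from them.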

6. Convert JKS to PKCS12 (Keytool)

To convert a Java Keystore (JKS) to PKCS12, use the Keytool utility:

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12

Explanation:

  • keystore.jks: The input JKS keystore.
  • keystore.p12: The output PKCS12 keystore.
  • -deststoretype PKCS12: Specifies the destination format as PKCS12.

7. Convert PKCS12 to JKS (Keytool)

You can also convert a PKCS12 keystore back to JKS using Keytool:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Explanation:

  • keystore.p12: The input PKCS12 keystore.
  • keystore.jks: The output JKS keystore.
  • -srcstoretype PKCS12: Specifies the source keystore type.

8. Export a Certificate from JKS (Keytool)

You may need to export a certificate from a Java Keystore:

keytool -exportcert -alias myalias -file certificate.crt -keystore keystore.jks

Explanation:

  • myalias: The alias of the certificate within the keystore.
  • certificate.crt: The output certificate (DER-encoded by default; add -rfc to get PEM).
  • keystore.jks: The source keystore.
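Chaining sections 5, 7 and 8 into one check, as an added example that is not part of the original post: the key and certificate go into a PKCS12 file, that file becomes a JKS, and the certificate is exported again; the script then verifies the exported certificate's fingerprint against the original. It assumes openssl and keytool on PATH; the password, alias and certificate CN are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): chains sections 5, 7 and 8 and confirms that the
# certificate exported from the JKS is the same one that went into the PKCS12 file.
# Assumes openssl and keytool on PATH; password and alias are placeholders. In real use prefer
# openssl's file:/env: and keytool's :env/:file password forms to keep secrets out of ps output.
PASS='changeit-placeholder'
ALIAS='myalias'

# SHA-256 fingerprint of a certificate; $2 is its encoding (pem or der).
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

jks_roundtrip_ok() {   # $1 = certificate (PEM), $2 = matching private key (PEM)
    tmp=$(mktemp -d)
    # Section 5: bundle key and certificate into PKCS12 under a named alias. OpenSSL 3
    # encrypts with AES/PBKDF2 by default, which older Java releases cannot read.
    openssl pkcs12 -export -inkey "$2" -in "$1" -name "$ALIAS" \
        -passout "pass:$PASS" -out "$tmp/keystore.p12"
    # Section 7: PKCS12 -> JKS; passwords on the command line keep it non-interactive.
    keytool -importkeystore -srckeystore "$tmp/keystore.p12" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore "$tmp/keystore.jks" -deststoretype JKS \
        -deststorepass "$PASS" -noprompt >/dev/null 2>&1
    # Section 8: export the certificate again; keytool writes DER unless -rfc is given.
    keytool -exportcert -alias "$ALIAS" -keystore "$tmp/keystore.jks" \
        -storepass "$PASS" -file "$tmp/exported.der" >/dev/null 2>&1
    before=$(cert_fp "$1" pem); after=$(cert_fp "$tmp/exported.der" der)
    rm -rf "$tmp"
    [ "$before" = "$after" ]
}

# Stand-alone use: sh this_script.sh certificate.crt private.key
if [ $# -eq 2 ]; then
    if jks_roundtrip_ok "$1" "$2"; then echo "exported certificate matches original"
    else echo "MISMATCH: exported certificate differs from original" >&2; exit 1; fi
fi
```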

9. Import a Certificate into a JKS (Keytool)

To import a certificate into a JKS keystore:

keytool -import -alias myalias -file certificate.crt -keystore keystore.jks

Explanation:

  • myalias: The alias under which to store the certificate.
  • certificate.crt: The certificate file to import.
  • keystore.jks: The target keystore.

Conclusion

These commands cover some of the most common conversions you’ll need when working with certificates and keystores. Whether you’re handling SSL certificates for a web server, managing Java keystores for an application, or ensuring compatibility between different systems, OpenSSL and Keytool provide the flexibility needed to manage and convert these formats.