When working with SSL keys and certificates, it is sometimes necessary to convert the format they're stored in. One of the more popular formats that's used in Microsoft applications is PKCS#12. This format typically has a .p12 or .pfx file extension.

To use these certificates in a Java based web server, such as Jetty, the SSL private key and certificate stored in a PKCS#12 format needs to be converted to a JKS format. This conversion is done using the Java Keytool found in a Java Runtime's bin folder.

To demonstrate how to do this, I already have a PKCS#12 file named hammer.pfx that contains my private key and certificate. I will be using the keytool to convert this file into a JKS format with a file named hammer.jks.

Import All Keystore Entries

If you want to import all entries from your PKCS#12 keystore, the command to do so is fairly straight forward.

keytool -importkeystore -srckeystore [PKCS#12 File] -srcstoretype pkcs12 -destkeystore [JKS File] -deststoretype jks

Example

$ keytool -importkeystore -srckeystore hammer.pfx -srcstoretype pkcs12 -destkeystore hammer.jks -deststoretype jks
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias hammerandkeyboard.com successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

After you enter the password you want for the destination keystore and enter the source keystore password, the keytool will import all entries from the .pfx file into the .jks file. In this example, I only had one entry with an alias of hammerandkeyboard.com.

Import Single Keystore Entry

If you want to import only a single entry, you will need to define which alias to import.

First step is to retrieve the alias from the PKCS#12 keystore.

$ keytool -list -v -storetype pkcs12 -keystore hammer.pfx
Enter keystore password:  

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: hammerandkeyboard.com
Creation date: Aug 19, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hammerandkeyboard.com, ST=Some-State, C=US
Issuer: CN=hammerandkeyboard.com, ST=Some-State, C=US
Serial number: 8ffaeb776f153f65
Valid from: Sat Aug 19 15:31:03 EDT 2017 until: Sun Aug 19 15:31:03 EDT 2018
Certificate fingerprints:
	 MD5:  5B:E5:50:C1:B4:73:5D:84:0C:B3:DC:1B:0C:C5:2D:9D
	 SHA1: 68:47:3C:AB:9D:BB:9A:A7:00:FD:FE:E6:39:C3:D6:CA:B7:93:42:98
	 SHA256: 87:D6:C0:71:38:98:0E:42:A0:C3:C5:BC:5F:99:9E:3E:9E:3D:07:56:F1:52:36:D6:4F:8E:92:A4:B8:5C:B3:A3
	 Signature algorithm name: SHA256withRSA
	 Version: 3
...

The alias name in this case is hammerandkeyboard.com. Use this alias name in the -srcalias to define which alias to import into the JKS keystore. This will result in the JKS keystore entry having the same alias name. If you want a different alias name in the JKS keystore, you will need to use the -destalias option.

$ keytool -importkeystore -srckeystore hammer.pfx -srcstoretype pkcs12 -srcalias hammerandkeyboard.com -destkeystore hammer.jks -deststoretype jks
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  

Optional: Use keytool to verify hammer.jks contains the entry from hammer.pfx.

$ keytool -list -v -keystore hammer.jks 
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: hammerandkeyboard.com
Creation date: Aug 19, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hammerandkeyboard.com, ST=Some-State, C=US
Issuer: CN=hammerandkeyboard.com, ST=Some-State, C=US
Serial number: 8ffaeb776f153f65
Valid from: Sat Aug 19 15:31:03 EDT 2017 until: Sun Aug 19 15:31:03 EDT 2018
Certificate fingerprints:
	 MD5:  5B:E5:50:C1:B4:73:5D:84:0C:B3:DC:1B:0C:C5:2D:9D
	 SHA1: 68:47:3C:AB:9D:BB:9A:A7:00:FD:FE:E6:39:C3:D6:CA:B7:93:42:98
	 SHA256: 87:D6:C0:71:38:98:0E:42:A0:C3:C5:BC:5F:99:9E:3E:9E:3D:07:56:F1:52:36:D6:4F:8E:92:A4:B8:5C:B3:A3
	 Signature algorithm name: SHA256withRSA
	 Version: 3
...

References

Java 8 Keytool Documentation