Convert Server Certificate and Key into PKCS#12, and Java Keystore (JKS)

I was looking for simple instructions on how to convert a certificate to a keystore. Here is my simplified version.

  1. Build the certificate chain into a single file.
    cat server.pem intermediate.pem root.pem > import.pem
  2. Convert the private key and merged certificate files into a PKCS12 file.
    openssl pkcs12 -export -in import.pem -inkey server.key -name serverHostName > server.p12
  3. Import the PKCS12 file into Java Keystore (JKS).

    Note: Java 9 changed the default Java Keystore to PKCS#12. The following is only required for Java 8, or applications that have JKS dependency. See JEP 229: Create PKCS12 Keystores by Default

keytool -importkeystore -srckeystore server.p12 -destkeystore keystore.jks -srcstoretype pkcs12 -alias serverHostName 


If you are using PKCS#12 as your keystore, edit the JAVA_HOME/jre/lib/security/ file and change the default keystore type as shown below:

# Default keystore type.