This walkthrough describes four ways (A, B, C, D) to import your own ready-to-use certificate into the web server repository, depending on the format of your certificate. Part E describes the import of a CA reply. There is no common description for all formats, since each format may require specific extra actions, so please choose the option below that matches the source format of your certificate.
A: Converting SSL certificate from *.pfx/*.p12 format to cert.jks
1. Start new instance of Portecle > AdminTool GUI > Security > SSL Certificate Toolkit
2. Drop *your_key*.pfx (or *your_key*.p12) into Portecle > (type your password if required)
3. Top-Menu > Tools > Change Keystore Type > JKS (case sensitive)
4. Top-Menu > Tools > Change Keystore Type > JKS (unnecessary step, but do anyway)
5. Right-click the private key entry > Set Password: secret
WARNING: IF YOU USE ANY PASSWORD OTHER THAN secret IN THIS STEP, IT WILL FAIL!
6. Top-Menu > Tools > Set Keystore Password: secret
WARNING: IF YOU USE ANY PASSWORD OTHER THAN secret IN THIS STEP, IT WILL FAIL!
7. Top-Menu > File > Save Keystore As > cert.jks
8. Locate the old *\Clients\webserver\cert.jks and replace it with the new cert.jks
9. Restart the HTML5 server in the AdminTool GUI to make the change effective
PS: Note that if you used passwords other than "secret" in steps 5 and 6, SSL will fail with a wrong-password error, since "secret" is the only password accepted by default.
B: Convert and import SSL certificate from *.key format.
If the signing authority provided the private key in *domain_private*.key/*domain_cert*.crt/*CA*.crt format, you need OpenSSL to convert it to *.pfx format. You must first download the OpenSSL binaries:
https://wiki.openssl.org/index.php/Binaries or http://gnuwin32.sourceforge.net/packages/openssl.htm
1. Run openssl.exe pkcs12 -export -out your_key.pfx -inkey *domain_private*.key -in *domain_cert*.crt -certfile *CA*.crt
When asked for the export password, type for example: secret
2. After getting your_key.pfx, continue with A: Converting SSL certificate from *.pfx/*.p12 format to cert.jks (at the top of this page).
PS: You may have named *domain_private*.key/*domain_cert*.crt/*CA*.crt differently, but the names should be basically similar.
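As an added example (not part of the original article), the script below checks the inputs of step B.1 before Portecle is involved: that the private key belongs to the certificate, that the certificate chains to the CA file, and that your_key.pfx carries two certificates, which Portecle later shows as "Certificates 1 of 2". The throwaway CA, the host name demo.example.test and the function names are constructed for the demo; it assumes a POSIX shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example: checks around section B, step 1. File names follow the
# article's placeholders; the CA and host name are constructed for the demo.

# Build a throwaway CA and a leaf certificate signed by it in directory $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/CA.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example.test" \
        -keyout "$1/domain_private.key" -out "$1/domain.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/domain.csr" -CA "$1/CA.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/domain_cert.crt" 2>/dev/null
}

# Succeeds only when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only when certificate $2 chains to the CA file $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Section B step 1 without the password prompt; writes $1/your_key.pfx.
build_pfx() {
    openssl pkcs12 -export -out "$1/your_key.pfx" -inkey "$1/domain_private.key" \
        -in "$1/domain_cert.crt" -certfile "$1/CA.crt" -passout pass:secret
}

# Prints the number of certificates inside PKCS#12 file $1 (password $2).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

work=$(mktemp -d)
make_demo_chain "$work"
key_matches_cert "$work/domain_private.key" "$work/domain_cert.crt" && echo "key matches certificate"
chain_verifies "$work/CA.crt" "$work/domain_cert.crt" && echo "trust path complete"
build_pfx "$work"
echo "certificates in your_key.pfx: $(pfx_cert_count "$work/your_key.pfx" secret)"
```

A count of 1 means the CA certificates were left out of the export, which is the untrusted state section C describes.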
C: Convert and import SSL certificate from other Windows importable formats.
If the signing authority provided *.pfx/*.cer or other file formats that do not contain the trust path, the resulting key in cert.jks is not trusted.
The private key entry should contain the full trust path. For example, if cert.jks is finished and contains the necessary private key and certificate, the details of that private key in Portecle show: Certificates 1 of 2, or 1 of 3, or 1 of 4 etc. That is the final state we need!
As in the example below: Certificates 1 of 2
1. First import all certificates (usually *.cer/*.crt format) you got from the authority into the Windows keystore
To do so, just click on each file and press Install Certificate
2. Import the private key (usually *.pfx/*.p12 format) by clicking on it
When you import the private key, make sure you tick the check boxes "Mark this key as exportable" and "Include all extended properties"
3. Start certmgr.msc
4. Open - Personal > Certificates
5. Right-click your freshly imported private key > All Tasks > Export
6. Choose > "yes, export the private key"
7. (very important) Tick the check boxes "Include all certificates in the certification path if possible" and "Export all extended properties"
In this step Windows automatically adds the certificates to the trust path
8. After saving the key to your_key.pfx, continue with A: Converting SSL certificate from *.pfx/*.p12 format to cert.jks (at the top of this page).
D: How to export SSL certificate from IIS
https://support.tsplus.net/solution/articles/44000038484-how-to-export-ssl-https-certificate-from-iis-
E: How to import CA reply in cert.jks
If the Certificate Authority provided you with a CA reply after you sent a signing request, you may have difficulty importing that CA reply, so this FAQ covers the question. First of all, never delete or recreate the private key for which you created your CA request; they belong together! Before continuing, please make sure that cert.jks contains the private key for which you created the CA request and then received your CA reply. If your private key is not yet present inside cert.jks, import it first with Portecle > Tools > Import Key Pair.
1. Import all root and intermediate certificates you got from the CA into cert.jks (default pass: secret). Usually these are 2-3 certificates, but there could be more. You have to import the certificates into cert.jks one by one with Portecle > Tools > Import Trusted Certificate. If this action asks for the default password of Java's certificate store, use changeit. Usually it is never requested, since the default password changeit is assumed, but in the worst case try that password anyway. If you have ever changed the password of Java's certificate store manually, use your new password instead. Please remember that a certificate and a private key are two different entities; certificates usually have a *.cer/*.crt extension!
This step is necessary because, when you import the CA reply with Portecle, it tries to build the certification path, and if at least one necessary root/intermediate certificate is missing from the cert.jks keystore, the import fails with an error! Sometimes the CA does not send all root/intermediate certificates, assuming they are installed in Windows by default. In that case you have to export the root/intermediate certificates from the Windows store (for example with certmgr.msc) and then import them into cert.jks. Recognizing which certificate belongs to the certification path can be the hardest part, since it is not always possible to distinguish them by name alone. Alternatively, request or download these root/intermediate certificates directly from the CA homepage before starting the CA reply import.
2. In Portecle > Right-click your private key > Import CA reply file (BUT NO ROOT OR INTERMEDIATE CERTIFICATE). It may require a password, so type the one you originally used. If something went wrong, check all intermediate certificates! If it succeeds, the private key entry should now contain the full trust path. For example, if cert.jks is finished and contains the necessary private key and certificates, the details of that private key in Portecle show: Certificates 1 of 2, or 1 of 3, or 1 of 4 etc. That is the final state we need! As in the example below: Certificates 1 of 2
3. Right-click the freshly signed private key > Export > Private Key and Certificates (PKCS#12) > secret (assumed as the password, or use your original one) > and save to file *your_key*.p12
4. After saving the private key to *your_key*.p12, continue with A: Converting SSL certificate from *.pfx/*.p12 format to cert.jks (at the top of this page). Steps 3 and 4 of this part E are not strictly necessary, but the reason to continue with part A is to create a new, clean cert.jks file without unnecessary entries, without several private keys in the same key store (cert.jks) and, very importantly, with the default password "secret", since otherwise the key store won't be accepted.
How to convert different SSL (HTTPS) certificate formats to Java *.jks?
Modified on: Fri, 13 Mar, 2020 at 2:05 PM