Converting PFX to Java KeyStore (JKS) and Using It with Application Servers

Jeevankumar R
DeveloperNeeds
Apr 28, 2020

What is PFX file?

A Personal Information Exchange (PFX) file is an encrypted security file that stores secure certificates used to authenticate devices such as computers or web servers. PFX files facilitate the transfer of certificates and their private keys from one computer to another or to removable media. The PFX format, also known as PKCS #12, is utilized by the Microsoft Windows CryptoAPI.

What is JKS file?

A Java KeyStore (JKS) file is similar to a PFX file in that it is a repository for storing certificates and private keys. However, JKS files are specific to Java and its applications. Application servers such as Tomcat, Oracle WebLogic, and IBM WebSphere use JKS files as a KeyStore.

By understanding the differences and specific uses of PFX and JKS files, you can effectively manage security certificates within different environments.

Prerequisites:

  • Java JDK or JRE: Ensure that either Java Development Kit (JDK) or Java Runtime Environment (JRE) is installed.
  • System Variable Path: The system variable path must be set to include the Java path.
  • Tomcat (Optional): Required if you need to install a JKS store in Tomcat.

Converting between formats using KeyTool:

  • PFX to JKS keystore:
    To convert a PFX file to a JKS keystore, use the following command:
keytool -importkeystore -srckeystore yourpfxfile.pfx -srcstoretype pkcs12 -destkeystore yourjkskeystore.jks -deststoretype JKS
  • JKS to PFX keystore:
    To convert a JKS file to a PFX keystore, use the following command:
keytool -importkeystore -srckeystore yourjksfile.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore yourpfxkeystore.pfx

When prompted, enter the password for the source keystore file (PFX). This should be the same password used when exporting the certificate. Then, create a new password for the destination file (JKS). This example uses 123456 as the destination keystore password for simplicity; it is a placeholder, so choose a strong password for any keystore that holds a real private key.

Tomcat SSL Setup with JKS KeyStore:

  1. Copy the JKS File: Store the JKS file in your desired location. For example, store it in C:\Apache Tomcat 9\yourjkskeystore.jks.
  2. Open the server.xml File: Open the Tomcat server.xml file, typically found in the conf directory of your Tomcat installation.
  3. Configure SSL/HTTPS:
     • Locate the <Connector> element configured for port 443 or 8443.
     • If it doesn’t exist, create a new entry as shown below:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:\Apache Tomcat 9\yourjkskeystore.jks" keystorePass="123456"
           clientAuth="false" acceptCount="100"/>
  4. Save the server.xml file and restart Tomcat to access the web page over HTTPS.
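
The following is an added example, not part of the original article: a small Python check that parses a server.xml and flags TLS connectors whose keystorePass is weak (such as the 123456 placeholder above) or whose keystore file is missing or readable by other users. The function name audit_connectors, the WEAK deny-list and the 12-character minimum are assumptions made for this example, and the sample XML is constructed.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the article, keystore path shortened.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             keystoreFile="yourjkskeystore.jks" keystorePass="123456"
             clientAuth="false" acceptCount="100"/>
</Service></Server>"""

WEAK = {"123456", "password", "changeit", "changeme"}  # assumed deny-list
MIN_LEN = 12                                           # assumed length policy


def audit_connectors(server_xml, base_dir="."):
    """Return a list of (port, finding) for TLS-enabled <Connector> elements."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no keystore involved
        port = conn.get("port", "?")
        password = conn.get("keystorePass")
        if password is None:
            # Tomcat falls back to the default password "changeit" when unset.
            findings.append((port, "keystorePass unset (default 'changeit')"))
        elif password.lower() in WEAK or len(password) < MIN_LEN:
            findings.append((port, "weak keystorePass"))
        path = conn.get("keystoreFile")
        if path:
            full = os.path.join(base_dir, path)
            if not os.path.isfile(full):
                findings.append((port, "keystoreFile not found"))
            # POSIX permission bits; on Windows review the file's ACL instead.
            elif os.stat(full).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((port, "keystoreFile readable by group/other"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Because keystorePass sits in server.xml in plain text, the same permission review applies to server.xml itself.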

Enjoy your coding!
