getting error while trying to convert pfx without password to jks

7.5k views Asked by At

When I'm trying to convert pfx file, which was generated without password, to jks I get a WARNING WARNING etc... message from keytool, and an error afterwards

When I do the same with an password protected pfx, then everything is fine.

Can anyone suggest what I can do !? maybe a conversion from other formats or using other tools ?

ps. I did also conversion to pem, and pem to jks, but it failed, because it was not an x509 cert.

EDIT

keytool.exe -importkeystore -srckeystore "C:\Users\rodislav.moldovan\Projects
\ceva.pfx" -srcstoretype pkcs12 -destkeystore "C:\Users\rodislav.mol
dovan\Projects\ceva.jks" -deststoretype JKS
Enter destination keystore password: ******
Re-enter new password: ******
Enter source keystore password: // pressed enter, because there is no pass

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified!  In order to verify its integrity, *
* you must provide the srckeystore password.                *
*****************  WARNING WARNING WARNING  *****************

keytool error: java.security.UnrecoverableKeyException: Get Key failed: null
3

There are 3 answers

0
Shivan A. On BEST ANSWER

You can do it by making a p12 keystore first with OpenSSL and then convert it into JKS format with Keytool.

OpenSSL for CER & PVK file > P12

openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12

Keytool for p12 > JKS

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert

1
primetomas On

Try to convert it to a p12 with a password before.

openssl pkcs12 -in in.pfx -out out.p12

0
Ian On

If you just have a full PFX file that isn't password protected; for instance you downloaded the cert from Azure Key Vault like so:

az keyvault secret download -f mycert.pfx --encoding base64 --vault-name <vault name> --name <certificate name>

Then you can jump through a few hoops to add password protection (got this from here: http://www.1st-setup.nl/wordpress/howto-change-password-on-pfx-certificate-using-openssl/):

openssl pkcs12 -in mycert.pfx -out temppem.pem -nodes
openssl pkcs12 -export -out protectedcert.pfx -in temppem.pem
rm certs/mycert.pfx
rm certs/temppem.pem

Obviously you need to specify a password in the second openssl command to pw-protect the new PFX.