PFX file not getting imported into keystore

Ranch Hand
Posts: 42
I am trying to establish client-side authentication using client certificates issued by IIS 5.0.
The certificates are in the PFX format (PKCS12). However, when I try to load the certificate into the keystore using keytool, I get a message which says that the import was not a valid X.509 format.
What could be the problem?
I saw some posts on the net which mentioned that the PFX format is not imported by the Java keystore. In this case, is there any mechanism to convert pfx into a format compatible with JDK?
Posts: 80
PKCS12 is a format for a keystore and not a certificate. You can list the contents of a PKCS12 file using keytool:
keytool -list -keystore <pkcs12_file> -storetype PKCS12 -storepass <password>
However, if you want to import the certificate into a JKS or JCEKS keystore, you will have to do some work. First you need to export the certificate from the PKCS12 file and then import the exported certificate into the JKS or JCEKS keystore. Both can be done using keytool.
For the export, you would need the alias of the certificate entry within the PKCS12 file. Unfortunately, the PKCS12 keystore doesn't use the default "mykey" alias. Instead, it is "1". I found this out by executing the following program:

Hope this helps.