Creating a Java Keystore from existing SSL certificate

Follow these instructions if you have an existing SSL certificate from a registered CA (I am using GoDaddy in this example) and wish to store it in a Keystore file to be used by Java applications. In this instance, this was required by Logstash (part of the ELK Stack). This guide assumes you have already completed the registration of the SSL certificate and are ready to download the files to your machine.

Downloading your SSL certificate

  • Download your SSL certificate using type “Other” (i.e. rather than Apache, IIS, etc.)
  • Ensure you have the following files in your directory:
    • Your SSL Private Key (This will be named ssl.key in this guide)
    • Your SSL certificate from your CA in crt format (This will be named ssl.crt in this guide)
    • Your SSL Bundle from your CA (This will be named ssl-bundle.crt in this guide)

Creating your Keystore

The first stage is to combine your certificate and the bundle from your CA into one pem file:

cat ssl.crt ssl-bundle.crt > ssl-all.pem

Now we must use openssl to convert this pem file into a p12 file, ready to be converted to jks using Java. When prompted, set a secure password for your p12 export. ENSURE YOU WRITE THIS DOWN.

openssl pkcs12 -export -name [The FQDN for your Server] -in ssl-all.pem -inkey ssl.key -out keystore.p12

Now we must use the Java tool keytool to convert this p12 file into jks. When prompted, I would suggest using the same password for the keystore as you used for the p12 file, just for ease of use:

keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias [The FQDN for your Server]

You should now have a jks file, protected by the keystore password, ready to be used in your environment.
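
The three steps above as shell functions with sanity checks, added here as an example and not part of the original guide: it confirms ssl.key actually belongs to ssl.crt before exporting, keeps the generated files owner-readable only, and verifies the alias ends up holding a private key. It assumes the file names used in this guide and an exported KEYSTORE_PASS environment variable (a name chosen for this example) in place of the interactive password prompts.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes ssl.key, ssl.crt and
# ssl-bundle.crt in the current directory and an exported KEYSTORE_PASS
# variable (name chosen for this example) holding the keystore password.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert ssl.key ssl.crt
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Builds keystore.p12 under the given alias (the server FQDN in this guide).
make_p12() {  # usage: make_p12 FQDN
    [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS is not set" >&2; return 1; }
    key_matches_cert ssl.key ssl.crt ||
        { echo "ssl.key does not match ssl.crt" >&2; return 1; }
    ( umask 077   # key material readable by the owner only
      cat ssl.crt ssl-bundle.crt > ssl-all.pem &&
      openssl pkcs12 -export -name "$1" -in ssl-all.pem -inkey ssl.key \
          -out keystore.p12 -passout env:KEYSTORE_PASS )
}

# Converts keystore.p12 to keystore.jks and confirms the alias holds a private key.
# On Java 9+ the default store type is PKCS12; add "-deststoretype jks" if the
# consuming application needs the older JKS format specifically.
make_jks() {  # usage: make_jks FQDN
    ( umask 077
      keytool -importkeystore -noprompt -destkeystore keystore.jks \
          -srckeystore keystore.p12 -srcstoretype pkcs12 -alias "$1" \
          -srcstorepass:env KEYSTORE_PASS -deststorepass:env KEYSTORE_PASS &&
      keytool -list -keystore keystore.jks -alias "$1" \
          -storepass:env KEYSTORE_PASS | grep -q PrivateKeyEntry )
}

# Typical use, after "export KEYSTORE_PASS":
#   make_p12 "$FQDN" && make_jks "$FQDN"
```

Passing the password through the environment keeps it out of the process list, where a password given directly on the command line would be visible to other users on the machine.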
