
Import PEM into Java Key Store

by Alex Kataev · Dec 21, 2024
TLDR

Here's the quick and dirty way to import a PEM certificate into a Java Key Store (JKS): convert the certificate to DER format, then use keytool to do the import.

```bash
# Convert PEM to DER (like ordering a burger without the bun)
openssl x509 -outform der -in yourCert.pem -out yourCert.der

# Import this burger, uh, I mean DER, into your JKS
keytool -importcert -alias burgerAlias -keystore burgerStore.jks -file yourCert.der
```

And for importing a PEM private key:

```bash
# Wrap the private key into a PKCS#12 kebab
openssl pkcs12 -export -in yourCert.pem -inkey yourKey.pem -out keystore.p12 -name kebabAlias

# Stick this delicious kebab into your JKS
keytool -importkeystore -destkeystore kebabStore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -alias kebabAlias
```

Remember to replace 'burgerAlias', 'burgerStore.jks', 'yourCert.pem', 'yourKey.pem', 'kebabAlias' and 'kebabStore.jks' with your actual filenames and aliases.

Pain relief with third-party libraries

Now, if you're juggling multiple PEMs or facing a bundle of certificates (like touching a porcupine), Keyutil comes with a soothing balm. This brilliant library simplifies the import process dramatically, avoiding all the porcupine quills. It's available right here.

Handling out-of-the-ordinary scenarios

If your PEM is like a Rubik's cube, non-standard and tricky, then you need to get into the realm of Java security APIs. Generate RSAPrivateKey and X509Certificate objects from DER bytes, manipulate DER-encoded byte arrays and navigate through Java's cryptography jungle with confidence!
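
One way to do what this section describes, as an added example (not code from the original article or from any library it mentions): a small Java program that builds an RSAPrivateKey and an X509Certificate chain from PEM files and stores them in a JKS. The class name PemToJks and its four arguments are assumptions; it expects an unencrypted PKCS#8 RSA key (BEGIN PRIVATE KEY) and a chain file with the leaf certificate first.

```java
import java.io.ByteArrayInputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemToJks { // hypothetical class name, chosen for this example
    // Unencrypted PKCS#8 only; "BEGIN RSA PRIVATE KEY" (PKCS#1) and encrypted keys do not match.
    private static final Pattern PKCS8 = Pattern.compile(
            "-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", Pattern.DOTALL);
    static RSAPrivateKey readKey(String pem) throws Exception {
        Matcher m = PKCS8.matcher(pem);
        if (!m.find()) throw new IllegalArgumentException("no 'BEGIN PRIVATE KEY' block in key file");
        byte[] der = Base64.getMimeDecoder().decode(m.group(1)); // MIME decoder skips line breaks
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static X509Certificate[] readChain(byte[] pem) throws Exception {
        // The X.509 factory reads PEM or DER and returns every certificate in the input, in file order.
        return CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pem)).toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4 || System.console() == null)
            throw new IllegalArgumentException("usage: PemToJks key.pem chain.pem out.jks alias (from a terminal)");
        RSAPrivateKey key = readKey(new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII));
        X509Certificate[] chain = readChain(Files.readAllBytes(Paths.get(args[1])));
        // The leaf certificate must come first and must belong to the key: compare RSA moduli.
        if (chain.length == 0 || !(chain[0].getPublicKey() instanceof RSAPublicKey)
                || !((RSAPublicKey) chain[0].getPublicKey()).getModulus().equals(key.getModulus()))
            throw new IllegalStateException("first certificate in chain does not match the private key");
        char[] password = System.console().readPassword("Keystore password: "); // prompted, not an argument
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty in-memory store
        ks.setKeyEntry(args[3], key, password, chain);
        try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) { ks.store(out, password); }
    }
}
```

The modulus comparison fails fast on a mismatched key and certificate, which would otherwise only surface later as a TLS handshake error.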

Keeping your secrets, secret

Passwords are the keys to your castle. Ensure your private key has a strong password both during conversion and while resting in the Java Key Store (so no 'password123'). Use keytool -list to pat yourself on the back for a successful import, and a quick test against an SSL/TLS server never hurts.

Dealing with exceptions & errors like a Pro

Errors are like uninvited guests: they pop in unexpectedly. The usual suspects are tricky file paths, temperamental aliases, moody key/certificate formats, empty or fickle passwords, and of course, classic syntax errors. So let's be the hosts with the most by handling these exceptions, configuring Java's security components like SSLServerSocketFactory and validating our parameters.

Registering certificates: Let's get formal

After the ceremony (import), you need to register certificates from the JKS with HttpsURLConnection or similar APIs (like sending formal wedding announcements). This is like a stamp of approval for SSL connections in your application.