Search code examples
javacertificateapkkeytooljarsigner

How to convert .pfx file to keystore with private key?


I need to sign Android application (.apk).
I have .pfx file. I converted it to .cer file via Internet Explorer and then converted .cer to .keystore using keytool. Then I've tried to sign .apk with jarsigner but it says that .keystore doesn't content a private key.

What I'm doing wrong?


Solution

  • Using JDK 1.6 or later

    It has been pointed out by Justin in the comments below that keytool alone is capable of doing this using the following command (although only in JDK 1.6 and later):

    keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 
    -destkeystore clientcert.jks -deststoretype JKS
    

    Using JDK 1.5 or below

    OpenSSL can do it all. This answer on JGuru is the best method that I've found so far.

    Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed as I found with Mac OS X.

    The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:

    openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
    openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"
    

    NOTE that the name provided in the second command is the alias of your key in the new key store.

    You can verify the contents of the key store using the Java keytool utility with the following command:

    keytool -v -list -keystore mykeystore.p12 -storetype pkcs12
    

    Finally if you need to you can convert this to a JKS key store by importing the key store created above into a new key store:

    keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS