Last Updated: March 02, 2016
· jan0sch

Import private key and certificate into java keystore

From time to time you have to update your SSL keys and certificates. In some cases you may have a mixed infrastructure e.g. "normal" http servers and tomcat or other java based servers. In the latter case you'll have to import your shiny new certificate and key into your java keystore.

There are several methods that you can use but I found the following the most simple:

  1. Export your key, certificate and ca-certificate into a PKCS12 bundle via
% openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
  1. Be sure to set an export password! (see further below for an explanation)
  2. If you get the following error message "Error unable to get issuer certificate getting chain." then you should concatenate the openssl ca-certs with your own ca-cert into one file and use that as parameter for -CAfile. Example:
% cat /etc/ssl/cert.pem my-ca-file.crt > ca-certs.pem
% openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile ca-certs.pem -name "my-domain.com" -out my.p12
  1. Import the PKCS12 file into a new java keystore via
% keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12


If you don't set an export password in the first step the import via keytool will most likely bail out with an NullPointerException.

Filed Under