Free tools like openssl, keytool, and KeyStore Explorer can be used to transform common SSL certificate formats into archives that are compatible with web servers like Apache Tomcat.
Creating PKCS12 Files
PKCS #12 is a format for storing multiple cryptography objects in a single archive file. You can store arbitrarily complex objects within a PKCS #12 archive, but the most common use is to store a single private key and its certificate chain.
Create a PKCS12 file from PEM files:
openssl pkcs12 -export -in ssl_cert.pem -inkey key.pem -certfile bundle.crt -name "*.example.com" -out example.com.p12
Depending on the product you’re working with, the documentation may call for a .pfx file instead of a .p12 file. PFX is an older format that was a predecessor to PKCS #12. In most modern systems, A PFX FILE AND A P12 FILE ARE EXACTLY THE SAME THING! You can just change the extension if needed and that will generally work. For example, the docs for ESET Security Management Center call for a pfx file, but a PKCS12 file will work just fine.
openssl can also extract a lot more information from certificate files. For example, for a PEM certificate:
openssl x509 -text -in ssl_cert.pem
Creating and Viewing Java Keystore Files
Create a JKS file from a PKCS12 file:
keytool -importkeystore -srckeystore _.hamlinandburton.com.p12 -srcstoretype PKCS12 -storetype PKCS12 -destkeystore test.hamlinandburton.com.jks
Many tutorials omit the flag -storetype PKCS12. This flag is important, because there are multiple types of .jks keystore archives. For example, a .jks file could have type JKS, PKCS #12, JCEKS, BKS-V1, BKS, UBER, or BCFKS. Some applications are very picky about which type they will accept. If you omit this flag, keytool will use the default type for the system that’s generating the keystore file. You may get lucky and it will work, or it may not (I’m looking at you, Code42 Authority Server).
View a keystore file:
keytool -list -v -keystore _.hamlinandburton.com.jks
Note the type at the top of the output text.
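The type can also be checked without keytool, since the extension says nothing about the real format. The following is an added example, not part of the original page: it reads the leading bytes of a file and reports JKS, JCEKS, PKCS #12 or PEM. The function names are illustrative, and BKS, UBER and BCFKS are not recognised and are reported as unknown.

```python
"""Identify a keystore's real type from its leading bytes, ignoring the extension."""
import sys

JKS_MAGIC = bytes.fromhex("feedfeed")    # magic number of the JKS format
JCEKS_MAGIC = bytes.fromhex("cececece")  # magic number of the JCEKS format


def _is_pkcs12(head: bytes) -> bool:
    """PKCS #12 (PFX) is an ASN.1 SEQUENCE whose first field is INTEGER 3."""
    if len(head) < 2 or head[0] != 0x30:  # 0x30 = SEQUENCE tag
        return False
    first = head[1]
    # Short-form and indefinite (0x80) lengths occupy one byte;
    # long form adds (first & 0x7F) further length bytes.
    skip = 1 if first <= 0x80 else 1 + (first & 0x7F)
    return head[1 + skip:4 + skip] == b"\x02\x01\x03"  # INTEGER, length 1, value 3


def sniff_keystore_type(head: bytes) -> str:
    """Classify the first bytes of a file."""
    if head.startswith(JKS_MAGIC):
        return "JKS"
    if head.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if _is_pkcs12(head):
        return "PKCS12"
    if head.startswith(b"-----BEGIN"):
        return "PEM"  # a PEM key or certificate, not a keystore
    return "unknown"  # includes BKS, UBER and BCFKS, which this sketch does not parse


def sniff_file(path: str) -> str:
    """Read enough of the file to cover the longest header checked above."""
    with open(path, "rb") as fh:
        return sniff_keystore_type(fh.read(16))


if __name__ == "__main__":
    # Usage: python sniff_keystore.py file1.jks file2.p12 ...
    for path in sys.argv[1:]:
        print(f"{path}: {sniff_file(path)}")
```

A .jks file that reports PKCS12 here is what the keytool command above produces when -storetype PKCS12 is given.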