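Java p12 must have JKS: need help converting a P12 certificate to JKS

This post describes a problem encountered when converting a P12 certificate file into a JKS keystore: using the JKS file to access the WS endpoint through SOAPUI returns a 403.7 error. It lists the conversion steps tried with Java keytool and openssl, after which access still failed. The solution gives the correct keytool command-line parameters, including the source and destination file paths, the password and the aliases, to import the entry correctly and create the JKS keystore.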

I need some help converting my .P12 certificate file into a JKS keystore. I've followed the standard commands using Java's keytool utility. However, when I try and use the resulting JKS file to access the WS endpoint via SOAPUI, I get a 403.7 error - Forbidden: SSL certificate is required. Using the P12 file with SOAPUI against the same endpoint produces a successful response.

Here is the standard command for importing a P12 keystore into a JKS keystore -

keytool -importkeystore -srckeystore src.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore target.jks

I also tried using openssl to convert the P12 -> PEM -> DER -> JKS:

openssl pkcs12 -in src.p12 -out src.pem -clcerts

(Edit src.pem into its two composite parts called src.key and src.cer)

openssl pkcs8 -topk8 -nocrypt -in src.key -out key.der -inform PEM -outform DER

openssl x509 -in src.cer -inform PEM -out cert.der -outform DER

(I ran a utility to combine the two keys into keystore.ImportKey)

keytool -importkeystore -srckeystore keystore.ImportKey -destkeystore target.JKS

and similarly no dice.

Is there something I'm missing?

Solution

If you do have the Keytool application and your PKCS#12 file, launch the one-line command:

keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12 -srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks] -deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

You'll need to modify these parameters:

MY_FILE.p12: indicate the path to the PKCS#12 file (.p12 or .pfx extension) to be converted.

MY_KEYSTORE.jks: path to the keystore in which you want to store your certificate. If it does not exist it will be created automatically.

PASSWORD_JKS: password that will be requested at the keystore opening.

ALIAS_SRC: name matching your certificate entry in the PKCS#12 file, "tomcat" for example.

If you export your certificate from a Windows server, generating a .PFX file, you'll have to retrieve the "alias" name created by Windows. To do so, you can execute the following command:

keytool -v -list -storetype pkcs12 -keystore FILE_PFX

There, the "alias name" field indicates the storage name of your certificate you need to use in the command line.

ALIAS_DEST: name that will match your certificate entry in the JKS keystore, "tomcat" for example.
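
The conversion and alias lookup from the answer above, wrapped in a script that also checks the imported alias is a PrivateKeyEntry (a certificate-only entry cannot be used for client authentication). This is an added example, not part of the original post; the file names, the aliases and the exported SRC_PASS / JKS_PASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names and aliases are
# placeholders; SRC_PASS and JKS_PASS are assumed environment variables.

# Constructed sample of `keytool -v -list` output (not a real keystore).
SAMPLE='Alias name: tomcat
Entry type: PrivateKeyEntry
Alias name: rootca
Entry type: trustedCertEntry'

# Turn `keytool -v -list` output on stdin into "alias<TAB>entry type" lines.
# Relies on keytool's English labels, hence -J-Duser.language=en below.
list_entries() {
    awk -F': ' '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { printf "%s\t%s\n", alias, $2 }'
}

# Succeed only if alias $1 is listed on stdin as a PrivateKeyEntry.
has_private_key() {
    awk -F'\t' -v want="$1" \
        '$1 == want && $2 == "PrivateKeyEntry" { ok = 1 } END { exit !ok }'
}

# Import one alias from a PKCS#12 file into a JKS keystore, then confirm the
# private key arrived. Passwords are read from the environment (:env) so they
# never appear in the process list; the JKS password needs 6+ characters.
# -destkeypass sets the key password equal to the store password, a choice
# made here for clients that accept only one password.
convert_p12() {
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env SRC_PASS \
        -srcalias "$2" \
        -destkeystore "$3" -deststoretype jks -deststorepass:env JKS_PASS \
        -destkeypass:env JKS_PASS -destalias "$4" || return 1
    keytool -J-Duser.language=en -v -list -storetype jks -keystore "$3" \
        -storepass:env JKS_PASS | list_entries | has_private_key "$4"
}

# Usage: sh p12tojks.sh src.p12 ALIAS_SRC target.jks ALIAS_DEST
if [ "$#" -eq 4 ]; then
    if convert_p12 "$@"; then
        echo "OK: '$4' is a PrivateKeyEntry in $3"
    else
        echo "FAIL: '$4' was not imported with its private key" >&2
        exit 1
    fi
fi
```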
