IBM Support

How to transform PEM and PFX keystore in Public Key Cryptography Standard #12 (PKCS12) keystore

Question & Answer


How can you import certificates in a PEM/PFX file into a Java™ KeyStore (JKS) keystore?


Keytool is the Java tool to manage keystores and certificates.
IKeyMan is the IBM tool to manage keystore and certificates. It is available in WebSphere Application Server.

Keytool and IKeyMan only recognize PKCS 12 keystores, so there is a need to transform the PFX/PEM files into PKCS12 files.

Additional information: PKCS#12 stands for Public Key Cryptography Standard #12. It is a standard that describes a portable format for storage and transportation of user private keys and certificates.

PEM encoded file contains a private key or a certificate.

PFX is a keystore format used by some application. It can contain private keys or public keys.


A PEM encoded file contains a private key or a certificate. PFX is a keystore format used by some applications. A PFX keystore can contain private keys or public keys. The information that follows explains how to transform your PFX or PEM keystore into a PKCS12 keystore.

PEM and PFX files usually carry the private and public key of a certificate. Both can be contained in one file or two distinct files.

When you have a PKCS12 keystore you can use it as is or you can import the certificates it contains into a JKS (Java KeyStore) file so you can use it in Rational Application Developer or WebSphere Studio Application Developer.

Use 'openssl' as in the OpenSSL Web site listed in the related link below:

  1. To Transform a PFX file into a PEM file:
    openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
  2. To Transform a PEM file into a PKCS12 file:
    openssl pkcs12 -export -out keystore.p12 -inkey myuserkey.pem -in myusercert.pem -name "FriendlyNameOfMyCertificate"
  3. To validate the PKCS12 file:
    keytool -v -list -keystore keystore.p12 -storetype pkcs12
  4. To import the certificates from a PKCS12 keystore into a JKS keystore:
    keytool -import -file keystore.p12 -pkcs12 -keystore theJKSKeystore.jks -storepass passwordOfTheJKSKeystore -storetype JKS

    You can also use IKeyman to import the certificate from the PKCS12 keystore into the JKS keystore.

Related Information

[{"Product":{"code":"SSRTLW","label":"Rational Application Developer for WebSphere Software"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Java Development","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0;;6.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 June 2018