How to Create a KeyStore in PKCS12 Format

In my last post, I explained how to create a self-signed SSL certificate. You can go to the previous article and generate the certificate and private key as we’ll be needing it for creating a KeyStore.

In this article, I’ll be explaining how one can create a KeyStore in PKCS12 Format using OpenSSL.

Let’s start with “What is PKCS12 Format ?”

A PKCS12(Public-Key Cryptography Standards) defines an archive-file format for storing server certificates, intermediate certificate if any, and private key into a single encryptable file.

Now, let’s see how we can create a KeyStore.

For generating a KeyStore, one should already have an existing private key and certificate (self-signed or signed by CA). The following are the steps required for creating a KeyStore:

Step 1: Create private key and certificate.

After Step 1, you’ll have a key (server.key), a CSR (server.csr), and a certificate (server.crt). We’ll be using server.key and server.crt files in our next step.

Step 2: Create a .pem file. Run the following commands from your terminal:

cat server.key > server.pem
cat server.crt >> server.pem

“A .pem (Privacy Enhanced Mail) file is a container format that may just include the public certificate or the entire certificate chain (private key, public key, root certificates).”

The existing key and the certificate would be there in your server.pem file. The Structure of .pem file looks like this:

(Private Key: domain_name.key contents)
(Primary SSL certificate: domain_name.crt contents)

Step 3: Create .pkcs12 file.

openssl pkcs12 -export -in server.pem -out keystore.pkcs12

This command will generate the KeyStore with the name keystore.pkcs12. You can use the KeyStore for configuring your server.

So this is how we can generate a KeyStore in PKCS12.