To generate a keystore.p12 file containing a PEM certificate (optionally with an intermediate and CA certificates) and a private key that was generated elsewhere, follow these steps:
1. Prerequisites
You need the following files:
- Private key: private.key
- Certificate: certificate.pem (signed by a CA)
- Intermediate CA certificate (optional): intermediate.pem
- Root CA certificate (optional): ca.pem
Ensure certificate.pem is the end-entity certificate corresponding to private.key.
2. Combine Certificates into a Full Chain
If you have intermediate and root CA certificates, concatenate them into a single file, fullchain.pem, with the end-entity certificate first, followed by the intermediate certificate and then the root certificate:
3. Convert the Private Key and Certificate to PKCS12 Format
Use OpenSSL to create a .p12 (PKCS12) keystore:
openssl pkcs12 -export \
-inkey private.key \
-in fullchain.pem \
-out keystore.p12 \
-name mykey \
-password pass:your_keystore_password
- -inkey private.key: Specifies the private key.
- -in fullchain.pem: Includes the certificate and intermediate CA certificates.
- -out keystore.p12: Specifies the output PKCS12 keystore file.
- -name mykey: Assigns an alias (mykey) for the key entry in the keystore.
- -password pass:your_keystore_password: Sets the keystore password.
4. Verify the Keystore Contents
You can verify that the keystore contains the key and certificates using:
If needed, you can also check the list of entries in the keystore using Java’s keytool:
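As an added example (not part of the original tutorial), the following POSIX shell script carries out steps 2 to 4 as functions: it assembles fullchain.pem leaf-first, checks that private.key really belongs to certificate.pem before exporting anything, and then reads the keystore back to confirm it holds one private key and the expected certificates. It assumes openssl is on PATH and uses the file names, the alias mykey and the password placeholder from the tutorial; the function names are mine.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): builds the chain in leaf-first
# order, checks that private.key really belongs to certificate.pem, exports the
# PKCS12 keystore and inspects it. Assumes openssl on PATH and the tutorial's
# file names; the alias "mykey" and the password argument come from the tutorial.
set -eu

# Leaf certificate first, then intermediate, then root; missing optional files are skipped.
build_fullchain() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    if [ -f "$f" ]; then cat "$f" >> "$out"; fi
  done
}

# A key/certificate pair is valid only if both carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Export key + chain under the alias "mykey" (the tutorial's step 3).
make_keystore() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name mykey -password "pass:$4"
}

# Number of certificates and private keys the keystore holds (the tutorial's step 4),
# read back through OpenSSL without writing any decrypted material to disk.
keystore_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}
keystore_key_count() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" | grep -c 'BEGIN .*PRIVATE KEY'
}

# Usage: sh make_keystore.sh <keystore_password>, run in the directory where
# private.key and certificate.pem (plus optional intermediate.pem / ca.pem) live.
if [ $# -ge 1 ]; then
  build_fullchain fullchain.pem certificate.pem intermediate.pem ca.pem
  key_matches_cert private.key certificate.pem || { echo "private.key does not match certificate.pem" >&2; exit 1; }
  make_keystore private.key fullchain.pem keystore.p12 "$1"
  echo "keystore.p12 holds $(keystore_key_count keystore.p12 "$1") key(s) and $(keystore_cert_count keystore.p12 "$1") certificate(s)"
fi
```

The pass: form is kept to match the tutorial, but it leaves the password in shell history and process listings; on shared hosts prefer -password env:VAR or omit -password so openssl prompts. Keystores written by OpenSSL 3 use its newer default PKCS12 encryption, which some older JDK keytool builds cannot read, so run the keytool listing on the JDK that will actually serve the keystore.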
5a. Use the Keystore in Spring Boot
Update application.properties:
server.ssl.enabled=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=your_keystore_password
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=mykey
server.port=8443
Or pass it as a command-line argument:
5b. Configure Tomcat’s server.xml
Edit conf/server.xml in your Tomcat installation directory and modify or add the <Connector> element for HTTPS:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/etc/tomcat/keystore.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="your_keystore_password"/>
    </SSLHostConfig>
</Connector>
- Replace /etc/tomcat/keystore.p12 with your actual keystore path.
- Replace "your_keystore_password" with the password you used when generating the keystore.
- After saving the changes, restart Tomcat to apply the configuration.
This setup ensures your Tomcat or Spring Boot application uses a valid SSL certificate for HTTPS connections. 🚀
