Microsoft pfx


Microsoft Visual Studio 2005 provides utilities (in the Common7\Tools\Bin directory) which can be used to generate a certificate for use with Google Apps. Follow the steps below to create the public and private key pair and certificate in .NET:

1. makecert -r -pe -n "CN=Test Certificate" -sky exchange -sv testcert.pvk testcert.cer
2. pvk2pfx -pvk testcert.pvk -spc testcert.cer -pfx testcert.pfx

By default the RSA algorithm is used in the commands above. Step 1 uses the Certificate Creation Tool (makecert.exe) to create a self-signed X.509 certificate called testcert.cer and the corresponding private key (testcert.pvk). Step 2 uses the pvk2pfx tool (pvk2pfx.exe) to create a Personal Information Exchange (PFX) file from the CER and PVK files. The PFX contains both the public and the private key.

2) get public certificate and private key from pfx file

If you want to extract the private key from a pfx file and write it to a PEM file:

openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

If you want to extract the certificate (the signed public key) from the pfx file:

openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem

To remove the password from the private key file:

openssl.exe rsa -in privateKey.pem -out private.pem

This is required because, when exporting the private key in the step above, you set a pass phrase that protects it. If you leave that pass phrase in place, every application that opens the key will prompt for it.

3) convert both public certificate and private key into DER format that can be understood by java keytool and keystore

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Then use the ImportKey program to create a new keystore (by default at ~/keystore.ImportKey) and import both the certificate and the private key into it under the alias foo.

java ImportKey key.der cert.der foo
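The openssl steps above are interactive (openssl prompts for the PFX password and for a PEM pass phrase) and they never check that the key and certificate you end up with actually belong together. The script below is an added example, not part of the original page: it runs the same pkcs12 / rsa / pkcs8 / x509 conversions non-interactively with -passin/-passout, and finishes with a check that the RSA modulus in key.der equals the one in cert.der. It assumes a POSIX shell and the openssl CLI; because makecert/pvk2pfx are Windows-only, the test PFX is built with openssl instead, and all file names and passwords are constructed for the example.

```shell
#!/bin/sh
# Added example: PFX -> PEM -> DER conversion with openssl, run without prompts,
# plus a check that the extracted key matches the certificate.
# Assumptions: POSIX sh and the openssl CLI; file names/passwords are constructed.
set -eu

# make_test_pfx DIR PFXPASS: build a self-signed cert + key and bundle them into a
# PFX, standing in for the makecert/pvk2pfx output described on the page.
make_test_pfx() {
  dir=$1; pass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Test Certificate" \
    -keyout "$dir/testcert.key" -out "$dir/testcert.cer" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/testcert.key" -in "$dir/testcert.cer" \
    -out "$dir/publicAndprivate.pfx" -passout "pass:$pass"
}

# pfx_to_der DIR PFXPASS: the page's steps 2 and 3, non-interactive.
pfx_to_der() {
  dir=$1; pass=$2
  # private key, still protected by a (temporary) PEM pass phrase
  openssl pkcs12 -in "$dir/publicAndprivate.pfx" -nocerts \
    -out "$dir/privateKey.pem" -passin "pass:$pass" -passout "pass:tmp-pem-pass"
  # certificate only
  openssl pkcs12 -in "$dir/publicAndprivate.pfx" -clcerts -nokeys \
    -out "$dir/publicCert.pem" -passin "pass:$pass"
  # strip the PEM pass phrase so applications can open the key unattended
  openssl rsa -in "$dir/privateKey.pem" -out "$dir/private.pem" \
    -passin "pass:tmp-pem-pass"
  # DER for Java tooling: PKCS#8 for the key, X.509 for the certificate
  openssl pkcs8 -topk8 -nocrypt -in "$dir/private.pem" -inform PEM \
    -out "$dir/key.der" -outform DER
  openssl x509 -in "$dir/publicCert.pem" -inform PEM \
    -out "$dir/cert.der" -outform DER
}

# key_matches_cert KEYDER CERTDER: succeeds only when the RSA modulus in the key
# equals the modulus in the certificate, i.e. the two files belong together.
key_matches_cert() {
  kmod=$(openssl rsa -in "$1" -inform DER -noout -modulus)
  cmod=$(openssl x509 -in "$2" -inform DER -noout -modulus)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}
```

Run it as `d=$(mktemp -d); make_test_pfx "$d" pfx-pass; pfx_to_der "$d" pfx-pass; key_matches_cert "$d/key.der" "$d/cert.der" && echo match`. The unencrypted private.pem and key.der should be deleted as soon as they have been imported; they are the same secret the PFX password was protecting. Since Java 6, keytool can also read the PFX directly (keytool -importkeystore -srckeystore publicAndprivate.pfx -srcstoretype PKCS12 -destkeystore keystore.ks), which avoids writing the unprotected key to disk at all.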

change store password or key password

keytool -storepasswd -storepass oldstorepasswd -new newstorepasswd -keystore keystore.ks
keytool -keypasswd -alias screenpop -keypass oldkeypass -new newkeypass -keystore keystore.ks -storepass storepasswd
jarsigner -keystore keystore.ks -storepass newstorepasswd Hello.jar fooalias
jarsigner -verify -verbose -certs Hello.jar

create an empty keystore

keypass and storepass

People are often confused by this keystore password stuff, so let me elaborate in detail.

private key and public key

suppose you use the alias duke to generate a new public/private key pair and wrap the public key into a self-signed certificate (see Certificate Chains) via the following command:

  keytool -genkey -alias duke -keypass dukekeypasswd

This specifies an initial password of "dukekeypasswd" required by subsequent commands to access the private key associated with the alias duke. **So keypass is a password used to protect the private key of the generated key pair.** If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password as that used for the keystore.

If you later want to change duke's private key password, you use a command like the following:

    keytool -keypasswd -alias duke -keypass dukekeypasswd -new newpass

This changes the password from "dukekeypasswd" to "newpass".


A keystore is created whenever you use a -genkey, -import, or -identitydb command to add data to a keystore that doesn't yet exist.

    keytool -genkey -alias duke -keypass dukekeypasswd -keystore protected.jks -storetype jks -keyalg RSA -keysize 1024 -storepass dukestorepassword

The storepass is used to protect the integrity of the keystore.

So keypass and storepass are two things for different purposes. However, there is a common connection: in order to access the private key, the appropriate password must be provided, since private keys are protected in the keystore with a password. If keypass is not provided on the command line and differs from the password used to protect the integrity of the keystore, the user is prompted for it.
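The following script is an added example (not from the page) that makes the storepass/keypass distinction observable with keytool: the store password alone is enough to list the entry and proves the keystore's integrity (a wrong storepass is rejected outright), while changing the private key password requires the current keypass in addition to the storepass. It assumes a POSIX shell and the JDK's keytool; the alias, file name and passwords are constructed for the example and mirror the page's duke commands.

```shell
#!/bin/sh
# Added example: keypass versus storepass on a JKS keystore.
# Assumptions: POSIX sh and keytool from a JDK; all names/passwords constructed.
set -eu

STOREPASS=dukestorepassword   # protects the integrity of the whole keystore
KEYPASS=dukekeypasswd         # protects only the private key under alias duke

# new_keystore FILE: create the keystore with a key pair under alias duke, using
# different passwords for the store and for the private key (JKS allows this).
new_keystore() {
  keytool -genkeypair -alias duke -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=duke" -keystore "$1" -storetype jks \
    -storepass "$STOREPASS" -keypass "$KEYPASS" >/dev/null 2>&1
}

# list_with STOREPASS FILE: reading the entry and checking integrity needs only
# the store password; no keypass is involved. Exit status is keytool's.
list_with() {
  keytool -list -keystore "$2" -storepass "$1" -alias duke >/dev/null 2>&1
}

# change_keypass OLD NEW FILE: needs the storepass to open the store AND the
# current keypass to unwrap the private key; a wrong OLD fails with exit status 1.
change_keypass() {
  keytool -keypasswd -alias duke -keypass "$1" -new "$2" \
    -keystore "$3" -storepass "$STOREPASS" >/dev/null 2>&1
}
```

A typical run: `new_keystore protected.jks; list_with "$STOREPASS" protected.jks; change_keypass "$KEYPASS" newpass protected.jks`. Note that keytool insists on at least six characters for either password, and that PKCS12 keystores (the default type in recent JDKs) do not support a keypass that differs from the storepass, which is why the example pins -storetype jks.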

Import private key and certificate in Java keystore

I believe the terminology is kind of confusing in the article's step 3:

3. Change password certificate:
keytool -keypasswd -keypass importkey -new -alias importkey -keystore

I believe the above step is to change the private key password. There is no such thing as a certificate password.

java and ssl example

submit CA cert requests.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License