Using JDK 1.5 or below
OpenSSL can do it all. This answer on JGuru is the best method that I’ve found so far.
Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed as I found with Mac OS X.
The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:
openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"
NOTE: that the name provided in the second command is the alias of your key in the new key store.
You can verify the contents of the key store using the Java keytool utility with the following command:
keytool -v -list -keystore mykeystore.p12 -storetype pkcs12
Finally if you need to you can convert this to a JKS key store by importing the key store created above into a new key store:
keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS
Using JDK 1.6 or later
keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME
NOTE for both above JDK Versions:
Your PFX file should contain the private key within it. To verify that your PFX certificate does have the requered key, you can try to extract it from the PFX as follows:
Export private key:
openssl pkcs12 -in filename.pfx -nodes -nocerts -out key.pem
FYI. To export the certificate:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
To export the CA (if present):
Note: If the PKCS#12 file is a .pfx exported from MSIE Browser then the resulting file might be empty.:-(
openssl pkcs12 -in filename.pfx -nokeys -cacerts -out cacrt.pem