Create a PKCS#12 keystore from a private key and certificate

OpenSSL is an open source software library that provides the pkcs12 command for generating PKCS#12 files from a private key and a certificate.

The private key and certificate must be in Privacy Enhanced Mail (PEM) format (for example, base64-encoded with ----BEGIN CERTIFICATE---- and ----END CERTIFICATE---- headers and footers).

Use these OpenSSL commands to create a PKCS#12 file from your private key and certificate:

openssl pkcs12 -export \
-in <signed_cert_filename> \
-inkey <private_key_filename> \
-name ‘tomcat’ \
-out keystore.p12

If you have a chain of certificates, combine the certificates into a single file and use it for the input file, as shown below. The order of certificates must be from server certificate to the CA root certificate.

See RFC 2246 section 7.4.2 for more information about this order.

cat <signed_cert_filename> \
<intermediate.cert> [<intermediate2.cert>]
... \
> cert-chain.txt

openssl pkcs12 -export \
-in cert-chain.txt \
-inkey <private_key_filename> \
-name ‘tomcat’ \
-out keystore.p12

When prompted, provide a password for the new keystore. This password is required for importing the keystore into the Web Help Desk Java keystore.