Java - Import a certificate into a keystore or truststore using the Java keytool command


If you are not familiar with the Java keytool command, check out our Getting Started article.

Before importing a certificate into a keystore file, you will want to determine the keystore type, which is typically JKS or PKCS12. The Java keytool command with the -list option can be used to determine the keystore type.

keytool -list -keystore /path/to/keystore

 

This should return output that includes the keystore type (typically JKS or PKCS12).

Keystore type: PKCS12

 

The -import option can be used to import a certificate in a .cer, .crt, or .pem file into a keystore. In this example, the *.example.com certificate in the example.com.cer file is imported into the keystore. Notice in this example that the -storetype is PKCS12.

keytool -import -file /path/to/example.com.cer -alias "*.example.com" -keystore /path/to/keystore.p12 -storetype pkcs12 -storepass keystore_password

 

If the certificate is successfully imported into the keystore, the following should be displayed.

Certificate was added to keystore

 

When importing a single server certificate, the certificate should be listed as a trustedCertEntry in the keystore, not a PrivateKeyEntry. keytool -list should show something like the following for the imported alias.

*.example.com, Mar 3, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): F3:3F:06:A8:86:95:6A:01:C8:2C:C2:52:FC:58:3F:46:8E:1B:0F:5A:67:12:7A:51:46:71:55:7E:B3:9A:03:13

  • PrivateKeyEntry contains a private key and typically the public certificates that make up the certificate chain (the root certificate authority (CA) certificate, the intermediate CA certificate, and the server certificate).
  • trustedCertEntry typically contains only the root CA certificate but may contain the public certificates that make up the certificate chain (the root CA certificate, the intermediate CA certificate, and the server certificate). A trustedCertEntry does not contain a private key.
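As an added check (example shell, not from the article): after the import, parse the keytool -list output to confirm that the alias landed as a trustedCertEntry rather than a PrivateKeyEntry, and that its SHA-256 fingerprint matches the value you obtained out of band from the certificate owner. The sample listing is constructed in keytool's output format, and verify_keystore assumes keytool is on PATH.

```shell
# Added example (not from the article): after `keytool -import`, confirm the
# alias is a trustedCertEntry (no private key) whose SHA-256 fingerprint matches
# the value obtained out of band, by parsing `keytool -list` output.
# Print "<entry type>|<SHA-256 fingerprint>" for alias $1 from `keytool -list`
# text on stdin (two lines per entry: "alias, date, type," then fingerprint).
entry_for_alias() {
    awk -v want="$1" '
        index($0, want ", ") == 1 {
            if (match($0, /(trustedCertEntry|PrivateKeyEntry|SecretKeyEntry)/))
                etype = substr($0, RSTART, RLENGTH)
            if ((getline line) > 0) {
                sub(/[ \t\r]+$/, "", line)
                if (match(line, /[0-9A-F:]+$/)) fp = substr(line, RSTART, RLENGTH)
            }
            print etype "|" fp; exit
        }'
}

# $1 = listing text, $2 = alias, $3 = expected fingerprint. Prints a verdict;
# returns 0 only when the alias exists, is a trustedCertEntry and matches.
check_trusted_entry() {
    result=$(printf '%s\n' "$1" | entry_for_alias "$2")
    etype=${result%%|*}; fp=${result#*|}
    [ -n "$result" ] || { echo "MISSING: alias $2 not in keystore"; return 1; }
    [ "$etype" = trustedCertEntry ] || { echo "WRONG TYPE: $2 is a $etype"; return 1; }
    [ "$fp" = "$3" ] || { echo "FINGERPRINT MISMATCH for $2: got $fp"; return 1; }
    echo "OK: $2 is a trustedCertEntry with the expected fingerprint"
}

# Same check against a real keystore (needs keytool on PATH):
# $1 = keystore path, $2 = store password, $3 = alias, $4 = expected fingerprint.
verify_keystore() {
    listing=$(keytool -list -keystore "$1" -storepass "$2") || return 1
    check_trusted_entry "$listing" "$3" "$4"
}

# Constructed sample listing in keytool's format; the fingerprint is the one shown
# in the article, the "server" PrivateKeyEntry and its fingerprint are made up.
EXPECTED_FP='F3:3F:06:A8:86:95:6A:01:C8:2C:C2:52:FC:58:3F:46:8E:1B:0F:5A:67:12:7A:51:46:71:55:7E:B3:9A:03:13'
SAMPLE_LISTING="Keystore type: PKCS12
Your keystore contains 2 entries

*.example.com, Mar 3, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): $EXPECTED_FP
server, Mar 3, 2021, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"

check_trusted_entry "$SAMPLE_LISTING" '*.example.com' "$EXPECTED_FP"   # OK
check_trusted_entry "$SAMPLE_LISTING" server "$EXPECTED_FP" || :      # WRONG TYPE
```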

 


The -importkeystore option can be used to import a certificate from one JKS or PKCS12 keystore into another JKS or PKCS12 keystore. In this example, the *.example.com certificate in the keystore1.p12 file is imported into keystore2.p12.

keytool \
  -importkeystore \
  -srckeystore "/path/to/keystore1.p12" \
  -srcstoretype pkcs12 \
  -srcalias "*.example.com" \
  -srcstorepass "password to view the contents of the keystore1.p12 file" \
  -destkeystore "/path/to/keystore2.p12" \
  -deststoretype pkcs12 \
  -deststorepass "password to view the contents of the keystore2.p12 file" \
  -destalias "*.example.com"

 

It's important to recognize that there are two different passwords at play here.

  • The password for the keystore file
  • The password for the key in the keystore file

If the password for the keystore file and the password for the key in the keystore file are different, and the -destkeypass option is not used, the following will be returned.

keytool error: java.lang.Exception: The destination pkcs12 keystore has different storepass and keypass. Please retry with -destkeypass specified

 

The -destkeypass option, which sets the password for the key in the destination keystore, can be included to resolve this issue.

-destkeypass "password"

 

If the destination keystore already contains an entry with the same alias as the one being imported, the following will be displayed.

Existing entry alias *.example.com exists, overwrite? [no]:

 

echo yes can be used to pipe the text "yes" into the import so that the existing entry is overwritten and the certificate is imported into the destination keystore.

echo yes | keytool -importkeystore -srckeystore "/path/to/keystore1.p12" -srcstoretype pkcs12 -srcalias "*.example.com" -srcstorepass "keystore_password" -destkeystore "/path/to/keystore2.p12" -deststoretype pkcs12 -deststorepass "keystore_password" -destalias "*.example.com"

 