Creating a Java keystore

When working with WebLogic server you will inevitably have to create some Java keystores along the way. The Java keytool or OpenSSL can accomplish most everything you would need to do but sometimes I like using something UI based to do some of the tasks. That is where a tool like KeyStore Explorer can come in quite handy.

You can download KeyStore Explorer from Another common task is converting certificates from the Windows PFX format. Here are some simple steps to create a Java keystore from a certificate that is already in place on a Windows system. The first step is to export the certificate out of the Windows certificate store. To do this:

  • Launch the MMC.


  • Add the Certificates Snap-in.
    • File -> Add/Remove Snap-in
    • Select Certificates from the left and click Add


  • Navigate through the wizard

image004 image005

  • Select OK when done


  • In the MMC, navigate to PersonalCertificates.


  • Select the Certificate you will want in your Java keystore, right-click to select All Tasks -> Export.
  • Navigate through the Export wizard to get a copy of the certificate in PFX format.

image010image011 image012 image013 image014 image015

With the PFX file you can create a java keystore and convert the certificate in one step using the java keytool.

  • To keep this simple, I copied the PFX into the directory keytool.exe is located, in my case this is C:javabin.
  • In a command window execute the following:
    • keytool -importkeystore -srckeystore Certificate.pfx -srcstoretype pkcs12 -destkeystore server.jks -deststoretype JKS
    • When prompted enter the password for the new keystore and the password you set when exporting out the PFX


  • You now have a Java keystore. However, this is when something like KeyStore Explorer can come in handy.
  • Launch the KeyStore Explorer application and open the newly created keystore.


  • You’ll notice that the alias has become something that isn’t very useful. To change it:
    • Right-click on the entry
    • Select Rename
    • Enter the keystore password
    • Specify the new alias


  •  You now have a Java keystore that you can use to lock down your WebLogic server.


I could have changed the entry name using the java keytool but I use KeyStore Explorer for many other things and it comes in quite useful.

John Linehan
Senior Systems Engineer
ImageSource, Inc.