
Generate a Salesforce Compatible JKS From PFX or P12

Publish Date: Feb 20, 2025

Description

Sometimes a certificate authority responds to a certificate signing request with a file that is not in a format Salesforce supports (CRT, CER, JKS), such as PFX or P12. In these cases, you cannot upload the signed certificate as a match to the certificate signing request.

This article shows how to break up the PFX or P12 certificate into its individual parts and reassemble them as a Salesforce-supported JKS (Java KeyStore) file.

Resolution

If you have a signed certificate as PFX or P12, perform the steps below.

  1. Install OpenSSL and Java Keystore locally.
  2. Move the PFX to the OpenSSL folder.
  3. Open OpenSSL as an admin.
  4. Run the command below to export the private key from the pkcs12 file:

openssl pkcs12 -in certname.p12 -nocerts -out privateKey.pem -nodes

This returns a password-protected private key.

  5. Run the command below to export the public key from the pkcs12 file:

openssl pkcs12 -in certname.p12 -clcerts -nokeys -out publicCertNew.pem


  6. Convert the private key into pkcs8 format:

openssl pkcs8 -topk8 -in privateKey.pem -out privateKey-pkcs8.pem


  7. Import the private key and certificate chain into a new pkcs12 file for each certificate:

openssl pkcs12 -export -in publicCertNew.pem -inkey privateKey-pkcs8.pem -name demotest1 -out demotest1.p12


  8. Import those pkcs12 files into a Java keystore file:

keytool -v -importkeystore -srckeystore demotest1.p12 -srcstoretype PKCS12 -destkeystore demotest1.jks -deststoretype JKS


  9. Upload the JKS file to Salesforce (Setup | Security | Certificate and Key Management | Import from Keystore).
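
A check worth running between steps 5 and 7, shown as an added example that is not part of the Salesforce article: it confirms that the certificate extracted in step 5 belongs to the private key extracted in step 4 and has not expired, so a mismatched or stale pair is caught before it is packed into the JKS. The function name `check_pair`, the script name and the exit codes are hypothetical; the file names follow the article's commands.

```bash
#!/usr/bin/env bash
# Added example (not from the Salesforce article). check_pair, the script name
# and the exit codes are hypothetical; file names follow steps 4 and 5.
# Usage: bash check_pair.sh privateKey.pem publicCertNew.pem

check_pair() {
  local key_file="$1" cert_file="$2" key_pub cert_pub

  # Public key derived from the private key. The exit status is checked so an
  # unreadable file can never compare equal to another unreadable file.
  key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || {
    echo "cannot read private key: $key_file" >&2; return 2; }

  # Public key embedded in the certificate.
  cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || {
    echo "cannot read certificate: $cert_file" >&2; return 2; }

  # Both commands emit the same PEM SubjectPublicKeyInfo when the pair matches.
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "MISMATCH: $cert_file was not issued for the key in $key_file" >&2
    return 1
  fi

  # -checkend 0 exits non-zero when notAfter is already in the past.
  if ! openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED: $cert_file" >&2
    return 3
  fi

  echo "OK: $(openssl x509 -in "$cert_file" -noout -subject -enddate | tr '\n' ' ')"
}

# Run the check only when the script is called with both file arguments.
if [ "$#" -eq 2 ]; then
  check_pair "$1" "$2"
fi
```

An exit status of 0 means the pair matches and the certificate is still valid; 1 is a key mismatch, 2 an unreadable input, 3 an expired certificate.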


Knowledge Article Number

000381987
