Loading

Generate a Salesforce Compatible JKS From PFX or P12

Дата публикации: Jun 26, 2026
Описание

Sometimes certificate signing authorities return a signed certificate in a format that Salesforce does not support — specifically PFX or P12 format — rather than a supported format such as CRT, CER, or JKS (Java KeyStore). In these cases, you cannot upload the signed certificate directly as a match to the Salesforce certificate signing request. This article explains how to break a PFX or P12 certificate into its component parts and reassemble them into a Salesforce-compatible JKS (Java KeyStore) file using OpenSSL and the Java keytool utility.

Решение

Prerequisites

Before starting, install OpenSSL and the Java Development Kit (JDK), which includes the keytool utility, on your local machine. Move the PFX or P12 file into the OpenSSL directory, and open the OpenSSL command prompt or terminal as an administrator.

Steps to Generate a JKS File from PFX or P12

Step 1: Export the private key from the PKCS12 file. Use the OpenSSL pkcs12 command with the -nocerts flag to extract only the private key into a PEM file. Replace certname.p12 with your actual file name. This produces a password-protected private key file named privateKey.pem.

openssl pkcs12 -in certname.p12 -nocerts -out privateKey.pem -nodes

Step 2: Export the public certificate from the PKCS12 file. Use the OpenSSL pkcs12 command with the -clcerts -nokeys flags to extract only the public certificate (the leaf certificate) into a PEM file named publicCertNew.pem.

openssl pkcs12 -in certname.p12 -clcerts -nokeys -out publicCertNew.pem

Step 3: Convert the private key to PKCS8 format. Salesforce and Java keystores require the private key in PKCS8 format. Use the OpenSSL pkcs8 command with the -topk8 flag to convert privateKey.pem to privateKey-pkcs8.pem.

openssl pkcs8 -topk8 -in privateKey.pem -out privateKey-pkcs8.pem

Step 4: Import the public certificate and PKCS8 private key into a new PKCS12 file. Use the OpenSSL pkcs12 -export command to combine the public certificate and private key into a new PKCS12 file. Specify an alias name (e.g., demotest1) that will identify this key entry in the keystore.

openssl pkcs12 -export -in publicCertNew.pem -inkey privateKey-pkcs8.pem -name demotest1 -out demotest1.p12

Step 5: Import the PKCS12 file into a Java KeyStore (JKS) file. Use the Java keytool utility with the -importkeystore flag, specifying the source as PKCS12 and the destination as JKS format. The resulting .jks file is in the format Salesforce accepts.

keytool -v -importkeystore -srckeystore demotest1.p12 -srcstoretype PKCS12 -destkeystore demotest1.jks -deststoretype JKS

Upload to Salesforce

After generating the JKS file, upload it to Salesforce by navigating to Setup > Security > Certificate and Key Management > Import from Keystore.

Номер статьи базы знаний

000381987

 
Загрузка
Salesforce Help | Article