Pete Freitag Pete Freitag

Signing Jar Files (converting pvk to p12)


We recently renewed our code signing certificate for signing java applets, this is the first year we have had to renew it, and the process is a bit different from when we generated it. When we first received the key we did it with a CSR, and the java keytool. So when their renewal process had us generate a Microsoft Authenticode pvk private key, I was a bit confused as to what to do with it. It takes a bit of work to generate a PKCS12 file that java's jarsigner can use, so I'm blogging this so I will remember what to do next year, and also to help out anyone else in this situation.

You will need two files:

  • pvk file (generated by IE, and stored in c:\mykey.pvk by default)
  • spc file (the cert)

Now to generate a PKCS12 pfx file you need Microsoft's pvkimprt tool (If I could have found this tool sooner, I could have saved myself a lot of time playing with openssl, and the ported pvk tool!). So install and run the tool:

pvkimprt c:\mycert.spc c:\mykey.pvk

Import it into your personal keystore, so we can export it as a pfx file:

  • Start-Run: mmc.exe
  • Add Snapin: Certificates
  • Properties: Add a friendly name to the cert (this will be the alias)
  • Export a pfx file

Now that you have your pfx file, your going to need to guess what import and export it again (the docs state that the pfx file will only work on jdk 1.4, I had no luck, so I generated a p12 file as shown below).

  • Open up Netscape/Mozilla/Firefox Certificate Manager (Tools-Options-Advanced-Certificates in Firefox)
  • Import your pfx file
  • Export a p12 file

And after that process you will have a certificate you can use to sign jar files, and possibly start your own import/export business.

Here's the KB article from Thawte, that had I been able to find on my own would have saved me lots of time:

And here's the ant task I use to sign jar files:

<target name="signjar" depends="jar">
    message="Please enter keystore password:"
    addproperty="keypass" />
 <signjar jar="${lib}/yourJar.jar" storetype="pkcs12"
   keystore="${keystore}/yourkey.p12" alias="Your Alias" 

This process should be a lot easier, I always hate dealing with certificates. I must say however that aside from having a name I can neither pronounce, nor spell consistently Thawte has always been helpful when I contact them.

Like this? Follow me ↯

Signing Jar Files (converting pvk to p12) was first published on March 29, 2004.

If you like reading about crypto, jar, java, signing, or certificates then you might also like:


I tried using a pkcs12 keystore on java 1.3.0 and it doesn't like it. It seems that the pkcs12 keystore type doesn't come by default. However, I did find a way to import a pkcs12 store into a jks store. You will need java 1.4 to perform the operation, but the resulting keystore is 1.3 compatible.
by pzarecta on 03/28/2005 at 4:54:26 PM UTC
Very useful - and comforting since i thought i was the only one who thought the process had changed out from under me! Thanks for recording this.
by Richard J. Pennenga on 04/15/2005 at 6:26:38 PM UTC
This was a great article, saved me a fair amount of time. Our signing process is invoked using Ant as well.
by JWill on 05/02/2007 at 2:36:53 PM UTC
Great article and really helpful comments. Saved me from toying with openssl(which isn't that complicated after all).
by Vash on 09/01/2009 at 6:02:52 AM UTC