Signing Jar Files (converting pvk to p12)

March 29, 2004

We recently renewed our code signing certificate for signing java applets, this is the first year we have had to renew it, and the process is a bit different from when we generated it. When we first received the key we did it with a CSR, and the java keytool. So when their renewal process had us generate a Microsoft Authenticode pvk private key, I was a bit confused as to what to do with it. It takes a bit of work to generate a PKCS12 file that java's jarsigner can use, so I'm blogging this so I will remember what to do next year, and also to help out anyone else in this situation.

You will need two files:

  • pvk file (generated by IE, and stored in c:\mykey.pvk by default)
  • spc file (the cert)

Now to generate a PKCS12 pfx file you need Microsoft's pvkimprt tool (If I could have found this tool sooner, I could have saved myself a lot of time playing with openssl, and the ported pvk tool!). So install and run the tool:

pvkimprt c:\mycert.spc c:\mykey.pvk

Import it into your personal keystore, so we can export it as a pfx file:

  • Start-Run: mmc.exe
  • Add Snapin: Certificates
  • Properties: Add a friendly name to the cert (this will be the alias)
  • Export a pfx file

Now that you have your pfx file, your going to need to guess what import and export it again (the docs state that the pfx file will only work on jdk 1.4, I had no luck, so I generated a p12 file as shown below).

  • Open up Netscape/Mozilla/Firefox Certificate Manager (Tools-Options-Advanced-Certificates in Firefox)
  • Import your pfx file
  • Export a p12 file

And after that process you will have a certificate you can use to sign jar files, and possibly start your own import/export business.

Here's the KB article from Thawte, that had I been able to find on my own would have saved me lots of time:

And here's the ant task I use to sign jar files:

<target name="signjar" depends="jar">
    message="Please enter keystore password:"
    addproperty="keypass" />
 <signjar jar="${lib}/yourJar.jar" storetype="pkcs12"
   keystore="${keystore}/yourkey.p12" alias="Your Alias" 

This process should be a lot easier, I always hate dealing with certificates. I must say however that aside from having a name I can neither pronounce, nor spell consistently Thawte has always been helpful when I contact them.

Related Entries

25 people found this page useful, what do you think?


Thanks for this. Had a similar problem today and wasted a lot of time trying to create pkcs12 files with openssl. Wish I'd have come across this blog entry sooner...
Absolutely fantastic post - saved alot of time. Just out of interest - under 1.4.2_05 the ant script works fine - under 1.3.1_12 it fails with: [signjar] Signing JAR: C:\work\test.jar [signjar] jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: pkcs12 not found Has anyone seen/solved this issue?
If you try to do this and get a weird error about "Password is not in the correct format" when running pvkimprt then you are using WinXP or later and you pvk & spc files were generated on 2000 or earlier. All you need to do is use a 2000 or earlier box to create the PFX file.
I'm sorry the exact error message is: "The format of the specified password is invalid."
I tried using a pkcs12 keystore on java 1.3.0 and it doesn't like it. It seems that the pkcs12 keystore type doesn't come by default. However, I did find a way to import a pkcs12 store into a jks store. You will need java 1.4 to perform the operation, but the resulting keystore is 1.3 compatible.
Very useful - and comforting since i thought i was the only one who thought the process had changed out from under me! Thanks for recording this.
Thanks, that's very helpful
Thanks here is what I did: 0. You should have a .spc(Certificate) file and a .pvk(Key) file 1. Download pvkimprt.exe from 2. To generate a .pfx file run: pvkimprt -PFX <spc-file> <pvk-file> type in the password and give a pathname 3. Import this file from Firefox 4. Export the certificate from Firefox to a .p12 file 5. This file can be used with jarsigner 6. We also need to know the alias of the .p12 file, so copy the .p12 file to the Java bin directory and run: keytool -list -storetype pkcs12 -keystore mycert-p12.p12 7. type in the password 8. Then you will see output like this: Keystore type: pkcs12 Keystore provider: SunJSSE Your keystore contains 1 entry xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, Apr 26, 2006, keyEntry, Certificate fingerprint (MD5): hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh:hh 9. The xxxx-xxx... number is the alias for the key 10. to sign a jar do: jarsigner -storetype pkcs12 -keystore mycert-p12.p12 myjar.jar "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"
Thanks! 2 years later this is still more helpful than Thawte's docs on this.
pvkimprt didn't work on my XP PC. Download the Windows Core SDK use pvk2pfx -pvk myprivatekey.pvk -spc mycredentials.spc -pfx output.pfx
Thanks for a great article. I have spent a couple of days researching this and your article seemed to fill in the missing pieces. I used these instructions and TJ's to sign XPI files for firefox.
Thank you! You probably saved me hours of noodling and fretting. I've been trying, and trying, to get SSL Explorer installed with an existing IIS key, and your "run it through Mozilla" trick saved the day! Thanks!
How to generate the pvk file ?
This was a great article, saved me a fair amount of time. Our signing process is invoked using Ant as well.
Thanks very much for this article. Even after 4 years most everything is still valid. The only thing I for which I had to go hunting was the pvkimprt tool. you can find it here: Thanks again!
Great article and really helpful comments. Saved me from toying with openssl(which isn't that complicated after all).
Thank you, saved many hours!!!
Just a note for anyone trying to run through this process. I was getting an error when running pvkimprt.exe:
Error: 00000002, The system cannot find the file specified.
This turned out to be a permissions thing. My company has recently put some kind of group policy in place and this seems to have stopped my domain account being able to run pvkimprt. I used the following command to run the import tool:
>runas /user:[machine]\administrator "pvkimprt c:\myCert.spc c:\myKey.pvk"

Thanks for the article Pete, as other have said, it's still very useful!

Thanks for the post. Couldn't have signed the files without the wealth of information here.

On WinXP, followed the post from Vivek (04/26/2006 at 2:12:05 PM EDT)
Warning balalumba here

Recent Entries