Java: How to convert a .pfx file to a keystore with a private key?
Notice: this page is a Chinese-English side-by-side translation of a popular Stack Overflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original authors (not me): Stack Overflow
Original URL: http://stackoverflow.com/questions/4217107/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
How to convert .pfx file to keystore with private key?
Asked by Ola
I need to sign an Android application (.apk). I have a .pfx file. I converted it to a .cer file via Internet Explorer and then converted the .cer to a .keystore using keytool. Then I've tried to sign the .apk with jarsigner, but it says that the .keystore doesn't contain a private key.
What am I doing wrong?
Accepted answer by MikeD
Using JDK 1.6 or later
It has been pointed out by Justin in the comments below that keytool alone is capable of doing this using the following command (although only in JDK 1.6 and later):
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
Using JDK 1.5 or below
OpenSSL can do it all. This answer on JGuru is the best method that I've found so far.
Firstly make sure that you have OpenSSL installed. Many operating systems already have it installed, as I found with Mac OS X.
The following two commands convert the pfx file to a format that can be opened as a Java PKCS12 key store:
openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "MyCert"
NOTE that the name provided in the second command is the alias of your key in the new key store.
You can verify the contents of the key store using the Java keytool utility with the following command:
keytool -v -list -keystore mykeystore.p12 -storetype pkcs12
Finally if you need to you can convert this to a JKS key store by importing the key store created above into a new key store:
keytool -importkeystore -srckeystore mykeystore.p12 -destkeystore clientcert.jks -srcstoretype pkcs12 -deststoretype JKS
Answer by Bernard
Your PFX file should contain the private key within it. Export the private key and certificate directly from your PFX file (e.g. using OpenSSL) and import them into your Java keystore.
Edit
Further information:
- Download OpenSSL for Windows here.
- Export private key:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
- Export certificate:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
- Import private key and certificate into Java keystore using keytool.
Answer by gjpc
jarsigner can use your pfx file as the keystore for signing your jar. Be sure that your pfx file has the private key and the cert chain when you export it. There is no need to convert to other formats. The trick is to obtain the Alias of your pfx file:
keytool -list -storetype pkcs12 -keystore your_pfx_file -v | grep Alias
Once you have your alias, signing is easy
jarsigner.exe -storetype pkcs12 -keystore pfx_file jar_file "your alias"
The above two commands will prompt you for the password you specified at pfx export. If you want to have your password hang out in clear text, use the -storepass switch before the -keystore switch.
Once signed, admire your work:
jarsigner.exe -verify -verbose -certs yourjarfile
Answer by kaptan
I found this page which tells you how to import a PFX to JKS (Java Key Store):
keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME
Answer by Mariano Paniga
If you work with JDK 1.5 or below, the keytool utility will not have the -importkeystore option (see JDK 1.5 keytool documentation), and the solution by MikeD will be available only by transferring the .pfx to a machine with a newer JDK (1.6 or above).
Another option in JDK 1.5 or below (if you have the Oracle WebLogic product) is to follow the instructions from this Oracle document: Using PFX and PEM Certificate Formats with Keystores. It describes the conversion into .pem format, how to extract certificate information from this textual format, and how to import it into .jks format with the java utils.ImportPrivateKey utility (this is a utility included with the WebLogic product).
Answer by TechIsFun
Justin (above) is accurate. However, keep in mind that depending on who you get the certificate from (intermediate CA, root CA involved or not) or how the pfx is created/exported, sometimes they could be missing the certificate chain. After import, you would have a certificate of PrivateKeyEntry type, but with a chain of length 1.
To fix this, there are several options. The easier option in my mind is to import and export the pfx file in IE (choosing the option of including all the certificates in the chain). The import and export process of certificates in IE should be very easy and well documented elsewhere.
Once exported, import the keystore as Justin pointed above. Now, you would have a keystore with certificate of type PrivateKeyEntry and with a certificate chain length of more than 1.
Certain .Net based Web service clients error out (unable to establish trust relationship) if you don't do the above.
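The conversion that MikeD's accepted answer performs with keytool -importkeystore, together with the certificate-chain check TechIsFun's answer recommends, can also be done against the JDK KeyStore API directly, which makes it clear what keytool is moving. The following program is an added example and is not code from any of the Stack Overflow answers; the class name PfxToJks, the file names and the passwords are placeholders taken from the command line. It copies every entry from a PKCS12 (.pfx/.p12) store into a fresh JKS store, refuses a key that has no chain at all, and flags a chain of length 1 as incomplete unless the leaf certificate is self-signed (an assumption made for the warning only, since a self-signed certificate has no CA certificate above it to include).

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not from the Stack Overflow answers): copies a PKCS12 store into a
 * JKS store and reports the certificate chain length of every private key entry.
 * Usage: java PfxToJks mypfxfile.pfx <pfx-password> clientcert.jks <jks-password>
 */
public class PfxToJks {

    /** Summary of one private key entry found in the source store. */
    public static final class EntryReport {
        public final String alias;
        public final int chainLength;
        public final boolean selfSigned;

        EntryReport(String alias, int chainLength, boolean selfSigned) {
            this.alias = alias;
            this.chainLength = chainLength;
            this.selfSigned = selfSigned;
        }

        /** Chain of length 1 means the CA certificates were not exported with the key,
         *  unless the leaf is self-signed (assumption: then there is nothing above it). */
        public boolean chainIsComplete() {
            return chainLength > 1 || selfSigned;
        }
    }

    /** Copies all entries from src into dst; private keys are re-protected with dstPass
     *  (use the same value for jarsigner's -storepass and -keypass), trusted certificate
     *  entries are copied unchanged so CA certificates are not lost. */
    public static List<EntryReport> convert(KeyStore src, char[] srcPass,
                                            KeyStore dst, char[] dstPass)
            throws GeneralSecurityException {
        List<EntryReport> reports = new ArrayList<>();
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!src.isKeyEntry(alias)) {
                Certificate trusted = src.getCertificate(alias);
                if (trusted != null) {
                    dst.setCertificateEntry(alias, trusted);
                }
                continue;
            }
            // For a PKCS12 file exported by openssl the key password is the store password.
            Key key = src.getKey(alias, srcPass);
            Certificate[] chain = src.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                throw new KeyStoreException("alias " + alias + " has a key but no certificate chain");
            }
            dst.setKeyEntry(alias, key, dstPass, chain);
            X509Certificate leaf = (X509Certificate) chain[0];
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            reports.add(new EntryReport(alias, chain.length, selfSigned));
        }
        return reports;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java PfxToJks <in.pfx> <pfx-password> <out.jks> <jks-password>");
            System.exit(2);
        }
        char[] srcPass = args[1].toCharArray();
        char[] dstPass = args[3].toCharArray();

        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            src.load(in, srcPass);
        }
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null); // initialise an empty store before adding entries

        List<EntryReport> reports = convert(src, srcPass, dst, dstPass);
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            dst.store(out, dstPass);
        }

        if (reports.isEmpty()) {
            // The situation in the question: a store holding only certificates,
            // which jarsigner cannot sign with.
            System.err.println("WARNING: no private key entries found in " + args[0]);
        }
        for (EntryReport r : reports) {
            System.out.printf("%s: PrivateKeyEntry, certificate chain length %d%s%n",
                    r.alias, r.chainLength,
                    r.chainIsComplete() ? "" : " (WARNING: chain incomplete, CA certificates missing)");
        }
    }
}
```

The printed chain length is the same figure that `keytool -v -list` shows as "Certificate chain length", so a result of 1 for a CA-issued certificate is the symptom TechIsFun describes and should be fixed at export time rather than by re-running the conversion. Since JDK 9 the default keystore type is PKCS12, so the JKS step is only needed for tooling that still requires JKS.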