Keystore Explorer

Keystore Explorer is a graphical user interface with the same powers as OpenSSL, and used for many certificate conversions. This manual describes the most often used functions, like creating a keypair and CSR, importing your certificate into the keystore, exporting the keypair as PFX or PEM format, and importing a PEM key to convert to PFX.

To start from scratch and with a PFX as end result, please follow the items below;

  • Create a new KeyStore
  • Generate a Key Pair
  • Generate a CSR
  • (order your certificate and wait for issuance)
  • Import a trusted certificate
  • Import the CA certificates
  • Export a certificate as PFX

Create a new KeyStore

  1. From the File menu, choose New. Alternatively click on the New tool bar button.
  2. The New KeyStore Type dialog is displayed. Select the 'PKCS #12 Public-Key Cryptography Standards #12 KeyStore'. Type using the radio buttons.
  3. Press the OK button.
  4. The new KeyStore will appear as an additional Untitled tab.

Generate a Key Pair

  1. From the Tools menu, choose Generate Key Pair.
  2. The Generate Key Pair dialog will be displayed. Select the RSA Algorithm and a Key Size of 4096 and press the OK button.
  3. The Generating Key Pair dialog will be displayed and will remain visible until Key Pair generation has completed.
  4. The Generate Key Pair Certificate dialog will be displayed.
  5. Select Version 3 and Signature Algorithm SHA256 and enter a Validity Period, Serial Number and Name.
  6. Press the OK button.
  7. The New Key Pair Entry Alias dialog will be displayed.
  8. Enter the alias name for the new Key Pair entry and press the OK button.
  9. If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
  10. The new Key Pair entry will appear in the KeyStore Entries table.

Generate a CSR

  1. Right-click on the Key Pair entry in the KeyStore Entries table. Select Generate CSR from the pop-up menu.
  2. If required the Unlock Entry dialog will be displayed. Enter the Key Pair entry's password and press the OK button.
  3. The Generate CSR dialog is displayed. Select Format PKCS#10 and Signature Algorithm.
  4. For PKCS#10 format you can optionally enter a company name (which becomes an "unstructuredName" attribute in the request) and/or add the extensions from the certificate to the request. The latter is useful for SSL certificates with SubjectAlternativeName extensions.
  5. Use the Browse button to select a CSR File location.
  6. Press the OK button to commence generation and produce the CSR.
    Be aware that you need the created KeyStore later when the certificate has been issued to import.

Import a trusted certificate

  1. From the Tools menu, choose Import Trusted Certificate. Alternatively click on the Import Trusted Certificate tool bar button:
  2. The Import Trusted Certificate dialog will appear.
  3. Select the drive and folder where the certificate file is stored.
  4. Click on the required certificate file or type the filename into the File Name text box.
  5. Click on the Import button.
  6. The Trusted Certificate Alias dialog will appear.
  7. Enter the alias of the new Trusted Certificate and press OK.
  8. The new Trusted Certificate entry will appear in the KeyStore Entries table with the chosen alias.

Import the CA certificates

  1. Select the visible entry for your trusted certificate.
  2. Right-click on the entry and select 'Edit chain' and then 'Apend certificate'.
  3. Select the files in the unzipped ZIP file, from the folder 'Root certificates' to import.

Import key pair

  1. Create a new keystore.
  2. Right-click anywhere inside the new keystore.
  3. Select import key pair.
  4. Import key pair dialog is displayed.
  5. Select OpenSSL format from the list.
  6. If applicable, put in the decryption password. Otherwise uncheck the box 'Encrypted Private Key'.
  7. Use the browse options to select your key storage file and certificate file.
  8. The New Key Pair Entry Alias dialog will be displayed.
  9. Enter the alias name for the new Key Pair entry and press the OK button.
  10. If required the New Key Pair Entry Password dialog will be displayed. Enter the password with which to protect the new Key Pair entry, confirm it and press the OK button.
  11. The new Key Pair entry will appear in the KeyStore Entries table.

Export a certificate as PFX

  1. Right-click on the Trusted Certificate entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export Key Pair.
  2. Export Certificate dialog is displayed.
  3. Select PKCS #12 format from the list.
  4. Check the PEM checkbox if the exported certificate is to be PEM encoded. PEM encoding is not available for PKI Path and SPC format exports.
  5. Use the Browse button to select an export file.
  6. Press the Export button to commence the export.
  7. You have now successfully created a PKCS12 / PFX export of your trusted certificate.

Export private key in PEM format

  1. Right-click on the Trusted Certificate entry in the KeyStore Entries table. Select the Export sub-menu from the pop-up menu and from there choose Export private key.
  2. Export dialog is displayed, select OpenSSL and press ok.
  3. Uncheck the box 'encryption'.
  4. Use the Browse button to select an export file.
  5. Press the Export button to commence the export.
  6. You have now successfully exported a private key in PEM format.

SSLCheck

Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up