Generate Jks File From Crt And Key Using Keytool

Edit: this post was originally posted in May of 2014 and it unfortunately did not make it in the move over when we updated the web site. Sorry about that! We noticed several folks have still been linking to it and since it is still relevant we have restored it. Thank you for reading!


At the bottom of this page Google recommends using this keytool command to create a keystore file:

    keytool -genkey -v -keystore foo.keystore -alias foo -keyalg RSA -keysize 2048 -validity 10000

I quote from their page, “This example prompts you for passwords for the keystore and key, and to provide the Distinguished Name fields for your key.”

Creating a KeyStore in JKS Format. This section explains how to create a KeyStore using the JKS format as the database format for both the private key, and the associated certificate or certificate chain. By default, as specified in the java.security file, keytool uses JKS as the format of the key and certificate databases (KeyStore and TrustStores). A CA must sign the certificate.

    openssl pkcs12 -export -in cert.crt -inkey private.key -certfile cert.crt -name -out keystore.p12

Next, the newly generated keystore.p12 should be used to create a new keystore in JKS format with the help of keytool from the JDK.

So you got a wildcard SSL certificate and you need to get it into a Java Keystore format. You can spend a lot of time looking for how to do it in several tutorials that kind of get it right, or you can follow these instructions.

This is the process we use for generating Java Keystore files for our ThinkFree Office distributions.

First copy everything you need to a folder on your Desktop. Call it STAR_mydomain_com or something. Make sure this folder contains the certificate files you received from your CA (Certificate Authority) and the original key file generated when you generated your CSR.

If you received your certificate from Comodo in “other” format you will have a bunch of files in there and they need to be assembled in the right order.

Now, open a terminal window and go to your directory. Concatenate these files:

The first file is your certificate. After that are intermediate certificates that provide validation up to the root certificate. All of them are now in a nice bundle named ca_bundle.pem

Run the following to convert your SSL bundle into PKCS12 format:

Where:

-name (my.domain.com) is the domain you are going to be using the key on. Don’t use your *.domain.com address. Use mail.domain.com or thinkfree.domain.com.

-in is your signed certificate

-inkey is the key file from the server that generated your CSR (certificate signing request)

-out is just a name I picked

You will be asked to generate a password. Don’t forget it!

Now run this to generate your JKS:

-destkeystore is the name of the keystore (you are creating it)

-srckeystore is the PKCS12 keystore created above

-alias is the domain from above – make sure it matches the domain from above!


You will be asked to enter the password again. Do so and select a new password (or use the same one as before) when prompted.

That’s it! Now you can verify it:
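The conversion steps above (PKCS12 export, import into a JKS, then listing the entry) collected into one script. This is an added example, not the commands from the original post. The file names, the KS_PASS environment variable and the key/certificate match check are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example. File names, the alias and the KS_PASS variable are assumptions.
# KS_PASS must be exported and at least 6 characters long (keytool minimum).

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# $1=cert $2=key $3=intermediate bundle $4=alias $5=output .p12
make_p12() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    # umask keeps the new key-bearing file unreadable to other users.
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
          -name "$4" -out "$5" -passout env:KS_PASS )
}

# Print the alias (friendlyName) stored on the leaf certificate in $1.
p12_alias() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:KS_PASS 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# $1=input .p12 $2=alias $3=output .jks; lists the entry afterwards.
p12_to_jks() {
    ( umask 077
      keytool -importkeystore -noprompt \
          -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
          -destkeystore "$3" -deststoretype JKS -deststorepass:env KS_PASS \
          -alias "$2" ) &&
    keytool -list -v -keystore "$3" -storepass:env KS_PASS -alias "$2"
}

# Usage: KS_PASS=... sh make_jks.sh cert.crt private.key ca_bundle.pem mail.domain.com
if [ "$#" -eq 4 ]; then
    make_p12 "$1" "$2" "$3" "$4" keystore.p12 &&
        [ "$(p12_alias keystore.p12)" = "$4" ] &&
        p12_to_jks keystore.p12 "$4" keystore.jks
fi
```

Passing the password through the environment keeps it out of the process list; the alias check before the import catches a mismatched -name before the keystore reaches the server.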

If you are generating this for ThinkFree Office there is one more step.


Go to the System tab > Https Certification

Next to KeyStore (JKS) File click Browse and select the keystore.jks file we just created.

In Password enter the password you chose when generating the keystore (which may be the same as the one used when generating the pkcs12 file).

In Alias Name enter the domain name you entered above (thinkfree.domain.com, for example) – not the wildcard domain of the certificate.

Click Apply and wait for the message “Certificate applied successfully” to appear.


At this point log on to your ThinkFree server and restart it:

Followed by

Now test it to make sure it works:

You should be able to connect.

Don’t forget to undeploy your ThinkFree zimlets in Zimbra (if you use them), edit the xml configurations to change the string to https and port to 443, re-zip them from within the folder:

And redeploy them:


You should now be able to connect from your secure Zimbra webmail with your secure ThinkFree server.