0.1 If do not have a certificate, could create a self-signed certificate:

openssl genrsa -des3 -out server.key 2048

openssl req -new -key server.key -out server.csr

(you may add -sha256 to get SHA256 signarure)

openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt


1. If there is no a keystore then create one:

keytool -genkey -alias some_dumb_alias -keyalg RSA -keystore keystore.jks

2. Concat two pem files:

cat secret.key.pem certificate.pem > key.certificate.pem

3. Convert pem certificate into pkcs12 format:

openssl pkcs12 -export -in key.certificate.pem -out certificate.pkcs12 -name alias_to_be_used -noiter -nomaciter

3.1 If there are additional certificates for the trusted chain, then we need some extra steps:
3.1.1 Convert the certificate back to pem:
openssl pkcs12 -in certificate.pkcs12 -out certificate-2.pem -nodes -clcerts
3.1.2 Compose the certificate chain:
cat certificate-2.pem imtermediate1.pem intermediate2.pem root.pem > chain.pem

(need to ensure that every concatenated certificate starts on a new line)

3.1.3. Convert the chain to pkcs12

openssl pkcs12 -export -in chain.pem -out certificate.pkcs12 -name alias-to-be-used

4. Import pkcs12 keystore into jks:

keytool -v -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks

Initial dumb key entry may be deleted now:

keytool -delete -alias some_dumb_alias -keystore keystore.jks

5. check that the resulting jks contains the certificate:

keytool -list -v -keystore keystore.jks

6. change alias if needed

 keytool -changealias -keystore chain.jks -alias current_alias -destalias new_alias