Skip to content

Converting a Java Keystore (JKS) to a Certificate Format That Salesforce Can Understand

Salesforce SSL Certificates

Salesforce requires SSL certificates to be in the PEM (Privacy Enhanced Mail) format for various features such as Single Sign-On, outbound messaging, and other integrations. If you have your certificate in a Java Keystore (JKS) format, you’ll need to convert it to the PEM format for Salesforce to understand and use it. Here’s a step-by-step guide on how to achieve this conversion using the OpenSSL tool and the Java keytool.


  1. Java Development Kit (JDK) – This will provide the keytool command.
  2. OpenSSL – A robust toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Steps to Convert JKS to PEM for Salesforce:

  1. Export the Certificate from the Keystore:First, you need to export the certificate from the JKS file.
    keytool -export -keystore [path-to-your-keystore.jks] -alias [your-alias-name] -file exported-cert.crt

    Replace [path-to-your-keystore.jks] with the path to your keystore file and [your-alias-name] with the alias name used in the keystore for the certificate. This will produce a file named exported-cert.crt.

  2. Export the Private Key:Java keytool doesn’t allow exporting the private key directly. However, you can convert the JKS to a PKCS12 format, which can then be used with OpenSSL to export the private key.
    keytool -importkeystore -srckeystore [path-to-your-keystore.jks] -destkeystore keystore.p12 -deststoretype PKCS12

    This will produce a .p12 file.

  3. Extract the Private Key from the PKCS12 File Using OpenSSL:Now, use OpenSSL to extract the private key from the PKCS12 file.
    openssl pkcs12 -in keystore.p12 -nocerts -nodes -out privatekey.pem

    This command will produce a privatekey.pem file containing the private key.

  4. Convert the Certificate to PEM Format:Although the exported-cert.crt is in a readable format, it’s best to ensure it’s in the correct PEM format for Salesforce.
    openssl x509 -inform der -in exported-cert.crt -out certificate.pem

    This command will produce a certificate.pem file.

  5. Bundle Certificate and Private Key:For some Salesforce applications, you might need the certificate and the private key bundled together in a single PEM file.This will produce a combined.pem file.
  6. Upload to Salesforce:
    • Log into your Salesforce instance.
    • Navigate to Setup.
    • In the Quick Find box, type “Certificate and Key Management”.
    • Click on Certificate and Key Management.
    • Click on Import from Keystore and select the combined.pem file.
    • Provide the required details, save, and your certificate will be uploaded.


Converting a JKS to a PEM format suitable for Salesforce requires a combination of Java’s keytool and OpenSSL. Once converted, you can easily use the certificate within Salesforce for various features and integrations. Always ensure that you handle certificates and especially private keys with utmost care, ensuring that they don’t get exposed or compromised.

Join the conversation

Your email address will not be published. Required fields are marked *

error: Content is protected !!