1. Introduction

When working with production applications in Java, we often find ourselves configuring HTTPS, enabling secure outbound communication, or managing trust stores. Keytool is the standard tool for working with the required keys and certificates and thus managing Java keystores.

In this tutorial, we’ll focus on a specific task: importing a P7B certificate file into a Java keystore using keytool.

2. Understanding the P7B (PKCS#7) Format

Before we dive into the steps to import a P7B file, it’s worth reviewing and understanding the PKCS#7 format.

In cryptography, PKCS#7 is a standard syntax for storing cryptographically signed or encrypted data.

One common use for this format is to store SSL certificates. Often, certificate bundles are stored and shared as .p7b files.

2.1. Certificate Bundle

When creating self-signed certificates for development use, it’s usually sufficient to have a private key and a self-signed certificate containing the public key. However, when working with production applications that are expected to be available over the internet, we typically need our certificates to be validated by a known Certificate Authority (CA).

Browsers validate a site by validating the site’s certificate. Each site presents its own certificate along with information about a chain of intermediate certificates, eventually leading to the root certificate of a CA. Since browsers trust the CA, any site presenting a validated certificate with a clear chain of certificates leading to a root CA certificate is considered valid.

Once a CA validates a certificate, it typically provides a certificate chain consisting of its own root certificate and zero or more intermediate certificates. This certificate chain is provided as a bundle of certificates, sometimes as a .p7b file.

2.2. The P7B Format

A P7B file is a PKCS#7 container that can store one or more certificates. It may be encoded either in the binary DER format or in the Base64 PEM format.

When working with Java servers (such as Tomcat), we need to ensure that all the certificates in the bundle are imported into our keystore to prove the validity of our certificate.

Browsers on all modern devices recognise certificates validated by a CA. During the process of certificate validation, a CA will typically share the signed public certificate for our site along with a certificate chain, aka certificate bundle.

Sometimes, the certificate bundle comes as a file with a .p7b extension. We note that depending on the encoding, the contents may not be easily readable in a plain text editor. Therefore, we need a few tools to work with these certificates and import them into our keystore.

3. Preparing a P7B File

Now that we’ve understood the P7B format, let’s dive into the process.

Before we can import a certificate bundle, we need a file containing the certificate bundle. Since we don’t have a .p7b provided by a CA, we’ll use the public certificate from Baeldung.com.

First, we’ll download the chain and convert it into the P7B file format.

3.1. Downloading the Certificate Bundle

Most modern browsers allow exporting certificates to PKCS#7-encoded files. However, we’ll do everything from the command line, using the openssl command on a Linux terminal:

$ openssl s_client -connect www.baeldung.com:443 -showcerts </dev/null

This command prints out several certificates along with some other information about each certificate. Each certificate can be identified easily because of the beginning and ending markers:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

We can now copy each of those certificates (including the markers) and store each one in a separate .pem file. So now we have three files: site.pem, intermediate.pem and root.pem.

Now let’s use them to create a .p7b bundle:

$ openssl crl2pkcs7 -nocrl -certfile site.pem -certfile intermediate.pem \
-certfile root.pem -out site-chain.p7b

Finally, we can verify that all certificates of interest are present in the bundle:

$ openssl pkcs7 -print_certs -in site-chain.p7b -noout

We see three certificates printed clearly as expected.

3.2. The Problem Importing P7B File

Now that we have a valid certificate bundle in the .p7b file format, let’s check it with keytool:

$ keytool -printcert -file site-chain.p7b

This command prints information about the three certificates clearly.

Let’s attempt to import this as-is:

$ keytool -importcert -file site-chain.p7b -keystore test-keystore.jks -alias site

The output presents an error:

keytool error: java.lang.Exception: Input not an X.509 certificate

The certificate import fails because keytool -importcert expects the input file to contain exactly one X.509 PEM or DER encoded certificate.

4. Importing the P7B File

We observe that the direct import of a certificate bundle using keytool can be problematic. The solution is to break down the bundle into its individual certificates and then import those certificates one by one.

4.1. Converting to PEM Encoding

To break the bundle into individual PEM files, we’ll first convert the bundle from PKCS#7 to a PEM-encoded bundle:

$ openssl pkcs7 -print_certs -in site-chain.p7b -out site-chain.pem

This produces a PEM file containing one or more X.509 certificates:

-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----

We’re now ready to use keytool to import the certificates.

4.2. Importing the PEM Bundle

Now that the file is in a format compatible with the keytool import option, we can perform the import:

$ keytool -importcert -file site-chain.pem -keystore test-keystore.jks -alias site

This command requires us to set a keystore password and asks us if we trust the certificate. Then the output shows success:

Trust this certificate? [no]:  yes
Certificate was added to keystore

This imports the site’s certificate under the alias site.

If we need the intermediate and root certificates in the same keystore as well, we need to import them individually. From site-chain.pem, we can copy each of those certificates (including the begin and end markers) and store each one in a separate .pem file. So now we have two more files, intermediate.pem and root.pem.

We can use the same command with different input files and aliases to import the root and intermediate certificates as well:

$ keytool -importcert -file root.pem -keystore test-keystore.jks -alias root
$ keytool -importcert -file intermediate.pem -keystore test-keystore.jks -alias intermediate

4.3. Verifying the Import

Now that we have all the certificates imported, let’s verify them:

$ keytool -list -v -keystore test-keystore.jks

This command requests the previously set password and then shows us detailed information about all the imported certificates. At the beginning of the output, we see:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

That’s it. Our keystore is now ready to use.
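
The manual copy steps in sections 3.1 and 4.2 can be scripted. The following is an added example, not part of the original article: it splits the PEM output of openssl pkcs7 -print_certs into one file per certificate, prints each SHA-256 fingerprint so it can be compared with a value obtained out of band, and imports each file under its own alias. The function names, the cert-N.pem file naming and the alias prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Function names, the
# cert-N.pem naming scheme and the alias prefix are assumptions.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... and prints the certificate count.
# The "subject=" / "issuer=" lines that `openssl pkcs7 -print_certs` emits
# between certificates are dropped.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  ' "$1"
}

# print_fingerprints OUTDIR
# Shows subject and SHA-256 fingerprint of each split certificate so they can
# be compared with values obtained out of band before anything is trusted.
print_fingerprints() {
  for f in "$1"/cert-*.pem; do
    [ -e "$f" ] || continue
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256
  done
}

# import_certs KEYSTORE OUTDIR ALIAS_PREFIX
# Imports each cert-N.pem as its own entry (alias PREFIX-N). keytool asks
# for the keystore password interactively.
import_certs() {
  for f in "$2"/cert-*.pem; do
    [ -e "$f" ] || continue
    n=${f##*/cert-}; n=${n%.pem}
    keytool -importcert -file "$f" -keystore "$1" -alias "$3-$n" || return 1
  done
}

# Usage:
#   split_pem_bundle site-chain.pem certs
#   print_fingerprints certs
#   import_certs test-keystore.jks certs site
```

The numbering follows the order of certificates in the bundle, so the aliases come out as site-1, site-2 and so on rather than the site, intermediate and root names used above.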

5. Conclusion

In this article, we explored how keytool works with certificate bundles in the PKCS#7 (.p7b) format. While these files can contain complete certificate chains, they’re not always directly supported for import.

We learnt that keytool expects X.509 certificates in DER or PEM format, not container formats like PKCS#7. Converting the .p7b bundle into individual certificates ensures a successful and predictable import process.
