SSL certificate import into JKS file

Hi,

I want to import private key, public key and CA certificates as a chain into a JKS file to point on Integration Server. Do I need to convert all the cert files into .der format to make them work, or are .cer files also fine? IS will accept only .der files. Please clarify.


Hi Satish,

which wM Version are we talking about?

wM 7 (and maybe wM 8 (I am not quite sure for this one)) are using der-formatted certificates and keys.
There are 3 der necessary:

  • Private Key for the certificate
  • The certificate itself
  • The CA against which the certificate is signed.

MWS 7 is using a single JKS file for its own certificate containing PK, certificate and CA.
Additionally there are 2 JKS-formatted files for the Glue Subsystem: Keystore and Truststore

wM 9.x is using PKCS12/JKS-formatted certificates.

  • PKCS12 for the private key and the certificate (Keystore)
  • JKS for the CA (Truststore)

Can you describe your requirement in more detail, please?


Hi Holger,

I am using wM 8.2.1 ESB product suite. My requirement here is to secure our Integration Server with SSL to enable the users to make webservice calls. So we will give Server key, Decryption key and signing key. Do I need to convert all the keys into .DER format mandatorily before uploading onto JKS file?

Hi Satish,

you will only need an HTTPS-Port configured for your IS.

For this it is sufficient to provide the certificates under Security → Certificates in IS-Admin.
These files are der-formatted and are valid in the IS globally.

There is a possibility to provide different certificates on the Port-Config itself.

We have never been working with wM 8.2.
We are currently migrating from wM 7.1.3 to wM 9.5 SP1.

In 9.5 we have imported a PKCS12-Keystore and a JKS-Truststore under Security → Keystore and then have those assigned to the IS globally under Security → Certificates.
This is sufficient to enable HTTPS-TransportLayerSecurity.

We are not yet using signing and decryption keys.
These will apply only if you plan to encrypt the payload (the data) in addition to the secured transport layer.
As long as this is not really requested by our partner systems we avoid using this to keep testing efforts at a minimum.

About the question with the conversion:
There is no need to convert the files to DER before adding them to a JKS.

See “keytool -help” for details. This tool is part of the JDK.
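
The import discussed in this thread, as an added example that is not part of the original posts: it builds a JKS keystore (key, certificate, CA chain) and a JKS truststore (CA only) with openssl and keytool, checking each certificate's encoding by content rather than by extension. The file names, the aliases `isserver` and `ca`, the `STOREPASS` environment variable and a PEM-encoded private key are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. File names, the aliases "isserver"/"ca"
# and the STOREPASS variable are assumptions; the private key is assumed PEM.

# Print PEM or DER for a certificate file. The extension (.cer, .crt, .der)
# does not fix the encoding, so check the content.
cert_encoding() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# to_pem <in> <out>: write a PEM copy. openssl pkcs12 -export reads PEM input;
# keytool -importcert takes either encoding unchanged.
to_pem() {
  if [ "$(cert_encoding "$1")" = PEM ]; then
    cp "$1" "$2"
  else
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

# build_stores <key.pem> <server-cert> <ca-cert>
# Creates keystore.jks (key + certificate + CA) and truststore.jks (CA only).
build_stores() (
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT   # the temporary PKCS12 contains the private key
  to_pem "$2" "$tmp/server.pem" || exit 1
  to_pem "$3" "$tmp/ca.pem" || exit 1
  # 1. Bundle key, certificate and CA; the password comes from the environment
  #    so it does not show up in the process list.
  openssl pkcs12 -export -inkey "$1" -in "$tmp/server.pem" \
    -certfile "$tmp/ca.pem" -name isserver -out "$tmp/server.p12" \
    -passout env:STOREPASS || exit 1
  # 2. Copy the PKCS12 entry into a JKS keystore.
  keytool -importkeystore -noprompt \
    -srckeystore "$tmp/server.p12" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
    -destkeystore keystore.jks -deststoretype JKS -deststorepass:env STOREPASS || exit 1
  # 3. Import the CA file as delivered (PEM or DER) into the truststore.
  keytool -importcert -noprompt -alias ca -file "$3" \
    -keystore truststore.jks -storetype JKS -storepass:env STOREPASS
)

# Run when called as: STOREPASS=... ./build-stores.sh server.key server.cer ca.cer
if [ "$#" -eq 3 ]; then build_stores "$@"; fi
```

Afterwards, `keytool -list -v -keystore keystore.jks` should show the `isserver` alias as a `PrivateKeyEntry` whose certificate chain includes the CA; a `trustedCertEntry` there means the private key was not imported.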


Both .cer and .der cert formats work from a wM perspective.

Hope the above info from Holger will help, along with the keytool help!


Thank you for your posts… That will be helpful.