Convert your wildcard SSL to JKS (Java Keystore) Format

Edit: this post was originally posted in May of 2014 and it unfortunately did not make it in the move over when we updated the web site. Sorry about that! We noticed several folks have still been linking to it and since it is still relevant we have restored it. Thank you for reading!

So you got a wildcard SSL certificate and you need to get it into a Java Keystore format. You can spend a lot of time looking for how to do it in several tutorials that kinda-of get it right or you can follow these instructions.

This is the process we use for generating Java Keystore files for our ThinkFree Office distributions.

First copy everything you need to a folder on your Desktop. Call it STAR_mydomain_com or something. Make sure this folder contains the certificate files you received from your CA (Certificate Authority) and the original key file generated when you generated your CSR.

If you received your certificate from Comodo in “other” format you will have a bunch of files in there and they need to be assembled in the right order.

Now, open a terminal window and go to your directory. Concatenate these files:

cat STAR_domain_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > ca_bundle.pem

The first file is your certificate. After that are intermediate certificates that provide validation up to the root certificate. All of them are now in a nice bundle named ca_bunlde.pem

Run the following to convert your SSL bundle into PKCS12 format:

openssl pkcs12 -export -name -in ca_bundle.pem -inkey -out keystore.p12


-name ( is the domain you are going to be using the key on. Don’t use your * address. Use or

-in is your signed certificate

– inkey is the key file from the server that generated your CSR (certificate signing request)

-out is just a name I picked

You will be asked to generate a password. Don’t forget it!

Now run this to generate your JKS:

keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias

-destkeystore is the name of the keystore (you are creating it)

-srckeystore is the PCKS12 keystore created above

-alias is the domain from above – make sure it matches the domain from above!

You will be asked to enter the password again. Do so and select a new password (or use the same one as before) when prompted.

That’s it! Now you can verify it:

keytool -list -v -keystore keystore.jks

If you are generating this for ThinkFree Office there is one more step.

Go to the System tab > Https Certification

Next to KeyStore (JKS) File click Browse and select the keystore.jks file we just created.

In Password enter the password you chose when generating the keystore (which may be the same as the one used when generating the pkcs12 file)

In Alias Name enter the domain name you entered above (, for example) – not the wildcard domain of the certificate.

Click Apply and wait for the message “Certificate applied successfully” to appear.

At this point log on to your ThinkFree server and restart it:


Followed by


Now test it to make sure it works:

telnet localhost 443

You should be able to connect.

Don’t forget to undeploy your ThinkFree zimlets in Zimbra (if you use them), edit the xml configurations to change the sting to https and port to 443, re-zip them from within the folder:

zip -r .

And redeploy them:

zmzimletctl deploy /tmp/

You should now be able to connect from your secure Zimbra webmail with your secure ThinkFree server.

Leave a Comment