How to add certificate chain to keystore?
Solution 1
From the keytool man - it imports certificate chain, if input is given in PKCS#7 format, otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via openssl crl2pkcs7 command.
Solution 2
I solved the problem by cat'ing all the pems together:
cat cert.pem chain.pem fullchain.pem >all.pem
openssl pkcs12 -export -in all.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root -password MYPASSWORD
keytool -importkeystore -deststorepass MYPASSWORD -destkeypass MYPASSWORD -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass MYPASSWORD -alias tomcat
keytool -import -trustcacerts -alias root -file chain.pem -keystore MyDSKeyStore.jks -storepass MYPASSWORD
(keytool didn't know what to do with a PKCS7 formatted key)
I got all the pems from letsencrypt
Volodymyr Bezuglyy
Updated on November 02, 2020Comments
-
Volodymyr Bezuglyy over 3 years
I have file with chain of certificates - certificate.cer:
subject=/C... issuer=/C=US/O=VeriSign, Inc... -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/C=US/O=VeriSign, Inc... issuer=/C=US/O=VeriSign, Inc... -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/C=US/O=VeriSign, Inc... issuer=/C=US/O=VeriSign, Inc... -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----I need to add this chain of certificates to keystore.
What I do:openssl x509 -outform der -in certificate.cer -out cert.der keytool -v -importcert -alias mykey -file cert.der -keypass <passwd> -keystore keystore -storepass <passwd> -alias <myalias>In result I have only 1 certificate in keystore.
But should have 3.
What could be wrong?SOLUTION:
CA sent me certificates in PKCS#7 format.
I stored them in certificate.p7b file and then successfully added them to keystore by following command:keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias" -
Volodymyr Bezuglyy about 11 yearsI already have certificates in PKCS#7 format. CA have sent me them in email. Certificates were successfully added to keystore by following command: keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias" Thank you!
-
My-Name-Is almost 9 yearsDidn't work for me. I'm getting the error:
keytool error: java.lang.Exception: Input not an X.509 certificate. The p7p file was created via:openssl crl2pkcs7 -nocrl -certfile cacert.pem -certfile client-cert.pem -out outfile.p7b -
My-Name-Is almost 9 yearsThe post here:
http://stackoverflow.com/a/22028156/1817029tells that keytool can't import p7p files! -
mecabpazzo95 over 7 yearsI also could not get keytool to import a p7b file
-
Raul Santelices about 7 yearsWorked for me too. To obtain that private key, this other answer was useful: security.stackexchange.com/a/66865/141918 -
Marcus about 6 yearsNote that cat will create a broken pem if there is a newline missing at the end of a cert (happened to me). So better checkall.pemcontent afterwards. -
Mathieu Diepman over 4 yearsWorked for me. Note that MYPASSWORD is not necessarily the same for the store, source- and destination certificate key.
-
FerdTurgusen over 2 yearsI have been searching for days for this answer. This is what works if you have the cert chain, key, and the certificate itself all in .pem format. Thank you! -
danisupr4 about 2 yearsthanks a lot, it works for me, but in my case I modify this: -deststoretype JCEKS, because in my code it cannot recognize PKCS12 format
