How to Import *.p7s certificate chain into keystore?
In your case, as you already have the private key in your keystore, you can import the PKCS#7 certificate chain (*.p7s / *.p7b ...) thanks to this command :
keytool -import -alias <same alias as the key> -file <p7 filename> -keystore <keystore filename>
Whereas, if you want to import a certificate chain without having the key in the keystore, keytool will not import it in one shot, so you have to follow this method (or if the previous method did not work):
To proceed, just create one pem file per certificate and import them in the keystore, setting the same alias for the certificate as the key alias.
(the content of each pem file is the base64 form of the certificate :
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
)
To import a certificate with keytool :
keytool -import -alias server -file server.pem -trustcacerts -keystore domain.jks
Sources :
- personal experience
- comments of this answer (thanks to David Hofmann and dave_thompson_085)
- another question for a pkcs#7 problem : https://stackoverflow.com/questions/25983440/keytool-keytool-error-java-lang-exception-input-not-an-x-509-certificate
Note :
kse51 can be very useful when managing keystore. You can find it here : https://sourceforge.net/projects/keystore-explorer/ . (I have no relation with the software editor)
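An added example (not part of the original answer) of the one-PEM-file-per-certificate method, for the case in the question where the private key already sits in the keystore under the key alias. It assumes `openssl` is installed and that the first certificate in the chain is the server certificate; the function names and the `ca-N` aliases are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... in bundle order and prints the
# count. Text between certificates (subject=/issuer= lines) is dropped.
# Fails if the bundle ends inside an unterminated certificate.
split_pem_bundle() {
    bundle=$1 outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { if (inside) exit 1; print n + 0 }
    ' "$bundle"
}

# import_chain KEYSTORE KEY_ALIAS CERT_DIR COUNT
# Assumption: cert-1.pem is the server certificate and the rest are CA
# certificates. CA certificates go in first as trusted entries (aliases
# ca-2, ca-3, ...), then the server certificate goes onto the key alias.
# keytool prompts for the keystore password and asks for confirmation of
# any certificate it cannot chain to one it already trusts.
import_chain() {
    ks=$1 key_alias=$2 dir=$3 i=$4
    while [ "$i" -gt 1 ]; do
        keytool -importcert -trustcacerts -alias "ca-$i" \
            -file "$dir/cert-$i.pem" -keystore "$ks" || return 1
        i=$((i - 1))
    done
    keytool -importcert -trustcacerts -alias "$key_alias" \
        -file "$dir/cert-1.pem" -keystore "$ks"
}

# Usage: sh import-chain.sh domain.com.p7s domain.jks server
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp -d) || exit 1
    # A PKCS#7 file may be PEM or DER encoded: try PEM first, then DER.
    openssl pkcs7 -print_certs -in "$1" -out "$tmp/chain.pem" 2>/dev/null ||
        openssl pkcs7 -print_certs -inform DER -in "$1" -out "$tmp/chain.pem" ||
        exit 1
    n=$(split_pem_bundle "$tmp/chain.pem" "$tmp/certs") || exit 1
    [ "$n" -ge 1 ] || exit 1
    import_chain "$2" "$3" "$tmp/certs" "$n"
fi
```

Check the result with `keytool -list -v -alias server -keystore domain.jks`: the key entry should report a certificate chain length greater than 1.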
Updated on September 18, 2022
Comments
-
David Hofmann almost 2 years
I've used these commands to create my CSR
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore domain.jks -dname "CN=*.domain.com,OU=Software Development, O=Company Name, L=Asuncion, ST=Central, C=PY"
keytool -certreq -alias server -keyalg RSA -sigalg SHA256withRSA -file domain.csr -keystore domain.jks
Then I've got my certificate signed
I also received a p7s file (domain.com.p7s)
I've tried in many different ways to import it properly to the keystore but I get the error that shows in this page https://thedomain.com/ > ERR_CERT_AUTHORITY_INVALID
What is the command to import this chain? This is not the first time I am doing this, but this time I just can't get it to work.
-
Admin over 8 years
The .p7s file is a certificate for digitally signed emails.
-
David Hofmann over 8 years
this actually solves the problem, and yes, keytool does work with p7s files, at least in my case stackoverflow.com/a/35857320/39998
-
dave_thompson_085 over 8 years
@DavidHofmann specifically, keytool accepts a pkcs7 chain of certs for your privatekey (or exactly, for a privatekey entry in your keystore), but not one with certs that are for (an)other key(s), including (a) key(s) belonging to (an)other party(ies).
-
zr_ifrit over 8 years
thanks for that information @dave_thompson_085, I updated my answer