How to Import *.p7s certificate chain into keystore?

tls certificate http java

17,943

In your case, as you already have the private key in your keystore, you can import the PKCS#7 certificate chain (*.p7s / *.p7b ...) thanks to this command :

 keytool -import -alias <same alias as the key> -file <p7 filename> -keystore <keystore filename>

Whereas, if you want to import a certificate chain whitout having the key in the keystore, keytool does not accept to import it in one shot and so you have to follow this method (or if the previous method did not work):

To proceed, just create one pem file per certificate and import them in the keystore, setting the same alias for the certificate as the key alias.

(the content of each pem file is the base64 form of the certificate :

-----BEGIN CERTIFICATE-----

...

-----END CERTIFICATE-----

)

To import a certificate with keytool :

keytool -import -alias server -file server.pem -trustcacerts -keystore domain.jks

Sources :

personal experience
comments of this answer (thanks to David Hofmann and dave_thompson_085)
another question for a pkcs#7 problem : https://stackoverflow.com/questions/25983440/keytool-keytool-error-java-lang-exception-input-not-an-x-509-certificate

Note :
kse51 can be very useful when managing keystore. You can find it here : https://sourceforge.net/projects/keystore-explorer/ . (I have no relation with the software editor)

17,943

David Hofmann

15 years of coding since high-school and still enjoying it every single day. Oracle Certified Profesional Java Programmer. Certified Vaadin 8 Developer.

Updated on September 18, 2022

Comments

David Hofmann almost 2 years

I've used this commands to create my csr

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore domain.jks -dname "CN=*.domain.com,OU=Software Development, O=Company Name, L=Asuncion, ST=Central, C=PY"
keytool -certreq -alias server -keyalg RSA -sigalg SHA256withRSA -file domain.csr -keystore domain.jks

Then I've got my certificate signed

Web Server CERTIFICATE
-----------------
-----BEGIN CERTIFICATE-----
MIIFZjCCBE6gAwIBAgIQeg8KZmYMVuy/9w/yfpEWozANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
UmFwaWRTU0wgU0hBMjU2IENBMB4XDTE2MDMwNzAwMDAwMFoXDTE3MDQwNjIzNTk1
OVowFjEUMBIGA1UEAwwLKi5zZWdweS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCk2tfnkEN7n6Qtg7wt4lbFHyBN0UW19aSjwme5/zXbLp5S0TUN
MSwxilEGFumUE700oAyT0uQBakV9m/qwrljDdZNgrR2+4VSJfMTL+fRSNQh//pls
TFV8sc6czPxnSKeT8ufsCFF50aadRnK2+GdLC5Vpfhlwfknpu7d3RI5aMFwWzSfG
YNsqShm7sJtYnwA1y3o9eG2XiDuNt6Y5+5lHEafwGxwg8gaL5MpY5wNPDNfr6sYp
YOkJi/JdgRlLnEZn2nTawJRhkODb64vZ5arteN06fBMJjw+yrhfFqt/MEwy2Odiv
WOrWgi1ODft3QHO8jd2JCX4j/apBTEm/acmtAgMBAAGjggKCMIICfjAhBgNVHREE
GjAYggsqLnNlZ3B5LmNvbYIJc2VncHkuY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQw
IjAgoB6gHIYaaHR0cDovL2dwLnN5bWNiLmNvbS9ncC5jcmwwbwYDVR0gBGgwZjBk
BgZngQwBAgEwWjAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29t
L2xlZ2FsMCwGCCsGAQUFBwICMCAMHmh0dHBzOi8vd3d3LnJhcGlkc3NsLmNvbS9s
ZWdhbDAfBgNVHSMEGDAWgBSXwidQnsLJ7AyIMsh8reKmAU/abzAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEB
BEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2dwLnN5bWNkLmNvbTAmBggrBgEFBQcw
AoYaaHR0cDovL2dwLnN5bWNiLmNvbS9ncC5jcnQwggEFBgorBgEEAdZ5AgQCBIH2
BIHzAPEAdgDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVNS3iEc
AAAEAwBHMEUCIQCWspEnkaLlNJNpPVDU1M0QnErjVSPI1pOQNGcXjpG03wIgCbjt
I9hCpywde6agjJyn7+nJ/TT0Bk35SLqkkYWwfm0AdwCkuQmQtBhYFIe7E6LMZ3AK
PDWYBPkb37jjd80OyA3cEAAAAVNS3iFaAAAEAwBIMEYCIQDB0lAOazP3u9pYPwEc
6VDu+PloTiKoju2Up9ANeR9qowIhAPcUsiayPGVWMuLwb842w9oCkiASjWlGj9CL
Gbadpg3AMA0GCSqGSIb3DQEBCwUAA4IBAQCuujNCOo8z69IYcQFEJkbXwcUJDEWZ
9rP7IbOY1/P9GicK//lR/RMpoZqCujsMVOrq3baAdOb27n08sD7qi9uPeCNcpAeK
EeKEXrppcG9qD6zy+yx1K6GZW4GY0iSJ5U0+ad26t0ShkH0hzPmvNv5rHe8LEAU1
sxwTuKBhyf41+6MCMbdpex0Id17IWqUpb7ZSNq2n1ilJyEeuO5gQ64XXctc6MWzF
NfhcYcaL9kSS1ENRXvLcotbuLCUg/zu1WThUm3a/6QvpWRMUCcqyBehVVNa69Av0
aq4cMMrjJ9Qtt1tZN0dXNXsZPP9rPyv+KAY3Fa15M9rHZAgfBSuNjeGG
-----END CERTIFICATE-----

INTERMEDIATE CA:
---------------------------------------
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgIDAjpxMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQK
Ew1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTMxMjExMjM0
NTUxWhcNMjIwNTIwMjM0NTUxWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5j
LjEbMBkGA1UEAxMSUmFwaWRTU0wgU0hBMjU2IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAu1jBEgEul9h9GKrIwuWF4hdsYC7JjTEFORoGmFbdVNcRjFlbPbFUrkshhTIWX1SG5tmx
2GCJa1i+ctqgAEJ2sSdZTM3jutRc2aZ/uyt11UZEvexAXFm33Vmf8Wr3BvzWLxmKlRK6msrVMNI4
/Bk7WxU7NtBDTdFlodSLwWBBs9ZwF8w5wJwMoD23ESJOztmpetIqYpygC04q18NhWoXdXBC5VD0t
A/hJ8LySt7ecMcfpuKqCCwW5Mc0IW7siC/acjopVHHZDdvDibvDfqCl158ikh4tq8bsIyTYYZe5Q
Q7hdctUoOeFTPiUs2itP3YqeUFDgb5rE1RkmiQF1cwmbOwIDAQABo4IBSjCCAUYwHwYDVR0jBBgw
FoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4wHQYDVR0OBBYEFJfCJ1CewsnsDIgyyHyt4qYBT9pvMBIG
A1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6
Ly9nMS5zeW1jYi5jb20vY3Jscy9ndGdsb2JhbC5jcmwwLwYIKwYBBQUHAQEEIzAhMB8GCCsGAQUF
BzABhhNodHRwOi8vZzIuc3ltY2IuY29tMEwGA1UdIARFMEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsG
AQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzMCkGA1UdEQQiMCCk
HjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTU2OTANBgkqhkiG9w0BAQsFAAOCAQEANevhiyBW
lLp6vXmp9uP+bji0MsGj21hWID59xzqxZ2nVeRQb9vrsYPJ5zQoMYIp0TKOTKqDwUX/N6fmS/Zar
RfViPT9gRlATPSATGC6URq7VIf5Dockj/lPEvxrYrDrK3maXI67T30pNcx9vMaJRBBZqAOv5jUOB
8FChH6bKOvMoPF9RrNcKRXdLDlJiG9g4UaCSLT+Qbsh+QJ8gRhVd4FB84XavXu0R0y8TubglpK9Y
Ca81tGJUheNI3rzSkHp6pIQNo0LyUcDUrVNlXWz4Px8G8k/Ll6BKWcZ40egDuYVtLLrhX7atKz4l
ecWLVtXjCYDqwSfC2Q7sRwrp0Mr82A==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----

I also received a p7s file (domain.com.p7s)

I've tried in many different ways to import it properly to the keystore but I get the error that shows in this page https://thedomain.com/ > ERR_CERT_AUTHORITY_INVALID

What is the command to import this chain ? this is not the first time I am doing this but this time I just can't get it to work.

Admin over 8 years

The .p7s file is a certificate for digital signed emails.

David Hofmann over 8 years

this actually solves the problem, and yes, keytool does work with p7s files, at least on my case stackoverflow.com/a/35857320/39998
dave_thompson_085 over 8 years

@DavidHofmann specifically, keytool accepts a pkcs7 chain of certs for your privatekey (or exactly, for a privatekey entry in your keystore), but not one with certs that are for (an)other key(s), including (a) key(s) belonging to (an)other party(ies).
zr_ifrit over 8 years

thanks for those informations @dave_thompson_085 , I updated my answer