Not able to load P7B file into keystore file
When importing a certificate chain, keytool expects the certificates to be loaded in DER form. You can create such a bundle with openssl:
1 - Convert all certificates in DER format
openssl x509 -in certificate.pem -outform DER -out certificate.crt
2 - Concat all DER certificates into one single file
cat cert1.crt cert2.crt ... > chain.der
3 - Now you can import the chain into your keystore with keytool
keytool -importcert -trustcacerts -alias <myalias> -file chain.der -keystore keystore.jks -storepass <mypassword>
Note that myalias MUST be the same as the one used when the key was generated.
4 - verify that the chain was successfully imported
keytool -list -v -keystore keystore.jks
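As an added example that is not part of the answer above, the following script goes one step further than the DER concatenation: it sniffs whether a file is DER or PEM, uses "openssl pkcs7 -print_certs" when the file is a PKCS#7 bundle such as the test.p7b from the question (which "openssl x509" cannot read, hence the "Expecting: TRUSTED CERTIFICATE" and "wrong tag" errors), writes all certificates to one PEM chain and hands that to keytool. The script name, the output file chain.pem and the three positional arguments are assumptions; openssl and keytool are assumed to be on PATH only for the convert and import steps.

```shell
#!/bin/sh
# Added example, not from the original answer: detect the real encoding of a
# certificate file, turn it into a PEM chain, then import it with keytool.

# sniff_format FILE -> prints "der", "pem" or "unknown"
sniff_format() {
    # A DER-encoded PKCS#7 or X.509 object always starts with a SEQUENCE tag, 0x30
    if [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    elif grep -q '^-----BEGIN ' "$1"; then
        echo pem
    else
        echo unknown
    fi
}

# pem_label FILE -> label of the first PEM block, e.g. PKCS7 or CERTIFICATE
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sed -n '1p'
}

# to_pem_chain IN OUT -> writes every certificate found in IN to OUT as PEM
to_pem_chain() {
    case "$(sniff_format "$1")" in
        der)
            # PKCS#7 first ("openssl x509" only reads one bare certificate),
            # then fall back to a single DER X.509 certificate
            openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null ||
                openssl x509 -inform DER -in "$1" -out "$2" ;;
        pem)
            case "$(pem_label "$1")" in
                PKCS7)       openssl pkcs7 -in "$1" -print_certs -out "$2" ;;
                CERTIFICATE) cp "$1" "$2" ;;   # already a PEM chain, keep as is
                *)           echo "$1: unsupported PEM label" >&2; return 1 ;;
            esac ;;
        *) echo "$1: neither DER nor PEM" >&2; return 1 ;;
    esac
}

# count_certs FILE -> number of PEM certificates in FILE (3 for root,
# intermediate and leaf, as described in the question)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage (assumed script name): sh p7b_to_keystore.sh test.p7b my.domain.com my.domain.keystore
# keytool reads the whole PEM chain; use the alias of the existing
# PrivateKeyEntry when the chain belongs to a key already in the keystore.
if [ "$#" -eq 3 ]; then
    to_pem_chain "$1" chain.pem && echo "$(count_certs chain.pem) certificate(s) in chain.pem" &&
    keytool -importcert -trustcacerts -alias "$2" -keystore "$3" -file chain.pem
fi
```

Run keytool -list -v afterwards to confirm that the entry now shows a certificate chain length of 3 rather than a single certificate.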
Updated on October 29, 2020
Comments
-
Mark Veenstra over 3 years
I received a new certificate in crt/cert format. When I open this file in a text editor they added the complete certificate chain to this file. Each certificate starts with:
-----BEGIN CERTIFICATE-----
And ends with:
-----END CERTIFICATE-----
There are no empty lines in between. Since I am not keen with openssl, I opened up the certificate into Windows and exported the certificate with the complete chain in PKCS#7 format (test.p7b). When I open this file all looks fine in Windows and the root, intermediate and the certificate are all there in the chain. When I put the file test.p7b on the server and try to import this with keytool as follows:
keytool -import -trustcacerts -alias my.domain.com -keystore my.domain.keystore -keypass changeme -storepass changeme -file test.p7b
I get the following error:
keytool error: java.lang.Exception: Input not an X.509 certificate
When I test the P7B file I also get errors:
bash-4.1$ openssl x509 -in test.p7b -text
unable to load certificate
140009984849736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
or:
bash-4.1$ openssl x509 -in test.p7b -inform DER -text
unable to load certificate
140396587853640:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140396587853640:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509_CINF
140396587853640:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=cert_info, Type=X509
Can someone help me out?
-
Mark Veenstra over 10 years
This certificate is not our own certificate, but a certificate received from our client. Should I then ask our client which alias they used when they created the key? And with the key created question you mean the certificate signing request (CSR)?
-
Mark Veenstra over 10 years
Also when I verify I get the following output:
Your keystore contains 1 entry
Would that be correct?
-
Jcs over 10 years
You can find the alias with the keytool list command:
keytool -list -keystore keystore.jks
"Your keystore contains 1 entry" is fine. The alias should be printed on the next line:
<alias>, Oct 28, 2013, PrivateKeyEntry,
-
Mark Veenstra over 10 years
That would be the alias I gave it. That would not be the alias that is the same when the key was generated. I am confused here.
-
gtrig over 10 years
It sounds like your keystore contains only the certificate and not the original corresponding private key. If that's true, you don't need the key entry alias. You can use whatever alias you want to specify the certificate entry in the keystore.
-
Pavel Laskov about 9 years
"openssl -in" expects a .pem file and throws an error on .p7b
-
uh_big_mike_boi over 8 years
I don't see how this solves the problem the OP asked. The command provided here doesn't even work with p7b files, which is the whole point of the first question.