Not able to load P7B file into keystore file


When importing a certificate chain, keytool expects the certificates to be loaded in DER form. You can create such a bundle with openssl:

1 - Convert all certificates in DER format

openssl x509 -in certificate.pem -outform DER -out certificate.crt

2 - Concatenate all DER certificates into one single file

cat cert1.crt cert2.crt ... > chain.der

3 - Now you can import the chain into your keystore with keytool

keytool -importcert -trustcacerts -alias <myalias> -file chain.der -keystore keystore.jks -storepass <mypassword>

Note that myalias MUST be the same as the one used when the key was generated.

4 - Verify that the chain was successfully imported

keytool -list -v -keystore keystore.jks
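Added example, not part of the original answer: a small POSIX shell script that first classifies the file keytool was handed, then unpacks a PKCS#7 bundle with openssl pkcs7 -print_certs into the plain PEM chain that step 3 above consumes. The detector also accounts for the openssl errors in the question: a .p7b is a PKCS#7 ContentInfo, whose first inner element is the contentType OID rather than a tbsCertificate SEQUENCE, which is the "wrong tag" openssl x509 -inform DER reports at Type=X509_CINF, and a .p7b that is not a PEM-wrapped CERTIFICATE (binary DER, or a BEGIN PKCS7 header) is why the PEM reader reports "no start line". The function names, file names and the sample bytes used for testing are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original answer): triage a file that keytool
# rejected with "Input not an X.509 certificate", then unpack a PKCS#7 (.p7b)
# bundle into a plain PEM certificate chain with openssl.
# Function and file names are this example's own; only od, head, tr, sed,
# grep and (for the actual unpacking) openssl are used.

# der_inner_tag FILE: print, in hex, the tag of the first element inside the
# outer DER SEQUENCE. A Certificate starts with tbsCertificate (SEQUENCE, 30);
# a PKCS#7 ContentInfo starts with the contentType OID (06). That OID is the
# "wrong tag" openssl x509 complains about when it is given a .p7b.
der_inner_tag() {
    len=$(od -An -tx1 -j 1 -N 1 "$1" | tr -d ' \n')
    case $len in
        81) off=3 ;;   # long form: one length byte follows 0x81
        82) off=4 ;;   # two length bytes (typical for certificates and bundles)
        83) off=5 ;;
        84) off=6 ;;
        *)  off=2 ;;   # short form: the single length byte sits at offset 1
    esac
    od -An -tx1 -j "$off" -N 1 "$1" | tr -d ' \n'
}

# cert_format FILE: prints one of
#   der-x509 | der-pkcs7 | der-unknown | pem-x509 | pem-pkcs7 | unknown
cert_format() {
    first=$(od -An -tx1 -N 1 "$1" | tr -d ' \n')
    if [ "$first" = 30 ]; then          # DER: every ASN.1 SEQUENCE starts with 0x30
        case $(der_inner_tag "$1") in
            30) echo der-x509 ;;
            06) echo der-pkcs7 ;;
            *)  echo der-unknown ;;
        esac
        return 0
    fi
    case $(head -n 1 "$1" | tr -d '\r') in   # Windows exports often carry CRLF
        "-----BEGIN CERTIFICATE-----") echo pem-x509 ;;
        "-----BEGIN PKCS7-----")       echo pem-pkcs7 ;;
        *)                             echo unknown ;;
    esac
}

# pem_only: keep just the PEM certificate blocks from stdin, dropping the
# "subject=/issuer=" lines that openssl pkcs7 -print_certs emits and any CR.
pem_only() {
    tr -d '\r' | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# count_certs FILE: number of PEM certificates in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# p7b_to_pem IN OUT: write the certificates carried by IN as a PEM chain to OUT.
# The result is what the answer's step 3 (keytool -importcert ... -file OUT) takes.
p7b_to_pem() {
    in=$1
    out=$2
    fmt=$(cert_format "$in")
    case $fmt in
        der-pkcs7) inform=DER ;;
        pem-pkcs7) inform=PEM ;;
        pem-x509)  pem_only < "$in" > "$out"; return 0 ;;   # already PEM; just normalise
        *) echo "$in: $fmt, not a PKCS#7 bundle or PEM certificate" >&2; return 1 ;;
    esac
    # pkcs7 (not x509) is the openssl subcommand that understands a .p7b.
    openssl pkcs7 -inform "$inform" -in "$in" -print_certs | pem_only > "$out"
}

# Usage: ./p7b_triage.sh test.p7b [chain.pem]
if [ $# -ge 1 ]; then
    echo "$1: $(cert_format "$1")"
    if [ $# -ge 2 ]; then
        p7b_to_pem "$1" "$2" && echo "wrote $(count_certs "$2") certificate(s) to $2"
    fi
fi
```

Running it on the question's test.p7b would print der-pkcs7 (or pem-pkcs7 for a Base64 export), and the second argument produces a chain.pem that can be passed to keytool in place of the concatenated DER file from step 2.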
Author: Mark Veenstra

Updated on October 29, 2020

Comments

  • Mark Veenstra, over 3 years

    I received a new certificate in crt / cert format. When I open this file in a text editor they added the complete certificate chain to this file. Each certificate starts with:

    -----BEGIN CERTIFICATE-----

    And ends with:

    -----END CERTIFICATE-----

    There are no empty lines in between. Since I am not familiar with openssl, I opened the certificate in Windows and exported the certificate with the complete chain in PKCS#7 format (test.p7b). When I open this file, all looks fine in Windows, and the root, the intermediate and the certificate are all there in the chain.

    When I put the file test.p7b on the server and try to import this with keytool as follows:

    keytool -import -trustcacerts -alias my.domain.com -keystore my.domain.keystore -keypass changeme -storepass changeme -file test.p7b

    I get the following error:

    keytool error: java.lang.Exception: Input not an X.509 certificate

    When I test the P7B file I also get errors:

    bash-4.1$ openssl x509 -in test.p7b -text
    unable to load certificate
    140009984849736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE

    or:

    bash-4.1$ openssl x509 -in test.p7b -inform DER -text
    unable to load certificate
    140396587853640:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
    140396587853640:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509_CINF
    140396587853640:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=cert_info, Type=X509

    Can someone help me out?

  • Mark Veenstra, over 10 years
    This certificate is not our own certificate, but a certificate received from our client. Should I then ask our client which alias they used when they created the key? And by "key created" do you mean the certificate signing request (CSR)?
  • Mark Veenstra, over 10 years
    Also when I verify I get the following output: Your keystore contains 1 entry. Would that be correct?
  • Jcs, over 10 years
    You can find the alias with the keytool list command: keytool -list -keystore keystore.jks. "Your keystore contains 1 entry" is fine. The alias should be printed on the next line: <alias>, Oct 28, 2013, PrivateKeyEntry,
  • Mark Veenstra, over 10 years
    That would be the alias I gave it. That would not be the alias that is the same when the key was generated. I am confused here
  • gtrig, over 10 years
    It sounds like your keystore contains only the certificate and not the original corresponding private key. If that's true, you don't need the key entry alias. You can use whatever alias you want to specify the certificate entry in the keystore.
  • Pavel Laskov, about 9 years
    "openssl -in" expects a .pem file and throws an error on .p7b
  • uh_big_mike_boi, over 8 years
    I don't see how this solves the problem the OP asked. The command provided here doesn't even work with .p7b files, which is the whole point of the first question.