There are plenty of resources out there about this topic, but none I found which covers this slightly special case.

I have 4 files:

  • privatekey.pem
  • certificate.pem
  • intermediate_rapidssl.pem
  • ca_geotrust_global.pem

And I wish to import them into a fresh keystore.

Some sites suggest using DER format and importing them one by one, but this failed because the key is not recognized.

Another site suggested a special "ImportKey" class to run for the import, and this worked until I saw that the chain is broken, i.e. the chain length on the certificate is 1, ignoring the intermediate and CA.

Some sites suggest PKCS7, but I can't even get a chain from that. Others suggest PKCS12 format, but as far as my tests go that failed as well for getting the whole chain.

Any advice or hints are much welcome.

Trollbane

3 Answers

Concatenate all *.pem files into one PEM file, e.g. all.pem. Then create a keystore in PKCS#12 format with the private key + all.pem:

    openssl pkcs12 -export -inkey private.key -in all.pem -name test -out test.p12

Then import the PKCS#12 file into a JKS keystore:

    keytool -importkeystore -srckeystore test.p12 -srcstoretype pkcs12 -destkeystore test.jks

senanqerib

This may not be perfect, but I had some notes on my use of keytool that I've modified for your scenario.

  1. Import a root or intermediate CA certificate to an existing Java keystore:

    keytool -import -trustcacerts -alias root -file ca_geotrust_global.pem -keystore yourkeystore.jks
    keytool -import -trustcacerts -alias root -file intermediate_rapidssl.pem -keystore yourkeystore.jks 
    
  2. Combine the certificate and private key into one file before importing.

    cat certificate.pem privatekey.pem > combined.pem
    

    This should result in a file resembling the format below.

    BEGIN CERTIFICATE
    ...
    END CERTIFICATE
    BEGIN RSA PRIVATE KEY
    ...
    END RSA PRIVATE KEY

  3. Import a signed primary certificate & key to an existing Java keystore:

    keytool -import -trustcacerts -alias yourdomain -file combined.pem -keystore yourkeystore.jks
    
Aaron Copley
  • What version of keytool allows you to chain like this? This syntax gives "keytool error: java.lang.Exception: Certificate not imported, alias already exists" with both -import and -importcert – ctpenrose Dec 03 '14 at 00:01
  • Hard to say, exactly. But given the year/month it was likely to be Java 6? (No idea the minor release.) What version are you using? The error reads like the problem could be with the keystore itself. (`alias already exists`) Can you try with a new, empty keystore? – Aaron Copley Dec 03 '14 at 14:42
  • Keytool will not let me import a certificate using an already existing alias 'root'. But I think it was a typo. Interesting to note that keytool creates a chain for your certificate itself when it finds the signers' certificates in the keystore (under any alias). The Java tool ["Portecle"](http://portecle.sourceforge.net/) is handy for managing the Java keystore. – Houtman Dec 10 '14 at 13:42
  • Keytool doesn't work like this, and doesn't allow you to import an alias more than once as described. (And yes, I've tried). See senanqerib's answer below for something that works properly. – Steve Sether Feb 22 '16 at 17:06
  • It's a three-year-old answer. It is entirely possible that things have changed, but I assure you it worked (or was close to working, as I indicated it may not be perfect) as of Feb. 2013. Please feel free to submit an edit or flag it for moderator attention. – Aaron Copley Feb 22 '16 at 18:08
  • And what if you have multiple domains? – chx101 Jul 24 '19 at 01:12
  • In step 1 you've given the same alias, `root`, to two different CAs. This alias should be applied to the `ca_geotrust_global.pem` cert only, I think, and you can alias the other one e.g. `intermediary` or similar. – The Dude Jul 24 '20 at 14:21
  • This doesn't work! You need to generate a PKCS12 store first, and then import it using the keytool CLI. See: https://www.wowza.com/docs/how-to-import-an-existing-ssl-certificate-and-private-key – camposer Sep 21 '20 at 14:27
  • Perhaps that's what I meant by importing to an *existing Java keystore* in step 1. I don't know because I wrote it 7 years ago. Please feel free to add your own answer with any missing or additional helpful steps. – Aaron Copley Sep 28 '20 at 12:02
keytool doesn't provide a way to import a certificate + private key from a single (combined) file, as proposed above. It runs fine, but only the certificate is imported, while the private key is ignored. You can check it with `keytool -list -v -keystore yourkeystore.jks`: the yourdomain entry type is TrustedCertEntry, not PrivateKeyEntry.

So to solve the initial problem, one should first create a PKCS#12 keystore using openssl (or a similar tool), then import that keystore with keytool -importkeystore.

HBruijn
Ixmal
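The procedure from the first answer (concatenate the PEMs, export a PKCS#12 file, import it with `keytool -importkeystore`) and the check from the last answer (confirm the entry is a PrivateKeyEntry rather than a TrustedCertEntry) as one added shell example. This is not code from any of the answers or from the keytool/openssl projects. It uses the file names from the question and the `yourdomain` alias from the second answer; the PEM contents written by `make_sample_pems`, the `keytool -list -v` listing written by `write_sample_listing`, and the `export_p12`/`import_jks` wrapper names are constructed for the example. Everything except the two wrappers runs offline, so the ordering and verification logic can be exercised without real key material:

```shell
#!/bin/sh
# Added example: build the chain bundle in the order `openssl pkcs12 -export`
# expects, sanity-check it offline, and read `keytool -list -v` output to
# confirm the imported entry is a PrivateKeyEntry carrying the full chain.

# Write constructed placeholder PEM files (not real keys or certificates) into $1.
make_sample_pems() {
    dir=$1
    mkdir -p "$dir"
    for name in certificate intermediate_rapidssl ca_geotrust_global; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            "UExBQ0VIT0xERVI6$name" \
            '-----END CERTIFICATE-----' > "$dir/$name.pem"
    done
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'UExBQ0VIT0xERVI6bm90LWEta2V5' \
        '-----END RSA PRIVATE KEY-----' > "$dir/privatekey.pem"
}

# Concatenate leaf, intermediate and root (in that order) into all.pem.
# openssl pairs -inkey with the FIRST certificate in -in and treats the rest
# as the chain, so the leaf certificate must come first.
build_chain() {
    dir=$1
    cat "$dir/certificate.pem" "$dir/intermediate_rapidssl.pem" \
        "$dir/ca_geotrust_global.pem" > "$dir/all.pem"
    printf '%s\n' "$dir/all.pem"
}

# Print the number of certificate blocks in a PEM file (3 for leaf+intermediate+root).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the number of private key blocks in a file. The bundle given to -in
# should contain none; the key is supplied separately via -inkey.
count_keys() {
    grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

# The first answer's two commands, wrapped (assumed helper names). Not run
# here: they need openssl/keytool, real key material and the store passwords.
export_p12() {   # $1 = directory, $2 = alias for the key entry
    openssl pkcs12 -export -inkey "$1/privatekey.pem" -in "$1/all.pem" \
        -name "$2" -out "$1/keystore.p12"
}
import_jks() {   # $1 = directory
    keytool -importkeystore -srckeystore "$1/keystore.p12" \
        -srcstoretype pkcs12 -destkeystore "$1/keystore.jks"
}

# Constructed listing in the shape `keytool -list -v` prints: one trusted CA
# entry (no chain) and one private key entry with a three-certificate chain.
write_sample_listing() {
    cat > "$1" <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Jan 1, 2013
Entry type: trustedCertEntry

Owner: CN=Constructed Root CA
Issuer: CN=Constructed Root CA

Alias name: yourdomain
Creation date: Jan 1, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com
Issuer: CN=Constructed Intermediate CA
EOF
}

# Print the entry type recorded for alias $1 in listing file $2.
entry_type() {
    awk -v a="$1" '
        /^Alias name: / { cur = substr($0, 13) }
        /^Entry type: / && cur == a { print $3; exit }
    ' "$2"
}

# Print the chain length recorded for alias $1 (empty for trusted-cert entries).
chain_length() {
    awk -v a="$1" '
        /^Alias name: / { cur = substr($0, 13) }
        /^Certificate chain length: / && cur == a { print $4; exit }
    ' "$2"
}

# Succeed only if alias $1 is a PrivateKeyEntry whose chain holds the leaf
# plus at least one issuer; a length of 1 is the broken chain from the question.
verify_chain_entry() {
    [ "$(entry_type "$1" "$2")" = "PrivateKeyEntry" ] || return 1
    len=$(chain_length "$1" "$2")
    [ "${len:-0}" -ge 2 ]
}

# Demo run over the constructed files (no openssl or keytool needed).
work=$(mktemp -d)
make_sample_pems "$work"
bundle=$(build_chain "$work")
echo "bundle: $(count_certs "$bundle") certificates, $(count_keys "$bundle") keys"
write_sample_listing "$work/listing.txt"
for a in root yourdomain; do
    if verify_chain_entry "$a" "$work/listing.txt"; then
        echo "$a: private key entry with full chain"
    else
        echo "$a: not a usable key entry (type: $(entry_type "$a" "$work/listing.txt"))"
    fi
done
rm -rf "$work"
```

After a real import, run `keytool -list -v -keystore keystore.jks > listing.txt` and `verify_chain_entry yourdomain listing.txt` to get the same pass/fail check on the actual keystore; a chain length below 2 means the intermediate and root did not travel with the key, which is exactly the symptom the question describes.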