
I'm trying to import a CA-signed certificate into a Java keystore. All the instructions I can find for this tell me to first create a keystore and a signing request (CSR) using the Java keytool, then have the CSR signed by the CA, and then import the signed certificate back into the keystore.

Well, stupid me didn't read the fine manual and had the CA create the certificate online for me instead of uploading my own CSR. Now I've got:

  • ca.pem root certificate of the CA
  • sub.class1.server.ca.pem intermediate certificate of the CA
  • mydomain.crt signed certificate for my domain, created by the CA
  • mydomain.key private key file for my certificate, created by the CA

I tried to import the certificate to my keystore like this:

keytool -import -trustcacerts -alias root -file ca.pem -keystore mykeystore.jks
keytool -import -trustcacerts -alias intermediate -file sub.class1.server.ca.pem -keystore mykeystore.jks
keytool -import -alias mydomain -file mydomain.crt -keystore mykeystore.jks

So the content of the keystore now looks like this:

intermediate, Jul 16, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 0A:D3:...
root, Jul 16, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 3E:2B:...
mydomain, Jul 16, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 18:F2:...
selfsigned, Feb 4, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 2B:74:...

Unfortunately, the service I'm trying to secure (a JIRA server) is not reachable when using the „mydomain“ alias. When I use the „selfsigned“ alias, which is a self-signed certificate I created from the keystore earlier, with all other settings being identical, the service can be reached just fine (except for the warning about the self-signed certificate, of course); so I figure that the problem is the CA-generated certificate.

I tried concatenating the mydomain.crt and mydomain.key files as suggested in this thread without success: Import of PEM certificate chain and key to Java Keystore

Is there something I might be doing wrong? Is it possible to import a certificate created by a third party into an existing Java keystore at all? Or do I need to revoke that certificate and go through the process again with a self-made CSR extracted from my keystore?

Joe7

1 Answer


I did this in the past by using a PKCS12 keystore:

# bundle the intermediate and root certificates into one chain file
cat ca.pem sub.class1.server.ca.pem > chain.pem
# pack the CA-issued certificate, its private key and the chain into a PKCS12 store
openssl pkcs12 -export -inkey mydomain.key -certfile chain.pem \
      -out mydomain.p12 -in mydomain.crt -name mydomain

After that, use it directly by specifying keystore type as PKCS12 or convert to JKS with keytool:

keytool -importkeystore -srckeystore mydomain.p12 \
      -srcstoretype PKCS12 -deststoretype JKS -destkeystore mydomain.jks
fuero
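The listing in the question already shows the root cause: mydomain is a trustedCertEntry, not a PrivateKeyEntry, because keytool -import stores only the certificate and never the key. As an added example (not code from the question or the answer), here is a small Python check that parses non-verbose `keytool -list` output in that format and reports whether an alias can act as a TLS server identity; the sample listing and its fingerprints are constructed.

```python
import re
from typing import Dict, NamedTuple


class Entry(NamedTuple):
    alias: str
    date: str
    kind: str         # trustedCertEntry, PrivateKeyEntry or SecretKeyEntry
    fingerprint: str  # from the "Certificate fingerprint" line that follows

_ENTRY = re.compile(r"^(?P<alias>[^,]+), (?P<date>\w+ \d{1,2}, \d{4}), (?P<kind>\w+),\s*$")
_FP = re.compile(r"^Certificate fingerprint \([\w-]+\): (?P<fp>\S+)")


def parse_keytool_list(text: str) -> Dict[str, Entry]:
    """Parse lines like "mydomain, Jul 16, 2015, trustedCertEntry, " into {alias: Entry}."""
    entries: Dict[str, Entry] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = _ENTRY.match(line)
        if m:
            current = Entry(m["alias"].lower(), m["date"], m["kind"], "")
            entries[current.alias] = current
            continue
        m = _FP.match(line)
        if m and current is not None:
            entries[current.alias] = current._replace(fingerprint=m["fp"].upper())
    return entries


def can_serve_tls(entries: Dict[str, Entry], alias: str) -> tuple:
    """A server's keyAlias must name a PrivateKeyEntry; a trustedCertEntry holds only
    the public certificate, so the server has no key to sign the handshake with."""
    e = entries.get(alias.lower())
    if e is None:
        return False, f"alias '{alias}' not found in keystore"
    if e.kind == "PrivateKeyEntry":
        return True, f"alias '{alias}' holds a private key with its certificate chain"
    if e.kind == "trustedCertEntry":
        return False, (f"alias '{alias}' is a trustedCertEntry: the certificate was imported "
                       "without its private key; build a PKCS12 with openssl and load it "
                       "with keytool -importkeystore instead of keytool -import")
    return False, f"alias '{alias}' is a {e.kind}, not a TLS server identity"


# Constructed sample in the question's listing format; fingerprints are made up.
SAMPLE_LISTING = """\
intermediate, Jul 16, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 0A:D3:CC:01
mydomain, Jul 16, 2015, trustedCertEntry, 
Certificate fingerprint (SHA1): 18:F2:CC:02
selfsigned, Feb 4, 2015, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 2B:74:CC:03
"""
```

Run it against real output with `keytool -list -keystore mykeystore.jks | python3 -c '...'` and check the alias named in the server's keyAlias setting; after the PKCS12 import the same alias should come back as PrivateKeyEntry.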