39

There are plenty of resources out there about this topic, but none I found which covers this slightly special case.

I have 4 files;

  • privatekey.pem
  • certificate.pem
  • intermediate_rapidssl.pem
  • ca_geotrust_global.pem

And I wish to import them into a fresh keystore.

Some site suggest to use DER-format, and import them one by one, but this failed because the key is not recognized.

Another site suggested a special "ImportKey"-class to run for import, and this worked until I saw that the chain is broken. I.e. the chain length on the certificate is 1, ignoring the intermediate and ca.

Some sites suggest PKCS7, but I can't even get a chain from that. Other suggest PKCS12 format, but as far as my tests go that failed as well for getting the whole chain.

Any advice or hints are much welcome.

Trollbane
  • 493

3 Answers3

59

Concatenate all *.pem files into one pem file, like all.pem Then create keystore in p12 format with private key + all.pem

openssl pkcs12 -export -inkey private.key -in all.pem -name test -out test.p12

Then export p12 into jks 

keytool -importkeystore -srckeystore test.p12 -srcstoretype pkcs12 -destkeystore test.jks
Lennart Schedin
  • 115
  • 5
senanqerib
  • 691
31

This may not be perfect, but I had some notes on my use of keytool that I've modified for your scenario.

  1. Import a root or intermediate CA certificate to an existing Java keystore:

    keytool -import -trustcacerts -alias root -file ca_geotrust_global.pem -keystore yourkeystore.jks
keytool -import -trustcacerts -alias root -file intermediate_rapidssl.pem -keystore yourkeystore.jks

  2. Combine the certificate and private key into one file before importing.

    cat certificate.pem privatekey.pem > combined.pem

    This should result in a file resembling the below format.

    BEGIN CERTIFICATE
    ...
    END CERTIFICATE
    BEGIN RSA PRIVATE KEY
    ...
    END RSA PRIVATE KEY

  3. Import a signed primary certificate & key to an existing Java keystore:

    keytool -import -trustcacerts -alias yourdomain -file combined.pem -keystore yourkeystore.jks
Aaron Copley
  • 12,954
11

keytool doesn't provide a way to import certificate + private key from a single (combined) file, as proposed above. It runs fine, but only certificate is imported, while private key is ignored. You can check it by keytool -list -v -keystore yourkeystore.jks - yourdomain entry type is TrustedCertEntry, not PrivateKeyEntry.

So to solve the initial problem, one should first create a PKCS#12 keystore using openssl (or similar tool), then import the keystore with keytool -importkeystore.

HBruijn
  • 84,206
  • 24
  • 145
  • 224
Ixmal
  • 111