Option 1: Importing certificates into an existing Java keystore
The CA's reply will provide one PKCS file or multiple PEM files. Import them into your keystore as follows:
If the CA sent a PKCS file, use the command below, after substituting your values for two variables:
<your.domain.com> : The complete domain name of your server.
<CAreply.pkcs> : The name of the PKCS file provided by the CA.
keytool -importcert -alias <your.domain.com> -file <CAreply.pkcs> -keystore <your.domain.com>.jks -trustcacerts
If the CA sent PEM files, there may be one file, but most often there are two or three. Import the files to your keystore with commands in the order shown below, after substituting your values for four variables:
<root.cert.pem> : The name of the root certificate file
<intermediate.cert.pem> : The name of the intermediate certificate file
The root and intermediate files link the CA's signature to a widely trusted root certificate that is known to web browsers. Most, but not all, CA replies include roots and intermediates.
<your.domain.com> : The complete domain name of your server
<server.cert.pem> : The name of the server certificate file
The file links your domain name with your public key and the CA's signature.
keytool -importcert -alias root -file <root.cert.pem> -keystore <your.domain.com>.jks -trustcacerts keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore <your.domain.com>.jks -trustcacerts keytool -importcert -alias intermediat2 -file <intermediat2.cert.pem> -keystore <your.domain.com>.jks -trustcacerts keytool -importcert -alias <your.domain.com> -file <server.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
Troubleshoot
If you import certificates in the wrong order, the above commands return an error message. To resolve the error, you can:
Consult your CA.
Re-arrange the order of certificates and try again.
Read each certificate with the following command:
keytool -printcert -file <filename.cert.pem>
In the output, note the Owner and Issuer (signer) of each certificate. Order your import commands so that the Issuer of each certificate matches the Owner in the previous command.
Option 2: Importing certificates into an existing Java keystore
If you have an existing private key and certificates for your server's domain, in PEM format, importing them into a Java keystore requires the OpenSSL tool. OpenSSL can package the PEM files in a PKCS keystore. Java keytool can then convert the PKCS keystore to a Java keystore.
Install OpenSSL:
Windows: Download and install OpenSSL.
Linux: Verify that OpenSSL is installed by issuing the command openssl version
If that returns an error, install OpenSSL with a command like sudo apt-get install openssl
Gather your private key, server certificate, and intermediate certificate into one directory.
Package the key and certificates into a PKCS keystore with the command below, after substituting your values for four variables
(The command will prompt you for your keystore password):
<server.cert.pem>: The name of the server certificate file
The file links your domain name with your public key and CA's signature.
<private.key.pem>: The private counterpart to the public key in <server.cert.pem>
<intermediate.cert.pem>: The name of the intermediate certificate file
The file links the CA's signature to a widely trusted root certificate that is known to web browsers.
<your.domain.com> : The complete domain name of your Code42 server
openssl pkcs12 -export -in <server.cert.pem> -inkey <private.key.pem> -certfile <intermediate.cert.pem> -name "<your.domain.com>" -out <your.domain.com>.p12
Issue the command below, after substituting your values for two variables
(The command will prompt you for keystore passwords):
<your.domain.com.p12> : The existing keystore file.
<your.domain.com> : The complete domain name of your Code42 server
keytool -importkeystore -srckeystore <your.domain.com.p12> -srcstoretype PKCS12 -destkeystore <your.domain.com>.jks -deststoretype jks
You can also use the command above to convert a PFX keystore to a Java keystore