Import a CA-signed certificate into a keystore
Option 1: Importing certificates into an existing Java keystore
The CA's reply is either one PKCS#7 file (often with a .p7b extension) that contains the whole certificate chain, or several PEM files with one certificate each. Import them into your keystore as follows:
If the CA sent a PKCS#7 file, use the command below, after substituting your values for two variables:
<your.domain.com> : The complete domain name of your server. This must be the alias under which you generated the key pair and the certificate request; if no private key is stored under that alias, keytool adds the file as a trusted certificate instead of installing it as the reply to your request.
<CAreply.pkcs> : The name of the PKCS#7 file provided by the CA.
keytool -importcert -alias <your.domain.com> -file <CAreply.pkcs> -keystore <your.domain.com>.jks -trustcacerts
If the CA sent PEM files, there may be one file, but most often there are two or three: a root, one or more intermediates, and your server certificate. Import the files into your keystore with the commands in the order shown below, root first and server certificate last, after substituting your values for the variables:
<root.cert.pem> : The name of the root certificate file
<intermediate.cert.pem>, <intermediate2.cert.pem> : The names of the intermediate certificate files (omit the second intermediate command if the CA sent only one)
The root and intermediate certificates form the chain of signatures from the CA that signed your server certificate up to a root that browsers and other clients already trust. Most CA replies include the intermediates; some omit the root because clients already have it, in which case skip the root command.
<your.domain.com> : The complete domain name of your server, which is also the alias of your key pair in the keystore
<server.cert.pem> : The name of the server certificate file
This certificate binds your domain name to your public key and carries the CA's signature.
keytool -importcert -alias root -file <root.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias intermediate2 -file <intermediate2.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias <your.domain.com> -file <server.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
Troubleshoot
If you import certificates in the wrong order, keytool rejects the server certificate with an error such as "Failed to establish chain from reply", because the certificate that signed it is not yet in your keystore or in the system-wide CA keystore. To resolve the error, you can:
Consult your CA.
Re-arrange the order of certificates and try again.
Read each certificate with the following command:
keytool -printcert -file <filename.cert.pem>
In the output, note the Owner and Issuer (signer) of each certificate. A root certificate is self-signed, so its Owner and Issuer are the same. Order your import commands so that the Issuer of each certificate matches the Owner of the certificate imported by the previous command, and import the server certificate last.
If keytool reports that a root certificate already exists in the system-wide CA keystore and asks whether to add it anyway, it has recognized a public root; you can answer yes or skip that import.
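The ordering check above can be scripted. The following is an added example (not Code42's, keytool's or OpenSSL's code): it reads the Owner and Issuer of each PEM file with the openssl CLI, prints the files in import order (root, intermediates, server certificate), verifies the chain before anything touches the keystore, and prints the keytool commands with the aliases used on this page. It goes slightly beyond the text in that it also handles a reply with the root omitted, taking the highest intermediate as the top of the chain. It assumes bash, the openssl CLI on PATH and one certificate per PEM file; the file names and www.example.com are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Code42's, keytool's or OpenSSL's own code): order a CA
# reply's PEM files for keytool import and emit the matching commands.
# Assumes bash and the openssl CLI; one certificate per PEM file; file names
# and the domain www.example.com are placeholders.

# cert_field <subject|issuer> <file>: the Owner (subject) or Issuer of one
# certificate, with openssl's "subject=" / "issuer=" prefix removed.
cert_field() {
  local out
  out=$(openssl x509 -in "$2" -noout "-$1") || return 1
  out=${out#"$1="}
  printf '%s\n' "${out# }"
}

# order_chain <pem files...>: print the files top-down so that each
# certificate's Issuer is the Owner of the one printed before it. The top is
# the file whose Issuer is not the Owner of any other file: the self-signed
# root, or the highest intermediate when the CA omitted the root.
order_chain() {
  local -a files subjects issuers used
  local f i j subj iss top="" current next n
  for f in "$@"; do
    subj=$(cert_field subject "$f") || return 1
    iss=$(cert_field issuer "$f") || return 1
    files+=("$f"); subjects+=("$subj"); issuers+=("$iss"); used+=("")
  done
  for i in "${!files[@]}"; do
    local matched=""
    for j in "${!files[@]}"; do
      if [ "$i" != "$j" ] && [ "${subjects[$j]}" = "${issuers[$i]}" ]; then matched=1; fi
    done
    if [ -z "$matched" ]; then top=$i; break; fi
  done
  if [ -z "$top" ]; then
    echo "order_chain: no top-of-chain certificate among the files" >&2; return 1
  fi
  echo "${files[$top]}"; used[$top]=1; current=${subjects[$top]}
  # Walk down: the next certificate is the unused one issued by the current Owner.
  for ((n = 1; n < ${#files[@]}; n++)); do
    next=""
    for i in "${!files[@]}"; do
      if [ -z "${used[$i]}" ] && [ "${issuers[$i]}" = "$current" ]; then next=$i; fi
    done
    if [ -z "$next" ]; then
      echo "order_chain: no certificate issued by '$current'; ask the CA for the missing one" >&2
      return 1
    fi
    echo "${files[$next]}"; used[$next]=1; current=${subjects[$next]}
  done
}

# keytool_import_commands <your.domain.com> <ordered pem files...>: print the
# keytool commands in the given order. The last file is the server certificate
# and takes the domain as alias (the alias of the key pair); a self-signed
# first file is "root"; the others are intermediate, intermediate2, ...
keytool_import_commands() {
  local domain=$1; shift
  local -a files=("$@")
  local i k alias has_root=0 last=$(( ${#files[@]} - 1 ))
  if [ "$(cert_field subject "${files[0]}")" = "$(cert_field issuer "${files[0]}")" ]; then
    has_root=1
  fi
  for i in "${!files[@]}"; do
    if [ "$i" -eq "$last" ]; then
      alias=$domain
    elif [ "$i" -eq 0 ] && [ "$has_root" -eq 1 ]; then
      alias=root
    else
      k=$(( i - has_root ))
      if [ "$k" -eq 0 ]; then alias=intermediate; else alias="intermediate$(( k + 1 ))"; fi
    fi
    printf 'keytool -importcert -alias %s -file %s -keystore %s.jks -trustcacerts\n' \
      "$alias" "${files[$i]}" "$domain"
  done
}

# verify_chain <ordered pem files...>: check the chain with openssl before
# touching the keystore. The first file is the trust anchor; if it is not
# self-signed (the CA omitted the root) the check is partial and stops there.
verify_chain() {
  local -a args=(-CAfile "$1")
  local leaf="${@: -1}"
  if [ "$(cert_field subject "$1")" != "$(cert_field issuer "$1")" ]; then
    args+=(-partial_chain)
  fi
  shift
  while [ "$#" -gt 1 ]; do args+=(-untrusted "$1"); shift; done
  openssl verify "${args[@]}" "$leaf"
}

# Usage: ./order-chain.sh www.example.com server.cert.pem root.cert.pem intermediate.cert.pem
# (the PEM files may be given in any order; pipe the printed commands to sh to run them)
if [ "$#" -ge 2 ]; then
  domain=$1; shift
  mapfile -t ordered < <(order_chain "$@")
  [ "${#ordered[@]}" -eq "$#" ] || exit 1
  verify_chain "${ordered[@]}" >&2 || exit 1
  keytool_import_commands "$domain" "${ordered[@]}"
fi
```

The script only prints the keytool commands, so it runs without a JDK; review the output (in particular that the last line carries your domain alias) before piping it to a shell. When openssl verify fails on a chain that order_chain accepted, the certificates are in the right order but something else is wrong (expired certificate, intermediate without the CA flag), which is worth knowing before the import rather than after.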
Option 2: Package existing PEM-format key and certificates in a new Java keystore
If you have an existing private key and certificates for your server's domain in PEM format, importing them into a Java keystore requires the OpenSSL tool, because keytool cannot import a bare private key. OpenSSL packages the PEM files into a PKCS#12 keystore; Java keytool can then convert the PKCS#12 keystore into a Java keystore.
Install OpenSSL:
Windows: Download and install OpenSSL.
Linux: Verify that OpenSSL is installed by issuing the command openssl version
If that returns an error, install OpenSSL with a command like sudo apt-get install openssl
Gather your private key, server certificate, and intermediate certificate into one directory. Keep the private key file readable only by the account doing the conversion.
Package the key and certificates into a PKCS#12 keystore with the command below, after substituting your values for four variables
(The command will prompt you for an export password; you need the same password again when you convert the file):
<server.cert.pem>: The name of the server certificate file
This certificate binds your domain name to your public key and carries the CA's signature.
<private.key.pem>: The private counterpart to the public key in <server.cert.pem>
<intermediate.cert.pem>: The name of the intermediate certificate file
This certificate links the CA that signed your server certificate to a widely trusted root certificate that is known to web browsers. If the CA sent more than one intermediate, concatenate them into this one file.
<your.domain.com> : The complete domain name of your Code42 server
openssl pkcs12 -export -in <server.cert.pem> -inkey <private.key.pem> -certfile <intermediate.cert.pem> -name "<your.domain.com>" -out <your.domain.com>.p12
Convert the resulting PKCS#12 keystore file, <your.domain.com>.p12, into a Java keystore with keytool's -importkeystore option, after substituting your values for two variables
(The command will prompt you for the source and destination keystore passwords; the source password is the export password from the previous step):
<your.domain.com.p12> : The PKCS#12 keystore file created in the previous step.
<your.domain.com> : The complete domain name of your Code42 server
The same conversion also works for a PFX file, which is a PKCS#12 keystore with a .pfx extension.
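The whole of Option 2 as a script, added here as an example and not Code42's, OpenSSL's or keytool's own code. It packages the key and chain with openssl pkcs12, checks that the resulting file carries every certificate and the expected friendly name (keytool uses that name as the alias), and then performs the keytool -importkeystore conversion. The password is read from an environment variable so it does not land in shell history or in ps output. It assumes bash, the openssl CLI and, for the conversion step only, a JDK keytool on PATH; file names and www.example.com are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Code42's, OpenSSL's or keytool's own code): the complete
# Option 2 flow, PEM key + chain -> PKCS#12 -> JKS, with checks in between.
# Assumes bash, the openssl CLI and (for p12_to_jks) a JDK keytool on PATH.
# The password comes from the KEYSTORE_PASS environment variable.
# File names and www.example.com are placeholders.

# pem_to_p12 <your.domain.com> <server.cert.pem> <private.key.pem> [intermediate.cert.pem ...]
# Writes <your.domain.com>.p12 with the friendly name (future alias) set to the domain.
pem_to_p12() {
  local domain=$1 cert=$2 key=$3; shift 3
  local -a chain_opt=()
  # openssl pkcs12 takes a single -certfile, so concatenate every intermediate into it.
  if [ "$#" -gt 0 ]; then
    cat "$@" > "$domain.chain.pem"
    chain_opt=(-certfile "$domain.chain.pem")
  fi
  openssl pkcs12 -export -in "$cert" -inkey "$key" "${chain_opt[@]}" \
    -name "$domain" -passout env:KEYSTORE_PASS -out "$domain.p12"
}

# p12_cert_count <file.p12>: number of certificates in the bundle (server
# certificate plus intermediates). Prints 0 if the password is wrong.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:KEYSTORE_PASS 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# p12_has_alias <file.p12> <alias>: true if the bundle carries that friendly
# name, which keytool uses as the alias when it converts the file.
p12_has_alias() {
  openssl pkcs12 -in "$1" -nokeys -passin env:KEYSTORE_PASS 2>/dev/null | grep -q "friendlyName: $2\$"
}

# p12_to_jks <your.domain.com>: the keytool conversion. The destination type is
# forced to JKS because recent JDKs create PKCS12 stores by default; the key
# ends up under the domain alias with the same password as the store, which is
# what the p12 used.
p12_to_jks() {
  local domain=$1
  keytool -importkeystore \
    -srckeystore "$domain.p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
    -destkeystore "$domain.jks" -deststoretype JKS -deststorepass:env KEYSTORE_PASS \
    -srcalias "$domain" -destalias "$domain"
}

# Usage: KEYSTORE_PASS='...' ./pem2jks.sh www.example.com server.cert.pem private.key.pem intermediate.cert.pem
if [ "$#" -ge 3 ] && [ -n "${KEYSTORE_PASS:-}" ]; then
  pem_to_p12 "$@" || exit 1
  echo "$1.p12 holds $(p12_cert_count "$1.p12") certificate(s)"
  p12_to_jks "$1" || exit 1
  keytool -list -v -keystore "$1.jks" -storepass:env KEYSTORE_PASS | grep -E 'Alias name|Certificate chain length'
fi
```

The final keytool -list shows the alias and the chain length; for a server certificate with one intermediate the chain length is 2 (3 if you also included the root). Both the .p12 and the .chain.pem are working files: the .p12 contains your private key, so delete it after the conversion or protect it like the key itself.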