112

I am trying to import a certificate and a key file into the keystore but I'm unable to do that.

How can I create a keystore by importing both an existing certificate (abc.crt) and abc.key files?

7 Answers

179

The easiest is probably to create a PKCS#12 file using OpenSSL:

openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12 

You should be able to use the resulting file directly using the PKCS12 keystore type.

If you really need to, you can convert it to JKS using keytool -importkeystore (available in keytool from Java 6):

keytool -importkeystore -srckeystore abc.p12 \
    -srcstoretype PKCS12 \
    -destkeystore abc.jks \
    -deststoretype JKS

10 Comments

Thanks Bruno, Can you please let me know from where I can get openssl utility?
One more question here, is generated keystore platform specific? Means will it work if I create keystore in windows and use it in unix?
The generated keystore is platform independent. OSX and most Linux distributions should come with OpenSSL (otherwise, just install the package). There are binaries for Windows too (here, for example, although you can probably find other places too.)
I should also point out that with a PKCS12 keystore, the keys password is the same as the store's password (whereas they may be different for other types of stores, especially JKS).
@HenningMakholm, it's possible that your private key file isn't password-protected; you'll have to set one up when you create the PKCS#12 file.
45

You must use OpenSSL and keytool.

OpenSSL for CER & PVK file > P12

openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12

Keytool for p12 > JKS

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert

6 Comments

where is the private key?
that's what I don't understand!!
How is this different from the other earlier answer??
Thanks. I have a PKCS#7 certificate. Should I use PKCS#12 or PKCS#7?
Please note the options we are passing: -name (for PKCS#12) and -alias (for JKS).
7

Adding to @MK Yung's and @Bruno's answers: do enter a password for the destination keystore. I saw my console hanging when I entered the command without a password.

openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12 -name localhost -passout pass:changeit 

1 Comment

Thanks! I also got a hung console and this helped fix it.
6

Ideally you should have received 3 files: ca_bundle.crt yourname.crt yourname.key

Use the following command to create the PKCS#12 version of it:

openssl pkcs12 -export -out yourname.pfx -inkey yourname.key -in yourname.crt -certfile ca_bundle.crt 

Then you will need to import it into a keystore, which is easy to configure in Apache:

keytool -importkeystore -srckeystore yourname.pfx -srcstorepass yourpassword -srcstoretype pkcs12 -destkeystore yourkeystore.jks -deststoretype jks -deststorepass yourkeystorepassword 


4

In addition to @Bruno's answer, you need to supply -name for the alias, otherwise Tomcat will throw an "Alias name tomcat does not identify a key entry" error.

Sample command:

openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name localhost


2

If the keystore is for tomcat then, after creating the keystore with the above answers, you must add a final step to create the "tomcat" alias for the key:

keytool -changealias -alias "1" -destalias "tomcat" -keystore keystore-file.jks 

You can check the result with:

keytool -list -keystore keystore-file.jks -v 


0

Creating a Java keystore given a certificate and private key

A Java keystore can be created by importing a PKCS#12 keystore into a new Java keystore.

Step 1: create a PKCS#12 keystore

certificate.crt - type in your actual certificate file name (if it's in a different location, type in the location - /path/to/certificate.crt)

privatekey.key - type in your private key file name (if it's in a different location, type in the location - /path/to/privatekey.key)

keystore-name.p12 - replace it with your desired keystore name (e.g., example-com.p12)

some-alias - how your certificate and key are recognized in the store; I recommend using the name of the domain (e.g., example.com)

-CAfile ca.crt -caname root - this option is optional. ca.crt contains the root and intermediate certificates for your certificate authority. Some certificates (e.g., certificate.crt) already contain the whole certificate chain, hence specifying -CAfile is optional.

Alternatively, append ca_bundle.crt to certificate.crt to avoid specifying -CAfile:

cat ca_bundle.crt >> certificate.crt

Finally, enter a unique keystore password for your PKCS#12 keystore, and remember it.

OpenSSL is not preinstalled on Windows. You can use the one from Git for Windows: C:\Program Files\Git\usr\bin\openssl.exe

openssl pkcs12 -export -in certificate.crt -inkey privatekey.key \
    -out keystore-name.p12 -name some-alias \
    -CAfile ca.crt -caname root

Step 2: import the PKCS#12 keystore, creating a new Java keystore

keystorepassword - a unique keystore password that you ought to remember for your keystore

keypass - a unique key password that you ought to remember for your key

javakeystore.jks - replace it with your desired keystore name (e.g., example-com.jks)

keystore-name.p12 - the PKCS#12 keystore that you've just created (if it's in a different location, type in the location - /path/to/keystore-name.p12)

keystorepassword - the keystore password that you created

some-alias - how your certificate and key are recognized in the store; I recommend using the name of the domain (e.g., example.com)

keytool -importkeystore \
    -deststorepass keystorepassword -destkeypass keypass \
    -destkeystore javakeystore.jks \
    -srckeystore keystore-name.p12 -srcstoretype PKCS12 -srcstorepass keystorepassword \
    -alias some-alias

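Putting the answers above together (Bruno's openssl/keytool pair, the -passout and -name tips, the "does not identify a key entry" check and the step-by-step answer), here is an added example script that is not from any of the posters: it runs the two conversions non-interactively and then verifies that the alias really is a key entry. The alias tomcat, the password changeit and the file names are assumptions; the self-signed certificate it generates is a throwaway for the demo only.

```shell
#!/bin/sh
# Added example (not from any answer above): build the PKCS#12 and JKS
# files non-interactively, with an explicit alias, then verify the alias
# is a key entry. Requires openssl and keytool on PATH.
set -eu

# make_p12 CERT KEY ALIAS OUT PASS [CA_BUNDLE]
# -name sets the alias (without it the entry is called "1"); -passout
# supplies the export password so openssl never prompts (the "hung
# console" from the comments above).
make_p12() {
    cert=$1 key=$2 alias=$3 out=$4 pass=$5 ca=${6:-}
    set -- -export -in "$cert" -inkey "$key" -name "$alias" \
           -out "$out" -passout "pass:$pass"
    [ -n "$ca" ] && set -- "$@" -certfile "$ca"
    openssl pkcs12 "$@"
}

# p12_to_jks P12 P12PASS ALIAS JKS JKSPASS
# In a PKCS#12 file the key password equals the store password, so
# P12PASS unlocks the key; the JKS entry gets JKSPASS for store and key.
p12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -srcalias "$3" \
        -destkeystore "$4" -deststoretype JKS \
        -deststorepass "$5" -destkeypass "$5"
}

# is_key_entry JKS PASS ALIAS: succeeds only if ALIAS is a PrivateKeyEntry,
# which is what Tomcat needs ("does not identify a key entry" otherwise).
is_key_entry() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -q PrivateKeyEntry
}

# demo_roundtrip WORKDIR: whole flow on a throwaway self-signed cert
# constructed here for the demo (use your real abc.crt/abc.key instead).
demo_roundtrip() (
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout abc.key -out abc.crt 2>/dev/null
    make_p12 abc.crt abc.key tomcat abc.p12 changeit
    p12_to_jks abc.p12 changeit tomcat abc.jks changeit
    is_key_entry abc.jks changeit tomcat
)
```

Passwords given as arguments are visible in the process list, exactly as in the commands in the answers, so for anything beyond a demo read them from a protected file or let the tools prompt.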