How to import an existing X.509 certificate and private key in Java keystore to use in SSL?
Believe it or not, keytool does not provide such basic functionality as importing a private key into a keystore. You can try this workaround with merging a PKCS12 file containing the private key into a keystore:
keytool -importkeystore \
-deststorepass storepassword \
-destkeypass keypassword \
-destkeystore my-keystore.jks \
-srckeystore cert-and-key.p12 \
-srcstoretype PKCS12 \
-srcstorepass p12password \
-alias 1
Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool.
Importing the private-key/public-certificate pair in the Java KeyStore
With your private key and public certificate, you need to create a PKCS12 keystore first, then convert it into a JKS.
# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12
# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert
To verify the contents of the JKS, you can use this command:
keytool -list -v -keystore mykeystore.jks
If this was not a self-signed certificate, you would probably want to follow this step with importing the certificate chain leading up to the trusted CA cert.
How to use certificate.crt and certificate.key with SSLServerSocket
SUGGESTION:
Look at this link: How to import an existing x509 certificate and private key in Java keystore to use in SSL?
Convert the existing cert to a PKCS12 using OpenSSL. A password is required when asked or the 2nd step will complain.
openssl pkcs12 -export \
-in [my_certificate.crt] -inkey [my_key.key] \
-out [keystore.p12] \
-name [new_alias] \
-CAfile [my_ca_bundle.crt] -caname root
Convert the PKCS12 to a Java Keystore File.
keytool -importkeystore \
-deststorepass [new_keystore_pass] -destkeypass [new_key_pass] -destkeystore [keystore.jks] \
-srckeystore [keystore.p12] -srcstoretype PKCS12 -srcstorepass [pass_used_in_p12_keystore] \
-alias [alias_used_in_p12_keystore]
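The commands above stop once the keystore exists; what the SSLServerSocket question actually needs is the step after that. The following is an added example, not code from any of the answers: it loads the PKCS12 (or JKS) produced above into a KeyManagerFactory, builds an SSLContext from it and listens with an SSLServerSocket. The file name keystore.p12, the alias, the port 8443 and the password changeit are assumptions for the demo; the keystore type string can be changed to "JKS" for the keytool output.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public class KeystoreTlsServer {

    /** Build a server-side SSLContext whose identity is the key entry in the keystore. */
    static SSLContext serverContext(Path keystore, String type, char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);       // "PKCS12" or "JKS"
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, storePass);
        }
        // The key manager needs the *key* password. With a PKCS12 written by openssl it is the
        // export password; with a JKS it is whatever -destkeypass set, which may differ.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);     // default trust managers; only used for client auth
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed demo defaults: keystore.p12 in the working directory, password "changeit".
        Path ksPath = Path.of(args.length > 0 ? args[0] : "keystore.p12");
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        SSLContext ctx = serverContext(ksPath, "PKCS12", pass, pass);
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
            System.out.println("listening on 8443; test with: openssl s_client -connect localhost:8443");
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake();   // a key/cert mismatch in the store surfaces here
                    OutputStream out = client.getOutputStream();
                    out.write("hello over TLS\n".getBytes(StandardCharsets.US_ASCII));
                    out.flush();
                }
            }
        }
    }
}
```

If the handshake fails right after the server starts, the usual cause is that the key entry was stored under a different key password than the one passed to kmf.init, or that the certificate chain in the store does not belong to the private key; keytool -list -v shows the alias and chain but not the password, so check the -destkeypass used during the import.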
adding private key to a keystore
You can eliminate the -changealias steps by using -name long and -name short on the pkcs12 -export steps.
For both keystore.p12 and keystore2.p12 your inputs are key.pem and (cert)alias.short.pem. Did you intend to use (cert)alias.long.pem for one of them?
Among free Oracle Javas, only later versions of j8 (with keystore.compat set in java.security) can read both JKS and P12 keystores without specifying the type. By default j7 and lower only do JKS, j9 and higher only P12.
FWIW, if you convert the original JKS (with trustedCert's) to P12 (with j8+ only) then
openssl pkcs12 -nokeys
will output all the trustedcerts in one operation -- but since you need to do differing things with them, you need to split that into separate files or else do on-demand like:
awk '/friendlyName: short/,/-END CERT/' allcerts.pem | \
openssl pkcs12 -export -inkey key.pem -name short -out file -passout pass:PW
# similar for long -- or make loop
# combine the p12s as before
awk '/friendlyName: root/,/-END CERT/' allcerts.pem | \
keytool -keystore file -storepass PW -importcert -file root.pem -alias root -noprompt
# similar for ca3 -- or make loop
... which I'm not sure is really an improvement
Alternatively, since this is SO, you could write a program that does this more directly:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;

public class MergeKeystores {
    public static void main(String[] args) throws Exception {
        char[] pw = "PASSWORD".toCharArray(); // or whatever as appropriate
        // "certs": the JKS holding the trusted certificates (short, long, root, ca3)
        KeyStore ks1 = KeyStore.getInstance("JKS");
        try( InputStream is = new FileInputStream("certs") ){ ks1.load(is,pw); }
        // "oldp12": the PKCS12 from openssl holding the single private key
        KeyStore ks2 = KeyStore.getInstance("PKCS12");
        try( InputStream is = new FileInputStream("oldp12") ){ ks2.load(is,pw); }
        String alias = ks2.aliases().nextElement(); // assume only one
        PrivateKey key = (PrivateKey) ks2.getKey(alias,pw);
        ks2.deleteEntry(alias);
        ks2.setKeyEntry("short",key,pw,new Certificate[]{ ks1.getCertificate("short") });
        ks2.setKeyEntry("long" ,key,pw,new Certificate[]{ ks1.getCertificate("long" ) });
        // assuming those combinations are what you intended, see above
        ks2.setCertificateEntry("root", ks1.getCertificate("root") );
        ks2.setCertificateEntry("ca3" , ks1.getCertificate("ca3" ) );
        try( OutputStream os = new FileOutputStream ("newp12") ){ ks2.store(os,pw); }
    }
}
How to import a .cer certificate into a java keystore?
- If you want to authenticate you need the private key - there is no other option.
- A certificate is a public key with extra properties (like company name, country, ...) that is signed by some Certificate Authority that guarantees that the attached properties are true.
.CER files are certificates and don't have the private key. The private key is normally provided in a .PFX keystore file.
If you really can authenticate, it is because you have already imported the private key. You normally can import .CER certificates without any problems with
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
Import key and SSL Certificate into java keystore
It is possible but not without using third-party libraries.
Java does not use pem format for keystore containers as OpenSSL does, so you will have to convert these into a keystore, either PKCS12 or JKS.
You can do the conversion by code using bouncy castle or you could use a tool to create a keystore from the pem file and use the keystore in your application.
Try this java application Certificate Helper to do the conversion to keystore.
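For the common case the previous answer and the "Importing the private-key/public-certificate pair" answer describe, the conversion can also be done in a small program: an unencrypted PKCS#8 PEM key ("-----BEGIN PRIVATE KEY-----") and a PEM certificate chain can be read with JDK-only APIs (Java 11+), which avoids the openssl pkcs12 step entirely. The following is an added example, not code from any of the answers or from the Certificate Helper tool. It assumes the PKCS#8 unencrypted format; a PKCS#1 key ("BEGIN RSA PRIVATE KEY") or a password-protected key still has to be converted first with openssl pkcs8 -topk8 -nocrypt, or parsed with a library such as Bouncy Castle. The file names, the alias argument and the password changeit are demo assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

public class PemToPkcs12 {

    private static final String KEY_HEADER = "-----BEGIN PRIVATE KEY-----";
    private static final String KEY_FOOTER = "-----END PRIVATE KEY-----";

    /** Parse an unencrypted PKCS#8 PEM private key (RSA or EC) with JDK APIs only. */
    static PrivateKey readPkcs8Pem(Path pemFile) throws Exception {
        String pem = Files.readString(pemFile, StandardCharsets.US_ASCII);
        int start = pem.indexOf(KEY_HEADER);
        int end = pem.indexOf(KEY_FOOTER);
        if (start < 0 || end < 0) {
            // PKCS#1 or encrypted keys: run  openssl pkcs8 -topk8 -nocrypt  first
            throw new IllegalArgumentException("need an unencrypted PKCS#8 key in " + pemFile);
        }
        String b64 = pem.substring(start + KEY_HEADER.length(), end).replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        for (String alg : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException notThisAlg) {
                // try the next algorithm
            }
        }
        throw new IllegalArgumentException("unsupported key algorithm in " + pemFile);
    }

    /** Read every certificate in a PEM file; the leaf must come first, then intermediates. */
    static Certificate[] readCertChain(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new Certificate[0]);
        }
    }

    /** Sign-and-verify round trip: catches a key that does not belong to the certificate. */
    static boolean keyMatchesCert(PrivateKey key, Certificate leaf) {
        String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "key/cert match probe".getBytes(StandardCharsets.US_ASCII);
        try {
            Signature signer = Signature.getInstance(sigAlg);
            signer.initSign(key);
            signer.update(probe);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance(sigAlg);
            verifier.initVerify(leaf.getPublicKey());
            verifier.update(probe);
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // algorithm or key-type mismatch also means "does not match"
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PemToPkcs12 <key-pkcs8.pem> <chain.pem> <out.p12> <alias>");
            System.exit(2);
        }
        PrivateKey key = readPkcs8Pem(Path.of(args[0]));
        Certificate[] chain = readCertChain(Path.of(args[1]));
        if (!keyMatchesCert(key, chain[0])) {
            throw new IllegalStateException("private key does not belong to the first certificate");
        }
        char[] password = "changeit".toCharArray(); // demo value; read from console or secret store in practice

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                           // start from an empty store
        ks.setKeyEntry(args[3], key, password, chain); // key plus full chain under one alias
        try (OutputStream out = Files.newOutputStream(Path.of(args[2]))) {
            ks.store(out, password);
        }

        // Reload as a check; this is what keytool -list -v would show.
        KeyStore check = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Path.of(args[2]))) {
            check.load(in, password);
        }
        System.out.println("entry " + args[3] + " stored, chain length "
            + check.getCertificateChain(args[3]).length);
    }
}
```

The key/certificate match check is the part worth keeping even if the rest is replaced by openssl: neither openssl pkcs12 -export nor KeyStore.setKeyEntry refuses a key that does not belong to the certificate, so the mismatch otherwise only shows up as a failed TLS handshake later. The resulting .p12 can be used directly by Java 9+ or fed to keytool -importkeystore exactly as in the earlier answers.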