How to Import an Existing X.509 Certificate and Private Key in Java Keystore to Use in Ssl

How to import an existing X.509 certificate and private key in Java keystore to use in SSL?

Believe it or not, keytool does not provide such basic functionality as importing a private key into a keystore. You can try this workaround of merging a PKCS12 file containing the private key into a keystore:

keytool -importkeystore \
-deststorepass storepassword \
-destkeypass keypassword \
-destkeystore my-keystore.jks \
-srckeystore cert-and-key.p12 \
-srcstoretype PKCS12 \
-srcstorepass p12password \
-alias 1

Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool.

Importing the private-key/public-certificate pair in the Java KeyStore

With your private key and public certificate, you need to create a PKCS12 keystore first, then convert it into a JKS.

# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12

# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

To verify the contents of the JKS, you can use this command:

keytool -list -v -keystore mykeystore.jks

If this was not a self-signed certificate, you would probably want to follow this step with importing the certificate chain leading up to the trusted CA cert.
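As an added example (not code from the original answers), the same PEM-to-PKCS12 step done with the JDK alone, no openssl or third-party library: it assumes the file names and alias from the commands above, and that server.key is an unencrypted PKCS#8 PEM.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

// Added example: builds keystore.p12 (alias myservercert) from server.key and selfsigned.crt.
// Assumes server.key is an unencrypted PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----"); a PKCS#1
// "RSA PRIVATE KEY" file must first be converted: openssl pkcs8 -topk8 -nocrypt -in k -out server.key
public class PemToPkcs12 {

    // Strip the PEM armour, base64-decode the DER and try RSA first, then EC.
    static PrivateKey readPkcs8Key(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        String b64 = pem.replaceAll("-----(BEGIN|END) [^-]+-----", "").replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = (args.length > 0 ? args[0] : "changeit").toCharArray();
        PrivateKey key = readPkcs8Key("server.key");
        // generateCertificates() parses every PEM certificate in the file in order, so a
        // file holding leaf + intermediates yields exactly the chain setKeyEntry expects.
        Collection<? extends Certificate> chain;
        try (FileInputStream in = new FileInputStream("selfsigned.crt")) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                      // start from an empty store
        ks.setKeyEntry("myservercert", key, pw, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream("keystore.p12")) {
            ks.store(out, pw);
        }
    }
}
```

The resulting keystore.p12 can be fed straight into the keytool -importkeystore step above, or inspected with keytool -list -v -keystore keystore.p12 -storetype pkcs12.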

How to use certificate.crt and certificate.key with SSLServerSocket

SUGGESTION:

Look at this link: How to import an existing x509 certificate and private key in Java keystore to use in SSL?

  1. Convert the existing cert to a PKCS12 using OpenSSL. A password is required when asked or the 2nd step will complain.

    openssl pkcs12 -export \
    -in [my_certificate.crt] -inkey [my_key.key] \
    -out [keystore.p12] \
    -name [new_alias] \
    -CAfile [my_ca_bundle.crt] -caname root

  2. Convert the PKCS12 to a Java Keystore File.

    keytool -importkeystore \
    -deststorepass [new_keystore_pass] -destkeypass [new_key_pass] -destkeystore [keystore.jks] \
    -srckeystore [keystore.p12] -srcstoretype PKCS12 -srcstorepass [pass_used_in_p12_keystore] \
    -alias [alias_used_in_p12_keystore]

adding private key to a keystore

  1. You can eliminate the -changealias steps by using -name long and -name short on the pkcs12 -export steps

  2. For both keystore.p12 and keystore2.p12 your inputs are key.pem and (cert) alias.short.pem. Did you intend to use (cert) alias.long.pem for one of them?

  3. Among free Oracle Javas, only later versions of j8 (with keystore.compat set in java.security) can read both JKS and P12 keystores without specifying the type. By default j7 and lower only do JKS, j9 and higher only P12.

  4. FWIW, if you convert the original JKS (with trustedCerts) to P12 (with j8+ only) then openssl pkcs12 -nokeys will output all the trustedcerts in one operation -- but since you need to do differing things with them, you need to split that into separate files or else do on-demand like:


# Cut one cert out of the PEM dump by its friendlyName; openssl pkcs12 -export reads it from stdin
awk '/friendlyName: short/,/-END CERT/' allcerts.pem | \
openssl pkcs12 -export -inkey key.pem -name short -out file -passout pass:PW
# similar for long -- or make loop
# combine the p12s as before
# keytool -importcert reads the certificate from stdin when no -file is given
awk '/friendlyName: root/,/-END CERT/' allcerts.pem | \
keytool -keystore file -storepass PW -importcert -alias root -noprompt
# similar for ca3 -- or make loop

... which I'm not sure is really an improvement

Alternatively, since this is SO, you could write a program that does this more directly:

import java.io.*;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;

public class MergeIntoP12 {
    public static void main(String[] args) throws Exception {
        char[] pw = "PASSWORD".toCharArray(); // or whatever as appropriate
        // ks1: the original JKS holding the certificates short/long/root/ca3
        KeyStore ks1 = KeyStore.getInstance("JKS");
        try (InputStream is = new FileInputStream("certs")) { ks1.load(is, pw); }
        // ks2: the PKCS12 produced by openssl, holding the single private key
        KeyStore ks2 = KeyStore.getInstance("PKCS12");
        try (InputStream is = new FileInputStream("oldp12")) { ks2.load(is, pw); }
        String alias = ks2.aliases().nextElement(); // assume only one
        PrivateKey key = (PrivateKey) ks2.getKey(alias, pw);
        ks2.deleteEntry(alias);
        // Re-add the same key under both aliases, each paired with its own certificate
        ks2.setKeyEntry("short", key, pw, new Certificate[]{ ks1.getCertificate("short") });
        ks2.setKeyEntry("long",  key, pw, new Certificate[]{ ks1.getCertificate("long")  });
        // assuming those combinations are what you intended, see above
        ks2.setCertificateEntry("root", ks1.getCertificate("root"));
        ks2.setCertificateEntry("ca3",  ks1.getCertificate("ca3"));
        try (OutputStream os = new FileOutputStream("newp12")) { ks2.store(os, pw); }
    }
}

How to import a .cer certificate into a java keystore?

  • If you want to authenticate you need the private key - there is no other option.
  • A certificate is a public key with extra properties (like company name, country,...) that is signed by some Certificate authority that guarantees that the attached properties are true.
  • .CER files are certificates and don't have the private key. The private key is normally provided with a .PFX keystore file.
    If you can really authenticate, it is because you have already imported the private key.
  • You normally can import .CER certificates without any problems with

    keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"

Import key and SSL Certificate into java keystore

It is possible but not without using third-party libraries.

Java does not use pem format for keystore containers as OpenSSL does so you will have to convert these into a keystore either PKCS12 or JKS.

You can do the conversion by code using bouncy castle or you could use a tool to create a keystore from the pem file and use the keystore in your application.

Try this java application Certificate Helper to do the conversion to keystore
