From time to time you have to update your SSL keys and certificates. In some cases you may have a mixed infrastructure e.g. “normal” http servers and tomcat or other java based servers. In the latter case you’ll have to import your shiny new certificate and key into your java keystore.
There are several methods that you can use but I found the following the most simple:
- Export your key, certificate and ca-certificate into a PKCS12 bundle via
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12 - Be sure to set an export password! (see further below for an explanation)
- If you get the following error message “Error unable to get issuer certificate getting chain.” then you should concatenate the openssl ca-certs with your own ca-cert into one file and use that as parameter for
-CAfile. Example:cat /etc/ssl/cert.pem my-ca-file.crt > ca-certs.pemopenssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile ca-certs.pem -name "my-domain.com" -out my.p12 - Import the PKCS12 file into a new java keystore via
keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12
1. Suppose you have a certificate and key in PEM format. The key is named host.key and the certificate host.crt.
2. The first step is to convert them into a single PKCS12 file using the command: openssl pkcs12 -export -in host.crt -inkey host.key > host.p12. You will be asked for various passwords (the password to access the key (if set) and then the password for the PKCS12 file being created).
3. Then import the PKCS12 file into a keystore using the command: keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12. You now have a keystore named host.jkscontaining the certificate/key you need.
For the sake of completeness here’s the output of a full session I performed:
$ openssl pkcs12 -export -in host.crt -inkey host.key > host.p12 Enter pass phrase for host.key: Enter Export Password: Verifying - Enter Export Password: $ keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12 Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed
Recent Comments