{"id":5013,"date":"2015-08-04T09:09:11","date_gmt":"2015-08-04T01:09:11","guid":{"rendered":"http:\/\/rmohan.com\/?p=5013"},"modified":"2015-08-04T09:09:44","modified_gmt":"2015-08-04T01:09:44","slug":"import-private-key-and-certificate-into-java-keystore","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5013","title":{"rendered":"Import private key and certificate into java keystore"},"content":{"rendered":"<p>From time to time you have to update your SSL keys and certificates. In some cases you may have a mixed infrastructure, e.g. \u201cnormal\u201d HTTP servers and Tomcat or other Java-based servers. In the latter case you\u2019ll have to import your shiny new certificate and key into your Java keystore.<\/p>\n<p>There are several methods that you can use, but I found the following the simplest:<\/p>\n<ol>\n<li>Export your key, certificate and CA certificate into a PKCS12 bundle via <code>openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name \"my-domain.com\" -out my.p12<\/code><\/li>\n<li><strong>Be sure to set an export password!<\/strong> (see further below for an explanation)<\/li>\n<li>If you get the following error message <strong>\u201cError unable to get issuer certificate getting chain.\u201d<\/strong> then you should concatenate the openssl ca-certs with your own ca-cert into one file and use that as the parameter for <code>-CAfile<\/code>. Example: <code>cat \/etc\/ssl\/cert.pem my-ca-file.crt &gt; ca-certs.pem<\/code>\n<p><code>openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile ca-certs.pem -name \"my-domain.com\" -out my.p12<\/code><\/p><\/li>\n<li>Import the PKCS12 file into a new Java keystore via <code>keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12<\/code><\/li>\n<\/ol>\n<p>1. Suppose you have a certificate and key in PEM format. 
The key is named <tt>host.key<\/tt> and the certificate <tt>host.crt<\/tt>.<\/p>\n<p>2. The first step is to convert them into a single <a href=\"http:\/\/en.wikipedia.org\/wiki\/PKCS12\">PKCS12<\/a> file using the command: <tt>openssl pkcs12 -export -in host.crt -inkey host.key &gt; host.p12<\/tt>. You will be asked for various passwords (the password to access the key, if set, and then the password for the PKCS12 file being created).<\/p>\n<p>3. Then import the PKCS12 file into a keystore using the command: <tt>keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks -srcstoretype pkcs12<\/tt>. You now have a keystore named <tt>host.jks<\/tt> containing the certificate\/key you need.<\/p>\n<p>For the sake of completeness here&#8217;s the output of a full session I performed:<\/p>\n<pre>$ openssl pkcs12 -export -in host.crt -inkey host.key &gt; host.p12\r\nEnter pass phrase for host.key:\r\nEnter Export Password:\r\nVerifying - Enter Export Password:\r\n$ keytool -importkeystore -srckeystore host.p12 -destkeystore host.jks\r\n-srcstoretype pkcs12\r\nEnter destination keystore password:  \r\nRe-enter new password: \r\nEnter source keystore password:  \r\nEntry for alias 1 successfully imported.\r\nImport command completed:  1 entries successfully imported, 0 entries failed<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>From time to time you have to update your SSL keys and certificates. In some cases you may have a mixed infrastructure, e.g. \u201cnormal\u201d HTTP servers and Tomcat or other Java-based servers. 
In the latter case you\u2019ll have to import your shiny new certificate and key into your Java keystore.<\/p>\n<p>There are several methods [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5013"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5013"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5013\/revisions"}],"predecessor-version":[{"id":5015,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5013\/revisions\/5015"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}