Reputation: 505
From Apache2's mod_ssl I have the following config files that work:
SSLCertificateFile x (certificate)
SSLCertificateKeyFile y (rsa private key)
SSLCertificateChainFile z.crt
From these files, I would like to generate a Java keystore that can be passed into Jetty for SSL. I have done a lot of reading, but I'm confused about what I actually have here and what steps are needed to transform these files into a keystore.
Upvotes: 0
Views: 1658
Reputation: 1198
Assuming that you want to use the alias "domain.com" to store the key and certificate in the keystore, you can use the following commands to get the job done:
keytool -keystore keystore.jks -import -alias root -file z.crt -trustcacerts
which will import your root certificate (or the chain file). Then you can import your certificate:
keytool -keystore keystore.jks -import -alias domain.com -file x -trustcacerts
Finally, you use the openssl tool to convert the private key into PKCS12 and import it into the keystore:
openssl pkcs12 -export -in x -inkey y -out domain.pkcs12
keytool -importkeystore -srckeystore domain.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
Upvotes: 1
Reputation: 1994
You can't import a private key into a keystore directly. But you may use openssl to transform the key and the certificate into a pkcs#12 store. Then you can import the whole pkcs#12 into a default Java keystore by using the option -importkeystore together with the option -srcstoretype pkcs12.
(You can also use the pkcs12 store directly by providing the storetype 'pkcs12')
Upvotes: 1
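The conversion the answers describe, as an added example that is not part of the original posts. It goes slightly further than they do: it checks that the key belongs to the certificate, carries the chain file inside the PKCS#12 bundle, and keeps passwords off the command line. The alias, the output file names, the `STOREPASS` variable and the throwaway sample certificates are assumptions.

```shell
#!/bin/sh
# Added example. x, y, z.crt are the question's files; the alias, output
# names and the STOREPASS variable are assumptions.

# Succeeds only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Bundle cert ($1), key ($2) and chain ($3) under alias ($4) into PKCS#12 ($5).
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    (
        umask 077   # the bundle holds the private key
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
            -name "$4" -out "$5" -passout env:STOREPASS
    )
}

# Number of certificates inside a PKCS#12 file ($1): leaf plus chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:STOREPASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Import the PKCS#12 ($1) into a Java keystore ($2); requires a JDK.
p12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -destkeystore "$2" -deststorepass:env STOREPASS
}

# Constructed sample input: a throwaway CA (z.crt) and leaf (x, y) in dir $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/z.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=domain.com" \
        -keyout "$1/y" -out "$1/x.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/x.csr" -CA "$1/z.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/x" 2>/dev/null
}

# Usage with real files:
#   export STOREPASS; make_p12 x y z.crt domain.com domain.p12 &&
#   p12_to_jks domain.p12 keystore.jks
```

Because the key entry and its chain arrive together from the PKCS#12 file, the destination keystore can be a fresh file with no certificates imported beforehand.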