CODEWITHSUNDEEP
javaopensslcertificatekeystorekeytool
Volodymyr Bezuglyy
Volodymyr Bezuglyy

Reputation: 16795

How to add certificate chain to keystore?

I have file with chain of certificates - certificate.cer: 

subject=/C...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I need to add this chain of certificates to keystore.
What I do: 

openssl x509 -outform der -in certificate.cer -out cert.der
keytool -v -importcert -alias mykey -file cert.der -keypass <passwd> -keystore keystore -storepass <passwd> -alias <myalias>

In result I have only 1 certificate in keystore.
But should have 3.
What could be wrong?

SOLUTION:
CA sent me certificates in PKCS#7 format.
I stored them in certificate.p7b file and then successfully added them to keystore by following command: 

keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"

Upvotes: 47

Views: 218301

Answers (3)

Greg
Greg

Reputation: 1067

I used below to solve my keystore chain issue Thanks @nont

echo -e 'Concat certs'
cat "${DIR_PATH}/tls/server/public/server.cert.pem" "${DIR_PATH}/tls/intermediate/certs/ca-chain-bundle.cert.pem" > "${DIR_PATH}/tls/server/tomcat/all.cert.pem"
echo -e "Creating new tomcat keystore"
openssl pkcs12 -inkey "${DIR_PATH}/tls/server/private/server.key.pem" -in "${DIR_PATH}/tls/server/tomcat/all.cert.pem" -export -out "${DIR_PATH}/tls/server/tomcat/tomcat.pfx" -password pass:changeit

Upvotes: 2

nont
nont

Reputation: 9519

I solved the problem by cat'ing all the pems together:

cat cert.pem chain.pem fullchain.pem >all.pem
openssl pkcs12 -export -in all.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root -password MYPASSWORD
keytool -importkeystore -deststorepass MYPASSWORD -destkeypass MYPASSWORD -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass MYPASSWORD -alias tomcat
keytool -import -trustcacerts -alias root -file chain.pem -keystore MyDSKeyStore.jks -storepass MYPASSWORD

(keytool didn't know what to do with a PKCS7 formatted key)

I got all the pems from letsencrypt

Upvotes: 45

Nickolay Olshevsky
Nickolay Olshevsky

Reputation: 14160

From the keytool man - it imports certificate chain, if input is given in PKCS#7 format, otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via openssl crl2pkcs7 command.

Upvotes: 11

Related Questions