Reputation: 631
Our IT dept gave me 4 .cer files that constitute a certificate chain: thawte_root.cer->intermediate1_pem.cer->intermediate2_pem.cer->our_company.cer.
I need to sign some code (via jarsigner) using our_company.cer.
Therefore, I have to create a keystore, containing our_company.cer and the chain-to-the-root.
I've tried simply concatenating these 4 files into one using Notepad and then importing the resulting file, but the keystore imports only the first one, and when I try to launch jarsigner I get
"jarsigner: Certificate chain not found for: our_company. our_company must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."
I get the same message when I import only our_company.cer or when I import each certificate one-by-one.
So the question is: how can I import 4 certificates as one chain?
Thanks in advance. Vitaly.
Upvotes: 1
Views: 9504
Reputation: 4330
# build the issuer chain in one file, the leaf's issuer first and the root last
cat intermediate2_pem.cer intermediate1_pem.cer thawte_root.cer > chain.pem
# bundle private.key, our_company.cer and the issuer certificates into one PKCS12 entry named "company";
# -chain makes openssl verify the chain against chain.pem and include the CA certificates in the file
openssl pkcs12 -export -in our_company.cer -inkey private.key -out company.p12 -name company -CAfile chain.pem -caname sub2 -caname sub1 -caname root -chain
# move that entry into a keytool keystore; "company" is the alias jarsigner will use
keytool -importkeystore -destkeystore company.keystore -srckeystore company.p12 -srcstoretype PKCS12 -alias company
Your keystore will be ready (pick a password and type it in for all circumstances). You will also need to have your private.key ready.
See this link for more detailed information.
Upvotes: 2
Reputation: 3982
As you probably know, code signing works using public-key encryption. To sign code you need to have a private key, and clients wanting to use your code must trust the corresponding public key.
The CER files that you have are certificate files corresponding to the public keys. When you import them with keytool -importcert without the corresponding private keys, they are imported as trusted certificates. (See the documentation for more details. Depending on your system setup, you probably don't need to import them all - you probably already trust the Thawte certificate, for example.)
Since you want to sign code as YourCompany, you will need the private key corresponding to our_company.cer - I suppose your IT department can provide this, since it will have been used to generate the Certificate Signing Request sent to Thawte. If they are not willing to pass this on to you, you will need to generate your own private/public key pair using keytool -genkeypair, generate a CSR with keytool -certreq and send it to your IT department, who can then issue you a certificate. The final chain of trust in this case would be thawte_root.cer->intermediate1_pem.cer->intermediate2_pem.cer->our_company.cer->your_department.cer
Upvotes: 0
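The whole procedure from both answers end to end, as an added example that is not part of the original question or either answer. It fabricates a four-certificate demo chain (the subject names, file names and the password changeit are made up for the demo), runs the key-pair-plus-CSR round trip the second answer describes (done in openssl rather than keytool -genkeypair / -certreq, so the signing side is visible too), packages our_company.key and the full chain into a PKCS12 the way the first answer does, checks that all four certificates landed in it and that the leaf verifies up to the root, and imports the PKCS12 with keytool when keytool is on PATH. It uses -certfile instead of the first answer's -CAfile/-chain pair; both put the issuer certificates into the PKCS12, -chain additionally has openssl validate them first. Requires openssl; keytool is optional.

```shell
#!/bin/sh
# Added example (not from the original question or answers): build a throwaway
# four-certificate chain shaped like the one in the question
#   root -> intermediate1 -> intermediate2 -> our_company
# with openssl, package the leaf's private key plus the full chain into a
# PKCS12 the way the first answer does, and, if keytool is installed, import
# that PKCS12 as one key entry so jarsigner sees a complete chain.
# All subject names, file names and the password below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # demo password; the first answer's advice is to use one password everywhere

# Extension profiles for the signing step (openssl x509 -req reads bare
# key=value lines from -extfile). Without CA:TRUE on the issuers, openssl
# refuses to build or verify the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' > "$WORK/leaf.ext"

# issue NAME CN ISSUER EXTFILE
# Generates NAME.key and a CSR for CN, then has ISSUER sign it (self-signed when
# ISSUER is "self"). This is the key-pair + CSR round trip the second answer
# describes with keytool -genkeypair / -certreq, just done with openssl.
issue() {
  name=$1; cn=$2; issuer=$3; ext=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$cn" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$WORK/$ext" -out "$WORK/$name.cer" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.cer" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 30 \
      -extfile "$WORK/$ext" -out "$WORK/$name.cer" 2>/dev/null
  fi
}

# Package our_company.key + our_company.cer + the three issuer certs into one
# PKCS12 entry with friendly name "company" (that becomes the keytool alias).
# -certfile includes every cert in chain.pem verbatim; the first answer's
# "-CAfile chain.pem -chain" has openssl validate the chain and then include it.
build_p12() {
  cat "$WORK/intermediate2.cer" "$WORK/intermediate1.cer" "$WORK/root.cer" > "$WORK/chain.pem"
  openssl pkcs12 -export -in "$WORK/our_company.cer" -inkey "$WORK/our_company.key" \
    -certfile "$WORK/chain.pem" -name company \
    -out "$WORK/company.p12" -passout "pass:$PASS"
}

# Number of certificates stored in the PKCS12: 4 means the whole chain is there,
# which is exactly what the "Certificate chain not found" error was missing.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/company.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Independent check that the leaf really chains up to the root.
verify_chain() {
  openssl verify -CAfile "$WORK/root.cer" -untrusted "$WORK/chain.pem" \
    "$WORK/our_company.cer" >/dev/null 2>&1
}

# Move the key entry (with its chain) from the PKCS12 into a JKS, then print the
# chain length keytool recorded; jarsigner needs a key entry with such a chain.
import_into_jks() {
  keytool -importkeystore -srckeystore "$WORK/company.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -srcalias company \
    -destkeystore "$WORK/company.jks" -deststoretype JKS -deststorepass "$PASS" \
    -destalias company -noprompt >/dev/null 2>&1
  keytool -list -v -keystore "$WORK/company.jks" -storepass "$PASS" -alias company \
    | grep 'Certificate chain length'
}

issue root          "Demo Root CA"             self          ca.ext
issue intermediate1 "Demo Intermediate CA 1"   root          ca.ext
issue intermediate2 "Demo Intermediate CA 2"   intermediate1 ca.ext
issue our_company   "Our Company Code Signing" intermediate2 leaf.ext
build_p12
echo "certificates in company.p12: $(p12_cert_count)"
verify_chain
echo "our_company.cer verifies up to the demo root"
if command -v keytool >/dev/null 2>&1; then
  import_into_jks
else
  echo "keytool not on PATH; skipping the JKS import step"
fi
```

With a real Thawte-issued certificate the only things that change are the inputs to build_p12: the four .cer files from IT and the private key that produced the CSR; the PKCS12 and keytool steps are identical, and jarsigner is then pointed at company.jks with alias company.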