CODEWITHSUNDEEP
javatomcatsslhttpsopenssl
AmitG
AmitG

Reputation: 10553

SSL : CSR file created with openSSL and installing with keytool

I have created CSR with the command openSSL and purchased crt files.

openssl genrsa -out private-key.pem 2048 
openssl req -new -key private-key.pem -out csr.pem

Will it be OK to install this by using keystore command as I have not created CSR file by using keytool (but created using openSSL) ?

Another question is I have got three files from the trusted certificate generation company. So how to indentify which one is primary, root, intermediate crt files ? File type(root,intermediate) is not mentioned in the filename itself. I have to run following commands on the basis of crt file type.

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

Upvotes: 2

Views: 1570

Answers (1)

Omikron
Omikron

Reputation: 4143

Will it be OK to install this by using keystore command as I have not created CSR file by using keytool (but created using openSSL) ?

You will have to import the private key into the keystore as well. Otherwise the keystore will be useless.

There are two ways to do this:

  1. Create a PKCS#12 file with OpenSSL first and then convert this file to JKS with keytool (see here).
  2. Use KeyStore Explorer, it has import/export features for OpenSSL formats. Instructions can be found here.

Another question is I have got three files from the trusted certificate generation company. So how to indentify which one is primary, root, intermediate crt files ?

You have to take a look at the content of the certificates, especially their distinguished names (DNs).

  • The root CA certificate always has identical SubjectDN and IssuerDN.
  • The intermediate CA has root CA's SubjectDN as its IssuerDN and a different SubjectDN.
  • The SSL certificate has the intermediate CA's SubjectDN as its IssuerDN and the domain name as part of its SubjectDN.

The OpenSSL command for printing out the SubjectDN and IssuerDN depends on the format of the certificate file (DER or PEM). DER is a binary format, PEM is a ASCII format. If you are not sure, try both:

openssl x509 -noout -subject -issuer -nameopt RFC2253 -inform DER -in <cert-file>

or

openssl x509 -noout  -subject -issuer -nameopt RFC2253 -inform PEM -in <cert-file>

Upvotes: 1

Related Questions