user3431792

Reputation: 11

Getting error when trying to update the PFX cert in CACERTS

I am trying to enable SSL in my application, for which I have to update the PFX cert in CACERTS. Below are the steps I did, but I am getting the error below when trying to import the PFX into CACERTS.

"keytool error: java.lang.Exception: Input not an X.509 certificate"

  1. Create a jks file and generate a CSR from that JKS

    keytool -genkeypair -alias abc03.dc.abc.com -keyalg RSA -keystore /opt/logo/certificates/abc03.dc.abc.com.jks -keysize 2048 -dname "CN=abc03.dc.abc.com,O=DT,L=xxx,ST=xxx,C=xxx" -ext san=dns:abc03.dc.abc.com

    keytool -certreq -alias abc03.dc.abc.com -keystore /opt/logo/certificates/abc03.dc.abc.com.jks -file /opt/logo/certificates/abc03.dc.abc.com.csr -ext san=dns:abc03.dc.abc.com -ext EKU=serverAuth,clientAuth

  2. Get it signed by CA

  3. Import the root, intermediate & server cert into the JKS that I created

    keytool -import -keystore abc03.dc.abc.com.jks -alias root -file root.cer
    keytool -import -keystore abc03.dc.abc.com.jks -alias intermediate -file intermediate.cer
    keytool -import -keystore abc03.dc.abc.com.jks -alias mykey -file abc03.dc.abc.com.cer

  4. Convert the JKS to PKCS12

    keytool -importkeystore -srckeystore abc03.dc.abc.com.jks -destkeystore abc03.dc.abc.com.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass password

  5. Importing the PKCS12 into CACERTS (this is where I get the error)

    keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore cacerts -srckeystore abc03.dc.abc.com.p12 -srcstoretype PKCS12

Can you advise me on how to fix this, or is there another way of doing it? Thanks for your help :)

Upvotes: 1

Views: 266

Answers (1)

Daniel Fisher  lennybacon

Reputation: 4194

There are two tools that might help:

Upvotes: 0
