How to import an existing x509 certificate and private key in Java keystore to use in SSL?





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







200















I have this in activemq config



<sslContext>
<sslContext keyStore="file:/home/alex/work/amq/broker.ks"
keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts"
trustStorePassword="password"/>
</sslContext>


I have a pair of x509 cert and a key file



How do I import those two to be used in ssl and ssl+stomp connectors? All examples i could google always generate the key themselves, but I already have a key.



I have tried



keytool -import  -keystore ./broker.ks -file mycert.crt


but this only imports the certificate and not the key file and results in



2009-05-25 13:16:24,270 [localhost:61612] ERROR TransportConnector - Could not accept connection : No available certificate or key corresponds to the SSL cipher suites which are enabled.



I have tried concatenating the cert and the key but got the same result



How do I import the key?










share|improve this question




















  • 1





    You actually have to write a bit of code to do this, and the details depend on the format of the private key you are trying to import. What format is your key? Can you explain what tools you used to generate the key and certificate that you have?

    – erickson
    May 25 '09 at 15:29


















200















I have this in activemq config



<sslContext>
<sslContext keyStore="file:/home/alex/work/amq/broker.ks"
keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts"
trustStorePassword="password"/>
</sslContext>


I have a pair of x509 cert and a key file



How do I import those two to be used in ssl and ssl+stomp connectors? All examples i could google always generate the key themselves, but I already have a key.



I have tried



keytool -import  -keystore ./broker.ks -file mycert.crt


but this only imports the certificate and not the key file and results in



2009-05-25 13:16:24,270 [localhost:61612] ERROR TransportConnector - Could not accept connection : No available certificate or key corresponds to the SSL cipher suites which are enabled.



I have tried concatenating the cert and the key but got the same result



How do I import the key?










share|improve this question




















  • 1





    You actually have to write a bit of code to do this, and the details depend on the format of the private key you are trying to import. What format is your key? Can you explain what tools you used to generate the key and certificate that you have?

    – erickson
    May 25 '09 at 15:29














200












200








200


151






I have this in activemq config



<sslContext>
<sslContext keyStore="file:/home/alex/work/amq/broker.ks"
keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts"
trustStorePassword="password"/>
</sslContext>


I have a pair of x509 cert and a key file



How do I import those two to be used in ssl and ssl+stomp connectors? All examples i could google always generate the key themselves, but I already have a key.



I have tried



keytool -import  -keystore ./broker.ks -file mycert.crt


but this only imports the certificate and not the key file and results in



2009-05-25 13:16:24,270 [localhost:61612] ERROR TransportConnector - Could not accept connection : No available certificate or key corresponds to the SSL cipher suites which are enabled.



I have tried concatenating the cert and the key but got the same result



How do I import the key?










share|improve this question
















I have this in activemq config



<sslContext>
<sslContext keyStore="file:/home/alex/work/amq/broker.ks"
keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts"
trustStorePassword="password"/>
</sslContext>


I have a pair of x509 cert and a key file



How do I import those two to be used in ssl and ssl+stomp connectors? All examples i could google always generate the key themselves, but I already have a key.



I have tried



keytool -import  -keystore ./broker.ks -file mycert.crt


but this only imports the certificate and not the key file and results in



2009-05-25 13:16:24,270 [localhost:61612] ERROR TransportConnector - Could not accept connection : No available certificate or key corresponds to the SSL cipher suites which are enabled.



I have tried concatenating the cert and the key but got the same result



How do I import the key?







java ssl jms activemq jks






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 22 '17 at 23:28









jww

54.2k41234515




54.2k41234515










asked May 25 '09 at 11:34









Aleksandar IvanisevicAleksandar Ivanisevic

1,275398




1,275398








  • 1





    You actually have to write a bit of code to do this, and the details depend on the format of the private key you are trying to import. What format is your key? Can you explain what tools you used to generate the key and certificate that you have?

    – erickson
    May 25 '09 at 15:29














  • 1





    You actually have to write a bit of code to do this, and the details depend on the format of the private key you are trying to import. What format is your key? Can you explain what tools you used to generate the key and certificate that you have?

    – erickson
    May 25 '09 at 15:29








1




1





You actually have to write a bit of code to do this, and the details depend on the format of the private key you are trying to import. What format is your key? Can you explain what tools you used to generate the key and certificate that you have?

– erickson
May 25 '09 at 15:29





You actually have to write a bit of code to do this, and the details depend on the format of the private key you are trying to import. What format is your key? Can you explain what tools you used to generate the key and certificate that you have?

– erickson
May 25 '09 at 15:29












14 Answers
14






active

oldest

votes


















66














Believe or not, keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKSC12 file with private key to a keystore.



Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool.exe.






share|improve this answer





















  • 11





    According to CoverosGene's answer keytool supports it since Java 6. This is the link he provided

    – Houtman
    Dec 8 '14 at 11:58













  • For what it's worth, for all the noise on this subject, the best link is @Matej's 'workaround' link to this 2008 post: cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

    – cloudsurfin
    Feb 11 '16 at 0:44






  • 2





    I followed the answer provided by CoverosGene and it worked.

    – Robert3452
    Mar 20 '16 at 15:50






  • 1





    KeyMan doesn't seem all that user-friendly to me.

    – Miscreant
    Aug 10 '16 at 17:10






  • 3





    Broken link. Please include the details of the solution directly into the answer :-(

    – lilalinux
    Aug 9 '18 at 12:46



















481














I used the following two steps which I found in the comments/posts linked in the other answers:



Step one: Convert x509 Cert and Key to a pkcs12 file



openssl pkcs12 -export -in server.crt -inkey server.key 
-out server.p12 -name [some-alias]
-CAfile ca.crt -caname root


Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)



Note 2: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)



Step two: Convert the pkcs12 file to a java keystore



keytool -importkeystore 
-deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password
-alias [some-alias]


Finished



OPTIONAL Step Zero, create self-signed certificate



openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


Cheers!






share|improve this answer





















  • 10





    Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache)

    – jocull
    Jun 5 '12 at 20:12






  • 9





    In my case at step one the option -CAfile ca.crt -caname root didn't correctly output the CA certificates. Instead I used -certfile concatenedCAFiles.pem

    – dcernahoschi
    Feb 9 '13 at 0:36






  • 11





    Don't forget to use the -chain argument with openssl to include the full certificate chain in your pfx/p12 file if you want that in your key store.

    – Mafuba
    Sep 24 '13 at 2:31








  • 3





    In a Windows environment, pvk2pfx (a standard VS tool available in the VS cmd prompt) will spit out a .pfx--equivalent to a .p12. @jocull's advice is still relevant; put a password on it. No openssl needed.

    – Ben Mosher
    Nov 21 '13 at 22:49








  • 6





    For Tomcat in particular it's imperative that the keystore and the key passwords are same. When you import a .p12 the key will have the password of the original .p12. Tomcat will fail with java.security.UnrecoverableKeyException: Cannot recover key. In other words: if you need to execute -deststorepass changeit -srcstorepass some-password with different passwords, then you must include -destkeypass changeit (with same password as -deststorepass)

    – Slav
    Oct 2 '14 at 15:14



















114














Keytool in Java 6 does have this capability: Importing private keys into a Java keystore using keytool



Here are the basic details from that post.





  1. Convert the existing cert to a PKCS12 using OpenSSL. A password is required when asked or the 2nd step will complain.



    openssl pkcs12 -export -in [my_certificate.crt] -inkey [my_key.key] -out [keystore.p12] -name [new_alias] -CAfile [my_ca_bundle.crt] -caname root



  2. Convert the PKCS12 to a Java Keystore File.



    keytool -importkeystore -deststorepass [new_keystore_pass] -destkeypass [new_key_pass] -destkeystore [keystore.jks] -srckeystore [keystore.p12] -srcstoretype PKCS12 -srcstorepass [pass_used_in_p12_keystore] -alias [alias_used_in_p12_keystore]







share|improve this answer





















  • 4





    The answer by @reto contains the contents of this link.

    – Mafuba
    Sep 24 '13 at 2:33






  • 4





    As stated by @Mafuba, you must still create a separate pkcs12 keystore with non-java tool like openssl - then this can be imported into a jks store by keytool as stated in the answer by reto.

    – Mister_Tom
    Dec 6 '13 at 21:09











  • One thing that makes this a good answer is the fact that the input certs are clearly specified in the brackets.

    – Mr.Budris
    May 3 '17 at 14:07



















9














And one more:



#!/bin/bash

# We have:
#
# 1) $KEY : Secret key in PEM format ("-----BEGIN RSA PRIVATE KEY-----")
# 2) $LEAFCERT : Certificate for secret key obtained from some
# certification outfit, also in PEM format ("-----BEGIN CERTIFICATE-----")
# 3) $CHAINCERT : Intermediate certificate linking $LEAFCERT to a trusted
# Self-Signed Root CA Certificate
#
# We want to create a fresh Java "keystore" $TARGET_KEYSTORE with the
# password $TARGET_STOREPW, to be used by Tomcat for HTTPS Connector.
#
# The keystore must contain: $KEY, $LEAFCERT, $CHAINCERT
# The Self-Signed Root CA Certificate is obtained by Tomcat from the
# JDK's truststore in /etc/pki/java/cacerts

# The non-APR HTTPS connector (APR uses OpenSSL-like configuration, much
# easier than this) in server.xml looks like this
# (See: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html):
#
# <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
# SSLEnabled="true"
# maxThreads="150" scheme="https" secure="true"
# clientAuth="false" sslProtocol="TLS"
# keystoreFile="/etc/tomcat6/etl-web.keystore.jks"
# keystorePass="changeit" />
#

# Let's roll:

TARGET_KEYSTORE=/etc/tomcat6/foo-server.keystore.jks
TARGET_STOREPW=changeit

TLS=/etc/pki/tls

KEY=$TLS/private/httpd/foo-server.example.com.key
LEAFCERT=$TLS/certs/httpd/foo-server.example.com.pem
CHAINCERT=$TLS/certs/httpd/chain.cert.pem

# ----
# Create PKCS#12 file to import using keytool later
# ----

# From https://www.sslshopper.com/ssl-converter.html:
# The PKCS#12 or PFX format is a binary format for storing the server certificate,
# any intermediate certificates, and the private key in one encryptable file. PFX
# files usually have extensions such as .pfx and .p12. PFX files are typically used
# on Windows machines to import and export certificates and private keys.

TMPPW=$$ # Some random password

PKCS12FILE=`mktemp`

if [[ $? != 0 ]]; then
echo "Creation of temporary PKCS12 file failed -- exiting" >&2; exit 1
fi

TRANSITFILE=`mktemp`

if [[ $? != 0 ]]; then
echo "Creation of temporary transit file failed -- exiting" >&2; exit 1
fi

cat "$KEY" "$LEAFCERT" > "$TRANSITFILE"

openssl pkcs12 -export -passout "pass:$TMPPW" -in "$TRANSITFILE" -name etl-web > "$PKCS12FILE"

/bin/rm "$TRANSITFILE"

# Print out result for fun! Bug in doc (I think): "-pass " arg does not work, need "-passin"

openssl pkcs12 -passin "pass:$TMPPW" -passout "pass:$TMPPW" -in "$PKCS12FILE" -info

# ----
# Import contents of PKCS12FILE into a Java keystore. WTF, Sun, what were you thinking?
# ----

if [[ -f "$TARGET_KEYSTORE" ]]; then
/bin/rm "$TARGET_KEYSTORE"
fi

keytool -importkeystore
-deststorepass "$TARGET_STOREPW"
-destkeypass "$TARGET_STOREPW"
-destkeystore "$TARGET_KEYSTORE"
-srckeystore "$PKCS12FILE"
-srcstoretype PKCS12
-srcstorepass "$TMPPW"
-alias foo-the-server

/bin/rm "$PKCS12FILE"

# ----
# Import the chain certificate. This works empirically, it is not at all clear from the doc whether this is correct
# ----

echo "Importing chain"

TT=-trustcacerts

keytool -import $TT -storepass "$TARGET_STOREPW" -file "$CHAINCERT" -keystore "$TARGET_KEYSTORE" -alias chain

# ----
# Print contents
# ----

echo "Listing result"

keytool -list -storepass "$TARGET_STOREPW" -keystore "$TARGET_KEYSTORE"





share|improve this answer

































    8














    Yes, it's indeed a sad fact that keytool has no functionality to import a private key.



    For the record, at the end I went with the solution described here






    share|improve this answer

































      7














      First convert to p12:



      openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]


      Create new JKS from p12:



      keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12





      share|improve this answer































        6














        In my case I had a pem file which contained two certificates and an encrypted private key to be used in mutual SSL authentication.
        So my pem file looked like this:



        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,C8BF220FC76AA5F9
        ...
        -----END RSA PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----


        Here is what I did:



        Split the file into three separate files, so that each one contains just one entry,
        starting with "---BEGIN.." and ending with "---END.." lines. Lets assume we now have three files: cert1.pem cert2.pem and pkey.pem



        Convert pkey.pem into DER format using openssl and the following syntax:



        openssl pkcs8 -topk8 -nocrypt -in pkey.pem -inform PEM -out pkey.der -outform DER



        Note, that if the private key is encrypted you need to supply a password( obtain it from the supplier of the original pem file )
        to convert to DER format,
        openssl will ask you for the password like this: "enter a pass phraze for pkey.pem: "
        If conversion is successful, you will get a new file called "pkey.der"



        Create a new java key store and import the private key and the certificates:



        String keypass = "password";  // this is a new password, you need to come up with to protect your java key store file
        String defaultalias = "importkey";
        KeyStore ks = KeyStore.getInstance("JKS", "SUN");

        // this section does not make much sense to me,
        // but I will leave it intact as this is how it was in the original example I found on internet:
        ks.load( null, keypass.toCharArray());
        ks.store( new FileOutputStream ( "mykeystore" ), keypass.toCharArray());
        ks.load( new FileInputStream ( "mykeystore" ), keypass.toCharArray());
        // end of section..


        // read the key file from disk and create a PrivateKey

        FileInputStream fis = new FileInputStream("pkey.der");
        DataInputStream dis = new DataInputStream(fis);
        byte bytes = new byte[dis.available()];
        dis.readFully(bytes);
        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

        byte key = new byte[bais.available()];
        KeyFactory kf = KeyFactory.getInstance("RSA");
        bais.read(key, 0, bais.available());
        bais.close();

        PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
        PrivateKey ff = kf.generatePrivate (keysp);


        // read the certificates from the files and load them into the key store:

        Collection col_crt1 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert1.pem"));
        Collection col_crt2 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert2.pem"));

        Certificate crt1 = (Certificate) col_crt1.iterator().next();
        Certificate crt2 = (Certificate) col_crt2.iterator().next();
        Certificate chain = new Certificate { crt1, crt2 };

        String alias1 = ((X509Certificate) crt1).getSubjectX500Principal().getName();
        String alias2 = ((X509Certificate) crt2).getSubjectX500Principal().getName();

        ks.setCertificateEntry(alias1, crt1);
        ks.setCertificateEntry(alias2, crt2);

        // store the private key
        ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), chain );

        // save the key store to a file
        ks.store(new FileOutputStream ( "mykeystore" ),keypass.toCharArray());


        (optional) Verify the content of your new key store:



        keytool -list -keystore mykeystore -storepass password




        Keystore type: JKS Keystore provider: SUN



        Your keystore contains 3 entries



        cn=...,ou=...,o=.., Sep 2, 2014, trustedCertEntry, Certificate
        fingerprint (SHA1): 2C:B8: ...



        importkey, Sep 2, 2014, PrivateKeyEntry, Certificate fingerprint
        (SHA1): 9C:B0: ...



        cn=...,o=...., Sep 2, 2014, trustedCertEntry, Certificate fingerprint
        (SHA1): 83:63: ...




        (optional) Test your certificates and private key from your new key store against your SSL server:
        ( You may want to enable debugging as an VM option: -Djavax.net.debug=all )



                char passw = "password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS", "SUN");
        ks.load(new FileInputStream ( "mykeystore" ), passw );

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, passw);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager tm = tmf.getTrustManagers();

        SSLContext sclx = SSLContext.getInstance("TLS");
        sclx.init( kmf.getKeyManagers(), tm, null);

        SSLSocketFactory factory = sclx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket( "192.168.1.111", 443 );
        socket.startHandshake();

        //if no exceptions are thrown in the startHandshake method, then everything is fine..


        Finally register your certificates with HttpsURLConnection if plan to use it:



                char passw = "password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS", "SUN");
        ks.load(new FileInputStream ( "mykeystore" ), passw );

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, passw);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        TrustManager tm = tmf.getTrustManagers();

        SSLContext sclx = SSLContext.getInstance("TLS");
        sclx.init( kmf.getKeyManagers(), tm, null);

        HostnameVerifier hv = new HostnameVerifier()
        {
        public boolean verify(String urlHostName, SSLSession session)
        {
        if (!urlHostName.equalsIgnoreCase(session.getPeerHost()))
        {
        System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
        }
        return true;
        }
        };

        HttpsURLConnection.setDefaultSSLSocketFactory( sclx.getSocketFactory() );
        HttpsURLConnection.setDefaultHostnameVerifier(hv);





        share|improve this answer


























        • However, Bruno mentioned that this hostname verifier is wrong: "Your hostname verifier is wrong, session.getPeerHost() doesn't return the name in the certificate, but the name you connected with (i.e. the urlHostName here), so that's always going to be true. You're always returning true anyway. – Bruno". It worked for me though, but I would appreciate if somebody shows me how to write a good host name verifier.

          – Interkot
          Sep 4 '14 at 16:22








        • 1





          Of course it will "work" for you, since it will never produce an error, even when it should. Leave the default hostname verifier used by HttpsURLConnection instead of trying to writing your own. (Another problem with your example is that you're using the same keystore as a keystore and a truststore, which isn't always a good idea...)

          – Bruno
          Sep 4 '14 at 16:31





















        5














        Based on the answers above, here is how to create a brand new keystore for your java based web server, out of an independently created Comodo cert and private key using keytool (requires JDK 1.6+)




        1. Issue this command and at the password prompt enter somepass - 'server.crt' is your server's cert and 'server.key' is the private key you used for issuing the CSR:
          openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name www.yourdomain.com -CAfile AddTrustExternalCARoot.crt -caname "AddTrust External CA Root"


        2. Then use keytool to convert the p12 keystore into a jks keystore:
          keytool -importkeystore -deststorepass somepass -destkeypass somepass -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass somepass



        Then import the other two root/intermediate certs you received from Comodo:




        1. Import COMODORSAAddTrustCA.crt:
          keytool -import -trustcacerts -alias cert1 -file COMODORSAAddTrustCA.crt -keystore keystore.jks


        2. Import COMODORSADomainValidationSecureServerCA.crt:
          keytool -import -trustcacerts -alias cert2 -file COMODORSADomainValidationSecureServerCA.crt -keystore keystore.jks







        share|improve this answer

































          4














          Here are the steps I followed to import the key to an existing keystore - combined instructions from answers here and other places to get these steps that worked for my java keystore:




          1. Run


          openssl pkcs12 -export -in yourserver.crt -inkey yourkey.key -out server.p12 -name somename -certfile yourca.crt -caname root



          (If required put the -chain option. Putting that failed for me).
          This will ask for the password - you must give the correct password else you will get an error
          (heading error or padding error etc).




          1. It will ask you to enter a new password - you must enter a password here - enter anything but remember it. (Let us assume you enter Aragorn).

          2. This will create the server.p12 file in the pkcs format.

          3. Now to import it into the *.jks file run:


          keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12
          -destkeystore yourexistingjavakeystore.jks -deststoretype JKS -deststorepass existingjavastorepassword -destkeypass existingjavastorepassword



          (Very important - do not leave out the deststorepass and the destkeypass parameters.)

          5. It will ask you for the src key store password. Enter Aragorn and hit enter.
          The certificate and key is now imported into your existing java keystore.






          share|improve this answer

































            3














            Previous answers point out correctly that you can only do this with the standard JDK tools by converting the JKS file into PKCS #12 format first. If you're interested, I put together a compact utility to import OpenSSL-derived keys into a JKS-formatted keystore without having to convert the keystore to PKCS #12 first: http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art049



            You would use the linked utility like this:



            $ openssl req -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/CN=localhost"


            (sign the CSR, get back localhost.cer)



            $ openssl rsa -in localhost.key -out localhost.rsa
            Enter pass phrase for localhost.key:
            writing RSA key
            $ java -classpath . KeyImport -keyFile localhost.rsa -alias localhost -certificateFile localhost.cer -keystore localhost.jks -keystorePassword changeit -keystoreType JKS -keyPassword changeit





            share|improve this answer


























            • Just linking to your own library (or utility) is not a good answer. Linking to it, explaining why it solves the problem, providing code using it to do so and disclaiming makes for a better answer. See: How can I link to an external resource in a community-friendly way?

              – Mogsdad
              Mar 2 '16 at 19:40











            • Not sure what you mean by "disclaim", but I added an example.

              – Joshua Davies
              Mar 3 '16 at 18:48











            • Great! That's a canned comment, so part didn't apply - disclaim means to report your affiliation with the linked product or service, which you did with "I put together..."

              – Mogsdad
              Mar 3 '16 at 20:17



















            2














            If you have a PEM file (e.g. server.pem) containing:




            • the trusted certificate

            • the private key


            then you can import the certificate and key into a JKS keystore like this:



            1) Copy the private key from the PEM file into an ascii file (e.g. server.key)



            2) Copy the cert from the PEM file into an ascii file (e.g. server.crt)



            3) Export the cert and key into a PKCS12 file:



            $ openssl pkcs12 -export -in server.crt -inkey server.key 
            -out server.p12 -name [some-alias] -CAfile server.pem -caname root




            • the PEM file can be used as the argument to the -CAfile option.

            • you are prompted for an 'export' password.

            • if doing this in git bash then add winpty to the start of the command so the export password can be entered.


            4) Convert the PKCS12 file to a JKS keystore:



            $ keytool -importkeystore -deststorepass changeit -destkeypass changeit 
            -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12
            -srcstorepass changeit



            • the srcstorepass password should match the export password from step 3)






            share|improve this answer































              1














              What I was trying to achieve was using already provided private key and certificate to sign message that was going someplace that needed to make sure that the message was coming from me (private keys sign while public keys encrypt).



              So if you already have a .key file and a .crt file?



              Try this:



              Step1: Convert the key and cert to .p12 file



              openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -name alias -out yourconvertedfile.p12


              Step 2: Import the key and create a .jsk file with a single command



              keytool -importkeystore -deststorepass changeit -destkeystore keystore.jks -srckeystore umeme.p12 -srcstoretype PKCS12


              Step 3: In your java:



              char keyPassword = "changeit".toCharArray();

              KeyStore keyStore = KeyStore.getInstance("JKS");
              InputStream keyStoreData = new FileInputStream("keystore.jks");

              keyStore.load(keyStoreData, keyPassword);
              KeyStore.ProtectionParameter entryPassword = new KeyStore.PasswordProtection(keyPassword);
              KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry("alias", entryPassword);

              System.out.println(privateKeyEntry.toString());


              If you need to sign some string using this key do the following:



              Step 1: Convert the text you want to encrypt



              byte data = "test".getBytes("UTF8");


              Step 2: Get base64 encoded private key



              keyStore.load(keyStoreData, keyPassword);

              //get cert, pubkey and private key from the store by alias
              Certificate cert = keyStore.getCertificate("localhost");
              PublicKey publicKey = cert.getPublicKey();
              KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

              //sign with this alg
              Signature sig = Signature.getInstance("SHA1WithRSA");
              sig.initSign(keyPair.getPrivate());
              sig.update(data);
              byte signatureBytes = sig.sign();
              System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

              sig.initVerify(keyPair.getPublic());
              sig.update(data);

              System.out.println(sig.verify(signatureBytes));


              References:




              1. How to import an existing x509 certificate and private key in Java keystore to use in SSL?

              2. http://tutorials.jenkov.com/java-cryptography/keystore.html

              3. http://www.java2s.com/Code/Java/Security/RetrievingaKeyPairfromaKeyStore.htm

              4. How to sign string with private key


              Final program



              public static void main(String args) throws Exception {

              byte data = "test".getBytes("UTF8");

              // load keystore
              char keyPassword = "changeit".toCharArray();

              KeyStore keyStore = KeyStore.getInstance("JKS");
              //System.getProperty("user.dir") + "" < for a file in particular path
              InputStream keyStoreData = new FileInputStream("keystore.jks");
              keyStore.load(keyStoreData, keyPassword);

              Key key = keyStore.getKey("localhost", keyPassword);

              Certificate cert = keyStore.getCertificate("localhost");

              PublicKey publicKey = cert.getPublicKey();

              KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

              Signature sig = Signature.getInstance("SHA1WithRSA");

              sig.initSign(keyPair.getPrivate());
              sig.update(data);
              byte signatureBytes = sig.sign();
              System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

              sig.initVerify(keyPair.getPublic());
              sig.update(data);

              System.out.println(sig.verify(signatureBytes));
              }





              share|improve this answer































                0














                Just make a PKCS12 keystore, Java can use it directly now. In fact, if you list a Java-style keystore, keytool itself alerts you to the fact that PKCS12 is now the preferred format.



                openssl pkcs12 -export -in server.crt -inkey server.key 
                -out server.p12 -name [some-alias]
                -CAfile ca.crt -caname root -chain


                You should have received all three files (server.crt, server.key, ca.crt) from your certificate provider. I am not sure what "-caname root" actually means, but it seems to have to be specified that way.



                In the Java code, make sure to specify the right keystore type.



                KeyStore.getInstance("PKCS12")


                I got my comodo.com-issued SSL certificate working fine in NanoHTTPD this way.






                share|improve this answer































                  0














                  in a case of Elliptic Curve and answer the question import an existing x509 certificate and private key in Java keystore, you may want to have a look also to this thread How to read EC Private key in java which is in .pem file format






                  share|improve this answer






















                    protected by Robert Harvey Jul 13 '14 at 18:40



                    Thank you for your interest in this question.
                    Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



                    Would you like to answer one of these unanswered questions instead?














                    14 Answers
                    14






                    active

                    oldest

                    votes








                    14 Answers
                    14






                    active

                    oldest

                    votes









                    active

                    oldest

                    votes






                    active

                    oldest

                    votes









                    66














                    Believe or not, keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKSC12 file with private key to a keystore.



                    Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool.exe.






                    share|improve this answer





















                    • 11





                      According to CoverosGene's answer keytool supports it since Java 6. This is the link he provided

                      – Houtman
                      Dec 8 '14 at 11:58













                    • For what it's worth, for all the noise on this subject, the best link is @Matej's 'workaround' link to this 2008 post: cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

                      – cloudsurfin
                      Feb 11 '16 at 0:44






                    • 2





                      I followed the answer provided by CoverosGene and it worked.

                      – Robert3452
                      Mar 20 '16 at 15:50






                    • 1





                      KeyMan doesn't seem all that user-friendly to me.

                      – Miscreant
                      Aug 10 '16 at 17:10






                    • 3





                      Broken link. Please include the details of the solution directly into the answer :-(

                      – lilalinux
                      Aug 9 '18 at 12:46
















                    66














                    Believe or not, keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKSC12 file with private key to a keystore.



                    Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool.exe.






                    share|improve this answer





















                    • 11





                      According to CoverosGene's answer keytool supports it since Java 6. This is the link he provided

                      – Houtman
                      Dec 8 '14 at 11:58













                    • For what it's worth, for all the noise on this subject, the best link is @Matej's 'workaround' link to this 2008 post: cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

                      – cloudsurfin
                      Feb 11 '16 at 0:44






                    • 2





                      I followed the answer provided by CoverosGene and it worked.

                      – Robert3452
                      Mar 20 '16 at 15:50






                    • 1





                      KeyMan doesn't seem all that user-friendly to me.

                      – Miscreant
                      Aug 10 '16 at 17:10






                    • 3





                      Broken link. Please include the details of the solution directly into the answer :-(

                      – lilalinux
                      Aug 9 '18 at 12:46














                    66












                    66








                    66







                    Believe or not, keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKSC12 file with private key to a keystore.



                    Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool.exe.






                    share|improve this answer















                    Believe or not, keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKSC12 file with private key to a keystore.



                    Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool.exe.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Oct 24 '12 at 10:58

























                    answered May 25 '09 at 17:42









                    MatejMatej

                    4,05111922




                    4,05111922








                    • 11





                      According to CoverosGene's answer keytool supports it since Java 6. This is the link he provided

                      – Houtman
                      Dec 8 '14 at 11:58













                    • For what it's worth, for all the noise on this subject, the best link is @Matej's 'workaround' link to this 2008 post: cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

                      – cloudsurfin
                      Feb 11 '16 at 0:44






                    • 2





                      I followed the answer provided by CoverosGene and it worked.

                      – Robert3452
                      Mar 20 '16 at 15:50






                    • 1





                      KeyMan doesn't seem all that user-friendly to me.

                      – Miscreant
                      Aug 10 '16 at 17:10






                    • 3





                      Broken link. Please include the details of the solution directly into the answer :-(

                      – lilalinux
                      Aug 9 '18 at 12:46














                    • 11





                      According to CoverosGene's answer keytool supports it since Java 6. This is the link he provided

                      – Houtman
                      Dec 8 '14 at 11:58













                    • For what it's worth, for all the noise on this subject, the best link is @Matej's 'workaround' link to this 2008 post: cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

                      – cloudsurfin
                      Feb 11 '16 at 0:44






                    • 2





                      I followed the answer provided by CoverosGene and it worked.

                      – Robert3452
                      Mar 20 '16 at 15:50






                    • 1





                      KeyMan doesn't seem all that user-friendly to me.

                      – Miscreant
                      Aug 10 '16 at 17:10






                    • 3





                      Broken link. Please include the details of the solution directly into the answer :-(

                      – lilalinux
                      Aug 9 '18 at 12:46








                    11




                    11





                    According to CoverosGene's answer keytool supports it since Java 6. This is the link he provided

                    – Houtman
                    Dec 8 '14 at 11:58







                    According to CoverosGene's answer keytool supports it since Java 6. This is the link he provided

                    – Houtman
                    Dec 8 '14 at 11:58















                    For what it's worth, for all the noise on this subject, the best link is @Matej's 'workaround' link to this 2008 post: cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

                    – cloudsurfin
                    Feb 11 '16 at 0:44





                    For what it's worth, for all the noise on this subject, the best link is @Matej's 'workaround' link to this 2008 post: cunning.sharp.fm/2008/06/importing_private_keys_into_a.html

                    – cloudsurfin
                    Feb 11 '16 at 0:44




                    2




                    2





                    I followed the answer provided by CoverosGene and it worked.

                    – Robert3452
                    Mar 20 '16 at 15:50





                    I followed the answer provided by CoverosGene and it worked.

                    – Robert3452
                    Mar 20 '16 at 15:50




                    1




                    1





                    KeyMan doesn't seem all that user-friendly to me.

                    – Miscreant
                    Aug 10 '16 at 17:10





                    KeyMan doesn't seem all that user-friendly to me.

                    – Miscreant
                    Aug 10 '16 at 17:10




                    3




                    3





                    Broken link. Please include the details of the solution directly into the answer :-(

                    – lilalinux
                    Aug 9 '18 at 12:46





                    Broken link. Please include the details of the solution directly into the answer :-(

                    – lilalinux
                    Aug 9 '18 at 12:46













                    481














                    I used the following two steps which I found in the comments/posts linked in the other answers:



                    Step one: Convert x509 Cert and Key to a pkcs12 file



                    openssl pkcs12 -export -in server.crt -inkey server.key 
                    -out server.p12 -name [some-alias]
                    -CAfile ca.crt -caname root


                    Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)



                    Note 2: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)



                    Step two: Convert the pkcs12 file to a java keystore



                    keytool -importkeystore 
                    -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore
                    -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password
                    -alias [some-alias]


                    Finished



                    OPTIONAL Step Zero, create self-signed certificate



                    openssl genrsa -out server.key 2048
                    openssl req -new -out server.csr -key server.key
                    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


                    Cheers!






                    share|improve this answer





















                    • 10





                      Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache)

                      – jocull
                      Jun 5 '12 at 20:12






                    • 9





                      In my case at step one the option -CAfile ca.crt -caname root didn't correctly output the CA certificates. Instead I used -certfile concatenedCAFiles.pem

                      – dcernahoschi
                      Feb 9 '13 at 0:36






                    • 11





                      Don't forget to use the -chain argument with openssl to include the full certificate chain in your pfx/p12 file if you want that in your key store.

                      – Mafuba
                      Sep 24 '13 at 2:31








                    • 3





                      In a Windows environment, pvk2pfx (a standard VS tool available in the VS cmd prompt) will spit out a .pfx--equivalent to a .p12. @jocull's advice is still relevant; put a password on it. No openssl needed.

                      – Ben Mosher
                      Nov 21 '13 at 22:49








                    • 6





                      For Tomcat in particular it's imperative that the keystore and the key passwords are same. When you import a .p12 the key will have the password of the original .p12. Tomcat will fail with java.security.UnrecoverableKeyException: Cannot recover key. In other words: if you need to execute -deststorepass changeit -srcstorepass some-password with different passwords, then you must include -destkeypass changeit (with same password as -deststorepass)

                      – Slav
                      Oct 2 '14 at 15:14
















                    481














                    I used the following two steps which I found in the comments/posts linked in the other answers:



                    Step one: Convert x509 Cert and Key to a pkcs12 file



                    openssl pkcs12 -export -in server.crt -inkey server.key 
                    -out server.p12 -name [some-alias]
                    -CAfile ca.crt -caname root


                    Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)



                    Note 2: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)



                    Step two: Convert the pkcs12 file to a java keystore



                    keytool -importkeystore 
                    -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore
                    -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password
                    -alias [some-alias]


                    Finished



                    OPTIONAL Step Zero, create self-signed certificate



                    openssl genrsa -out server.key 2048
                    openssl req -new -out server.csr -key server.key
                    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


                    Cheers!






                    share|improve this answer





















                    • 10





                      Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache)

                      – jocull
                      Jun 5 '12 at 20:12






                    • 9





                      In my case at step one the option -CAfile ca.crt -caname root didn't correctly output the CA certificates. Instead I used -certfile concatenedCAFiles.pem

                      – dcernahoschi
                      Feb 9 '13 at 0:36






                    • 11





                      Don't forget to use the -chain argument with openssl to include the full certificate chain in your pfx/p12 file if you want that in your key store.

                      – Mafuba
                      Sep 24 '13 at 2:31








                    • 3





                      In a Windows environment, pvk2pfx (a standard VS tool available in the VS cmd prompt) will spit out a .pfx--equivalent to a .p12. @jocull's advice is still relevant; put a password on it. No openssl needed.

                      – Ben Mosher
                      Nov 21 '13 at 22:49








                    • 6





                      For Tomcat in particular it's imperative that the keystore and the key passwords are same. When you import a .p12 the key will have the password of the original .p12. Tomcat will fail with java.security.UnrecoverableKeyException: Cannot recover key. In other words: if you need to execute -deststorepass changeit -srcstorepass some-password with different passwords, then you must include -destkeypass changeit (with same password as -deststorepass)

                      – Slav
                      Oct 2 '14 at 15:14














                    481












                    481








                    481







                    I used the following two steps which I found in the comments/posts linked in the other answers:



                    Step one: Convert x509 Cert and Key to a pkcs12 file



                    openssl pkcs12 -export -in server.crt -inkey server.key 
                    -out server.p12 -name [some-alias]
                    -CAfile ca.crt -caname root


                    Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)



                    Note 2: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)



                    Step two: Convert the pkcs12 file to a java keystore



                    keytool -importkeystore 
                    -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore
                    -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password
                    -alias [some-alias]


                    Finished



                    OPTIONAL Step Zero, create self-signed certificate



                    openssl genrsa -out server.key 2048
                    openssl req -new -out server.csr -key server.key
                    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


                    Cheers!






                    share|improve this answer















                    I used the following two steps which I found in the comments/posts linked in the other answers:



                    Step one: Convert x509 Cert and Key to a pkcs12 file



                    openssl pkcs12 -export -in server.crt -inkey server.key 
                    -out server.p12 -name [some-alias]
                    -CAfile ca.crt -caname root


                    Note: Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)



                    Note 2: You might want to add the -chainoption to preserve the full certificate chain. (Thanks Mafuba)



                    Step two: Convert the pkcs12 file to a java keystore



                    keytool -importkeystore 
                    -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore
                    -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password
                    -alias [some-alias]


                    Finished



                    OPTIONAL Step Zero, create self-signed certificate



                    openssl genrsa -out server.key 2048
                    openssl req -new -out server.csr -key server.key
                    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


                    Cheers!







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Jun 17 '15 at 14:04









                    codybuell

                    1581312




                    1581312










                    answered Nov 22 '11 at 9:52









                    retoreto

                    12.1k64258




                    12.1k64258








                    • 10





                      Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache)

                      – jocull
                      Jun 5 '12 at 20:12






                    • 9





                      In my case at step one the option -CAfile ca.crt -caname root didn't correctly output the CA certificates. Instead I used -certfile concatenedCAFiles.pem

                      – dcernahoschi
                      Feb 9 '13 at 0:36






                    • 11





                      Don't forget to use the -chain argument with openssl to include the full certificate chain in your pfx/p12 file if you want that in your key store.

                      – Mafuba
                      Sep 24 '13 at 2:31








                    • 3





                      In a Windows environment, pvk2pfx (a standard VS tool available in the VS cmd prompt) will spit out a .pfx--equivalent to a .p12. @jocull's advice is still relevant; put a password on it. No openssl needed.

                      – Ben Mosher
                      Nov 21 '13 at 22:49








                    • 6





                      For Tomcat in particular it's imperative that the keystore and the key passwords are same. When you import a .p12 the key will have the password of the original .p12. Tomcat will fail with java.security.UnrecoverableKeyException: Cannot recover key. In other words: if you need to execute -deststorepass changeit -srcstorepass some-password with different passwords, then you must include -destkeypass changeit (with same password as -deststorepass)

                      – Slav
                      Oct 2 '14 at 15:14














                    • 10





                      Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache)

                      – jocull
                      Jun 5 '12 at 20:12






                    • 9





                      In my case at step one the option -CAfile ca.crt -caname root didn't correctly output the CA certificates. Instead I used -certfile concatenedCAFiles.pem

                      – dcernahoschi
                      Feb 9 '13 at 0:36






                    • 11





                      Don't forget to use the -chain argument with openssl to include the full certificate chain in your pfx/p12 file if you want that in your key store.

                      – Mafuba
                      Sep 24 '13 at 2:31








                    • 3





                      In a Windows environment, pvk2pfx (a standard VS tool available in the VS cmd prompt) will spit out a .pfx--equivalent to a .p12. @jocull's advice is still relevant; put a password on it. No openssl needed.

                      – Ben Mosher
                      Nov 21 '13 at 22:49








                    • 6





                      For Tomcat in particular it's imperative that the keystore and the key passwords are same. When you import a .p12 the key will have the password of the original .p12. Tomcat will fail with java.security.UnrecoverableKeyException: Cannot recover key. In other words: if you need to execute -deststorepass changeit -srcstorepass some-password with different passwords, then you must include -destkeypass changeit (with same password as -deststorepass)

                      – Slav
                      Oct 2 '14 at 15:14








                    10




                    10





                    Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache)

                    – jocull
                    Jun 5 '12 at 20:12





                    Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it. (In case anyone else had this headache)

                    – jocull
                    Jun 5 '12 at 20:12




                    9




                    9





                    In my case at step one the option -CAfile ca.crt -caname root didn't correctly output the CA certificates. Instead I used -certfile concatenedCAFiles.pem

                    – dcernahoschi
                    Feb 9 '13 at 0:36





                    In my case at step one the option -CAfile ca.crt -caname root didn't correctly output the CA certificates. Instead I used -certfile concatenedCAFiles.pem

                    – dcernahoschi
                    Feb 9 '13 at 0:36




                    11




                    11





                    Don't forget to use the -chain argument with openssl to include the full certificate chain in your pfx/p12 file if you want that in your key store.

                    – Mafuba
                    Sep 24 '13 at 2:31







                    Don't forget to use the -chain argument with openssl to include the full certificate chain in your pfx/p12 file if you want that in your key store.

                    – Mafuba
                    Sep 24 '13 at 2:31






                    3




                    3





                    In a Windows environment, pvk2pfx (a standard VS tool available in the VS cmd prompt) will spit out a .pfx--equivalent to a .p12. @jocull's advice is still relevant; put a password on it. No openssl needed.

                    – Ben Mosher
                    Nov 21 '13 at 22:49







                    In a Windows environment, pvk2pfx (a standard VS tool available in the VS cmd prompt) will spit out a .pfx--equivalent to a .p12. @jocull's advice is still relevant; put a password on it. No openssl needed.

                    – Ben Mosher
                    Nov 21 '13 at 22:49






                    6




                    6





                    For Tomcat in particular it's imperative that the keystore and the key passwords are same. When you import a .p12 the key will have the password of the original .p12. Tomcat will fail with java.security.UnrecoverableKeyException: Cannot recover key. In other words: if you need to execute -deststorepass changeit -srcstorepass some-password with different passwords, then you must include -destkeypass changeit (with same password as -deststorepass)

                    – Slav
                    Oct 2 '14 at 15:14





                    For Tomcat in particular it's imperative that the keystore and the key passwords are same. When you import a .p12 the key will have the password of the original .p12. Tomcat will fail with java.security.UnrecoverableKeyException: Cannot recover key. In other words: if you need to execute -deststorepass changeit -srcstorepass some-password with different passwords, then you must include -destkeypass changeit (with same password as -deststorepass)

                    – Slav
                    Oct 2 '14 at 15:14











                    114














                    Keytool in Java 6 does have this capability: Importing private keys into a Java keystore using keytool



                    Here are the basic details from that post.





                    1. Convert the existing cert to a PKCS12 using OpenSSL. A password is required when asked or the 2nd step will complain.



                      openssl pkcs12 -export -in [my_certificate.crt] -inkey [my_key.key] -out [keystore.p12] -name [new_alias] -CAfile [my_ca_bundle.crt] -caname root



                    2. Convert the PKCS12 to a Java Keystore File.



                      keytool -importkeystore -deststorepass [new_keystore_pass] -destkeypass [new_key_pass] -destkeystore [keystore.jks] -srckeystore [keystore.p12] -srcstoretype PKCS12 -srcstorepass [pass_used_in_p12_keystore] -alias [alias_used_in_p12_keystore]







                    share|improve this answer





















                    • 4





                      The answer by @reto contains the contents of this link.

                      – Mafuba
                      Sep 24 '13 at 2:33






                    • 4





                      As stated by @Mafuba, you must still create a separate pkcs12 keystore with non-java tool like openssl - then this can be imported into a jks store by keytool as stated in the answer by reto.

                      – Mister_Tom
                      Dec 6 '13 at 21:09











                    • One thing that makes this a good answer is the fact that the input certs are clearly specified in the brackets.

                      – Mr.Budris
                      May 3 '17 at 14:07
















                    114














                    Keytool in Java 6 does have this capability: Importing private keys into a Java keystore using keytool



                    Here are the basic details from that post.





                    1. Convert the existing cert to a PKCS12 using OpenSSL. A password is required when asked or the 2nd step will complain.



                      openssl pkcs12 -export -in [my_certificate.crt] -inkey [my_key.key] -out [keystore.p12] -name [new_alias] -CAfile [my_ca_bundle.crt] -caname root



                    2. Convert the PKCS12 to a Java Keystore File.



                      keytool -importkeystore -deststorepass [new_keystore_pass] -destkeypass [new_key_pass] -destkeystore [keystore.jks] -srckeystore [keystore.p12] -srcstoretype PKCS12 -srcstorepass [pass_used_in_p12_keystore] -alias [alias_used_in_p12_keystore]







                    share|improve this answer





















                    • 4





                      The answer by @reto contains the contents of this link.

                      – Mafuba
                      Sep 24 '13 at 2:33






                    • 4





                      As stated by @Mafuba, you must still create a separate pkcs12 keystore with non-java tool like openssl - then this can be imported into a jks store by keytool as stated in the answer by reto.

                      – Mister_Tom
                      Dec 6 '13 at 21:09











                    • One thing that makes this a good answer is the fact that the input certs are clearly specified in the brackets.

                      – Mr.Budris
                      May 3 '17 at 14:07














                    114












                    114








                    114







                    Keytool in Java 6 does have this capability: Importing private keys into a Java keystore using keytool



                    Here are the basic details from that post.





                    1. Convert the existing cert to a PKCS12 using OpenSSL. A password is required when asked or the 2nd step will complain.



                      openssl pkcs12 -export -in [my_certificate.crt] -inkey [my_key.key] -out [keystore.p12] -name [new_alias] -CAfile [my_ca_bundle.crt] -caname root



                    2. Convert the PKCS12 to a Java Keystore File.



                      keytool -importkeystore -deststorepass [new_keystore_pass] -destkeypass [new_key_pass] -destkeystore [keystore.jks] -srckeystore [keystore.p12] -srcstoretype PKCS12 -srcstorepass [pass_used_in_p12_keystore] -alias [alias_used_in_p12_keystore]







                    share|improve this answer















                    Keytool in Java 6 does have this capability: Importing private keys into a Java keystore using keytool



                    Here are the basic details from that post.





                    1. Convert the existing cert to a PKCS12 using OpenSSL. A password is required when asked or the 2nd step will complain.



                      openssl pkcs12 -export -in [my_certificate.crt] -inkey [my_key.key] -out [keystore.p12] -name [new_alias] -CAfile [my_ca_bundle.crt] -caname root



                    2. Convert the PKCS12 to a Java Keystore File.



                      keytool -importkeystore -deststorepass [new_keystore_pass] -destkeypass [new_key_pass] -destkeystore [keystore.jks] -srckeystore [keystore.p12] -srcstoretype PKCS12 -srcstorepass [pass_used_in_p12_keystore] -alias [alias_used_in_p12_keystore]








                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Mar 6 '18 at 9:55









                    Hi I'm Frogatto

                    20.5k86097




                    20.5k86097










                    answered Jan 26 '10 at 17:26









                    CoverosGeneCoverosGene

                    6,08922543




                    6,08922543








                    • 4





                      The answer by @reto contains the contents of this link.

                      – Mafuba
                      Sep 24 '13 at 2:33






                    • 4





                      As stated by @Mafuba, you must still create a separate pkcs12 keystore with non-java tool like openssl - then this can be imported into a jks store by keytool as stated in the answer by reto.

                      – Mister_Tom
                      Dec 6 '13 at 21:09











                    • One thing that makes this a good answer is the fact that the input certs are clearly specified in the brackets.

                      – Mr.Budris
                      May 3 '17 at 14:07














                    • 4





                      The answer by @reto contains the contents of this link.

                      – Mafuba
                      Sep 24 '13 at 2:33






                    • 4





                      As stated by @Mafuba, you must still create a separate pkcs12 keystore with non-java tool like openssl - then this can be imported into a jks store by keytool as stated in the answer by reto.

                      – Mister_Tom
                      Dec 6 '13 at 21:09











                    • One thing that makes this a good answer is the fact that the input certs are clearly specified in the brackets.

                      – Mr.Budris
                      May 3 '17 at 14:07








                    4




                    4





                    The answer by @reto contains the contents of this link.

                    – Mafuba
                    Sep 24 '13 at 2:33





                    The answer by @reto contains the contents of this link.

                    – Mafuba
                    Sep 24 '13 at 2:33




                    4




                    4





                    As stated by @Mafuba, you must still create a separate pkcs12 keystore with non-java tool like openssl - then this can be imported into a jks store by keytool as stated in the answer by reto.

                    – Mister_Tom
                    Dec 6 '13 at 21:09





                    As stated by @Mafuba, you must still create a separate pkcs12 keystore with non-java tool like openssl - then this can be imported into a jks store by keytool as stated in the answer by reto.

                    – Mister_Tom
                    Dec 6 '13 at 21:09













                    One thing that makes this a good answer is the fact that the input certs are clearly specified in the brackets.

                    – Mr.Budris
                    May 3 '17 at 14:07





                    One thing that makes this a good answer is the fact that the input certs are clearly specified in the brackets.

                    – Mr.Budris
                    May 3 '17 at 14:07











                    9














                    And one more:



                    #!/bin/bash

                    # We have:
                    #
                    # 1) $KEY : Secret key in PEM format ("-----BEGIN RSA PRIVATE KEY-----")
                    # 2) $LEAFCERT : Certificate for secret key obtained from some
                    # certification outfit, also in PEM format ("-----BEGIN CERTIFICATE-----")
                    # 3) $CHAINCERT : Intermediate certificate linking $LEAFCERT to a trusted
                    # Self-Signed Root CA Certificate
                    #
                    # We want to create a fresh Java "keystore" $TARGET_KEYSTORE with the
                    # password $TARGET_STOREPW, to be used by Tomcat for HTTPS Connector.
                    #
                    # The keystore must contain: $KEY, $LEAFCERT, $CHAINCERT
                    # The Self-Signed Root CA Certificate is obtained by Tomcat from the
                    # JDK's truststore in /etc/pki/java/cacerts

                    # The non-APR HTTPS connector (APR uses OpenSSL-like configuration, much
                    # easier than this) in server.xml looks like this
                    # (See: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html):
                    #
                    # <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                    # SSLEnabled="true"
                    # maxThreads="150" scheme="https" secure="true"
                    # clientAuth="false" sslProtocol="TLS"
                    # keystoreFile="/etc/tomcat6/etl-web.keystore.jks"
                    # keystorePass="changeit" />
                    #

                    # Let's roll:

                    TARGET_KEYSTORE=/etc/tomcat6/foo-server.keystore.jks
                    TARGET_STOREPW=changeit

                    TLS=/etc/pki/tls

                    KEY=$TLS/private/httpd/foo-server.example.com.key
                    LEAFCERT=$TLS/certs/httpd/foo-server.example.com.pem
                    CHAINCERT=$TLS/certs/httpd/chain.cert.pem

                    # ----
                    # Create PKCS#12 file to import using keytool later
                    # ----

                    # From https://www.sslshopper.com/ssl-converter.html:
                    # The PKCS#12 or PFX format is a binary format for storing the server certificate,
                    # any intermediate certificates, and the private key in one encryptable file. PFX
                    # files usually have extensions such as .pfx and .p12. PFX files are typically used
                    # on Windows machines to import and export certificates and private keys.

                    TMPPW=$$ # Some random password

                    PKCS12FILE=`mktemp`

                    if [[ $? != 0 ]]; then
                    echo "Creation of temporary PKCS12 file failed -- exiting" >&2; exit 1
                    fi

                    TRANSITFILE=`mktemp`

                    if [[ $? != 0 ]]; then
                    echo "Creation of temporary transit file failed -- exiting" >&2; exit 1
                    fi

                    cat "$KEY" "$LEAFCERT" > "$TRANSITFILE"

                    openssl pkcs12 -export -passout "pass:$TMPPW" -in "$TRANSITFILE" -name etl-web > "$PKCS12FILE"

                    /bin/rm "$TRANSITFILE"

                    # Print out result for fun! Bug in doc (I think): "-pass " arg does not work, need "-passin"

                    openssl pkcs12 -passin "pass:$TMPPW" -passout "pass:$TMPPW" -in "$PKCS12FILE" -info

                    # ----
                    # Import contents of PKCS12FILE into a Java keystore. WTF, Sun, what were you thinking?
                    # ----

                    if [[ -f "$TARGET_KEYSTORE" ]]; then
                    /bin/rm "$TARGET_KEYSTORE"
                    fi

                    keytool -importkeystore
                    -deststorepass "$TARGET_STOREPW"
                    -destkeypass "$TARGET_STOREPW"
                    -destkeystore "$TARGET_KEYSTORE"
                    -srckeystore "$PKCS12FILE"
                    -srcstoretype PKCS12
                    -srcstorepass "$TMPPW"
                    -alias foo-the-server

                    /bin/rm "$PKCS12FILE"

                    # ----
                    # Import the chain certificate. This works empirically, it is not at all clear from the doc whether this is correct
                    # ----

                    echo "Importing chain"

                    TT=-trustcacerts

                    keytool -import $TT -storepass "$TARGET_STOREPW" -file "$CHAINCERT" -keystore "$TARGET_KEYSTORE" -alias chain

                    # ----
                    # Print contents
                    # ----

                    echo "Listing result"

                    keytool -list -storepass "$TARGET_STOREPW" -keystore "$TARGET_KEYSTORE"





                    share|improve this answer






























                      9














                      And one more:



                      #!/bin/bash

                      # We have:
                      #
                      # 1) $KEY : Secret key in PEM format ("-----BEGIN RSA PRIVATE KEY-----")
                      # 2) $LEAFCERT : Certificate for secret key obtained from some
                      # certification outfit, also in PEM format ("-----BEGIN CERTIFICATE-----")
                      # 3) $CHAINCERT : Intermediate certificate linking $LEAFCERT to a trusted
                      # Self-Signed Root CA Certificate
                      #
                      # We want to create a fresh Java "keystore" $TARGET_KEYSTORE with the
                      # password $TARGET_STOREPW, to be used by Tomcat for HTTPS Connector.
                      #
                      # The keystore must contain: $KEY, $LEAFCERT, $CHAINCERT
                      # The Self-Signed Root CA Certificate is obtained by Tomcat from the
                      # JDK's truststore in /etc/pki/java/cacerts

                      # The non-APR HTTPS connector (APR uses OpenSSL-like configuration, much
                      # easier than this) in server.xml looks like this
                      # (See: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html):
                      #
                      # <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                      # SSLEnabled="true"
                      # maxThreads="150" scheme="https" secure="true"
                      # clientAuth="false" sslProtocol="TLS"
                      # keystoreFile="/etc/tomcat6/etl-web.keystore.jks"
                      # keystorePass="changeit" />
                      #

                      # Let's roll:

                      TARGET_KEYSTORE=/etc/tomcat6/foo-server.keystore.jks
                      TARGET_STOREPW=changeit

                      TLS=/etc/pki/tls

                      KEY=$TLS/private/httpd/foo-server.example.com.key
                      LEAFCERT=$TLS/certs/httpd/foo-server.example.com.pem
                      CHAINCERT=$TLS/certs/httpd/chain.cert.pem

                      # ----
                      # Create PKCS#12 file to import using keytool later
                      # ----

                      # From https://www.sslshopper.com/ssl-converter.html:
                      # The PKCS#12 or PFX format is a binary format for storing the server certificate,
                      # any intermediate certificates, and the private key in one encryptable file. PFX
                      # files usually have extensions such as .pfx and .p12. PFX files are typically used
                      # on Windows machines to import and export certificates and private keys.

                      TMPPW=$$ # Some random password

                      PKCS12FILE=`mktemp`

                      if [[ $? != 0 ]]; then
                      echo "Creation of temporary PKCS12 file failed -- exiting" >&2; exit 1
                      fi

                      TRANSITFILE=`mktemp`

                      if [[ $? != 0 ]]; then
                      echo "Creation of temporary transit file failed -- exiting" >&2; exit 1
                      fi

                      cat "$KEY" "$LEAFCERT" > "$TRANSITFILE"

                      openssl pkcs12 -export -passout "pass:$TMPPW" -in "$TRANSITFILE" -name etl-web > "$PKCS12FILE"

                      /bin/rm "$TRANSITFILE"

                      # Print out result for fun! Bug in doc (I think): "-pass " arg does not work, need "-passin"

                      openssl pkcs12 -passin "pass:$TMPPW" -passout "pass:$TMPPW" -in "$PKCS12FILE" -info

                      # ----
                      # Import contents of PKCS12FILE into a Java keystore. WTF, Sun, what were you thinking?
                      # ----

                      if [[ -f "$TARGET_KEYSTORE" ]]; then
                      /bin/rm "$TARGET_KEYSTORE"
                      fi

                      keytool -importkeystore
                      -deststorepass "$TARGET_STOREPW"
                      -destkeypass "$TARGET_STOREPW"
                      -destkeystore "$TARGET_KEYSTORE"
                      -srckeystore "$PKCS12FILE"
                      -srcstoretype PKCS12
                      -srcstorepass "$TMPPW"
                      -alias foo-the-server

                      /bin/rm "$PKCS12FILE"

                      # ----
                      # Import the chain certificate. This works empirically, it is not at all clear from the doc whether this is correct
                      # ----

                      echo "Importing chain"

                      TT=-trustcacerts

                      keytool -import $TT -storepass "$TARGET_STOREPW" -file "$CHAINCERT" -keystore "$TARGET_KEYSTORE" -alias chain

                      # ----
                      # Print contents
                      # ----

                      echo "Listing result"

                      keytool -list -storepass "$TARGET_STOREPW" -keystore "$TARGET_KEYSTORE"





                      share|improve this answer




























                        9












                        9








                        9







                        And one more:



                        #!/bin/bash

                        # We have:
                        #
                        # 1) $KEY : Secret key in PEM format ("-----BEGIN RSA PRIVATE KEY-----")
                        # 2) $LEAFCERT : Certificate for secret key obtained from some
                        # certification outfit, also in PEM format ("-----BEGIN CERTIFICATE-----")
                        # 3) $CHAINCERT : Intermediate certificate linking $LEAFCERT to a trusted
                        # Self-Signed Root CA Certificate
                        #
                        # We want to create a fresh Java "keystore" $TARGET_KEYSTORE with the
                        # password $TARGET_STOREPW, to be used by Tomcat for HTTPS Connector.
                        #
                        # The keystore must contain: $KEY, $LEAFCERT, $CHAINCERT
                        # The Self-Signed Root CA Certificate is obtained by Tomcat from the
                        # JDK's truststore in /etc/pki/java/cacerts

                        # The non-APR HTTPS connector (APR uses OpenSSL-like configuration, much
                        # easier than this) in server.xml looks like this
                        # (See: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html):
                        #
                        # <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                        # SSLEnabled="true"
                        # maxThreads="150" scheme="https" secure="true"
                        # clientAuth="false" sslProtocol="TLS"
                        # keystoreFile="/etc/tomcat6/etl-web.keystore.jks"
                        # keystorePass="changeit" />
                        #

                        # Let's roll:

                        TARGET_KEYSTORE=/etc/tomcat6/foo-server.keystore.jks
                        TARGET_STOREPW=changeit

                        TLS=/etc/pki/tls

                        KEY=$TLS/private/httpd/foo-server.example.com.key
                        LEAFCERT=$TLS/certs/httpd/foo-server.example.com.pem
                        CHAINCERT=$TLS/certs/httpd/chain.cert.pem

                        # ----
                        # Create PKCS#12 file to import using keytool later
                        # ----

                        # From https://www.sslshopper.com/ssl-converter.html:
                        # The PKCS#12 or PFX format is a binary format for storing the server certificate,
                        # any intermediate certificates, and the private key in one encryptable file. PFX
                        # files usually have extensions such as .pfx and .p12. PFX files are typically used
                        # on Windows machines to import and export certificates and private keys.

                        TMPPW=$$ # Some random password

                        PKCS12FILE=`mktemp`

                        if [[ $? != 0 ]]; then
                        echo "Creation of temporary PKCS12 file failed -- exiting" >&2; exit 1
                        fi

                        TRANSITFILE=`mktemp`

                        if [[ $? != 0 ]]; then
                        echo "Creation of temporary transit file failed -- exiting" >&2; exit 1
                        fi

                        cat "$KEY" "$LEAFCERT" > "$TRANSITFILE"

                        openssl pkcs12 -export -passout "pass:$TMPPW" -in "$TRANSITFILE" -name etl-web > "$PKCS12FILE"

                        /bin/rm "$TRANSITFILE"

                        # Print out result for fun! Bug in doc (I think): "-pass " arg does not work, need "-passin"

                        openssl pkcs12 -passin "pass:$TMPPW" -passout "pass:$TMPPW" -in "$PKCS12FILE" -info

                        # ----
                        # Import contents of PKCS12FILE into a Java keystore. WTF, Sun, what were you thinking?
                        # ----

                        if [[ -f "$TARGET_KEYSTORE" ]]; then
                        /bin/rm "$TARGET_KEYSTORE"
                        fi

                        keytool -importkeystore
                        -deststorepass "$TARGET_STOREPW"
                        -destkeypass "$TARGET_STOREPW"
                        -destkeystore "$TARGET_KEYSTORE"
                        -srckeystore "$PKCS12FILE"
                        -srcstoretype PKCS12
                        -srcstorepass "$TMPPW"
                        -alias foo-the-server

                        /bin/rm "$PKCS12FILE"

                        # ----
                        # Import the chain certificate. This works empirically, it is not at all clear from the doc whether this is correct
                        # ----

                        echo "Importing chain"

                        TT=-trustcacerts

                        keytool -import $TT -storepass "$TARGET_STOREPW" -file "$CHAINCERT" -keystore "$TARGET_KEYSTORE" -alias chain

                        # ----
                        # Print contents
                        # ----

                        echo "Listing result"

                        keytool -list -storepass "$TARGET_STOREPW" -keystore "$TARGET_KEYSTORE"





                        share|improve this answer















                        And one more:



                        #!/bin/bash

                        # We have:
                        #
                        # 1) $KEY : Secret key in PEM format ("-----BEGIN RSA PRIVATE KEY-----")
                        # 2) $LEAFCERT : Certificate for secret key obtained from some
                        # certification outfit, also in PEM format ("-----BEGIN CERTIFICATE-----")
                        # 3) $CHAINCERT : Intermediate certificate linking $LEAFCERT to a trusted
                        # Self-Signed Root CA Certificate
                        #
                        # We want to create a fresh Java "keystore" $TARGET_KEYSTORE with the
                        # password $TARGET_STOREPW, to be used by Tomcat for HTTPS Connector.
                        #
                        # The keystore must contain: $KEY, $LEAFCERT, $CHAINCERT
                        # The Self-Signed Root CA Certificate is obtained by Tomcat from the
                        # JDK's truststore in /etc/pki/java/cacerts

                        # The non-APR HTTPS connector (APR uses OpenSSL-like configuration, much
                        # easier than this) in server.xml looks like this
                        # (See: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html):
                        #
                        # <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                        # SSLEnabled="true"
                        # maxThreads="150" scheme="https" secure="true"
                        # clientAuth="false" sslProtocol="TLS"
                        # keystoreFile="/etc/tomcat6/etl-web.keystore.jks"
                        # keystorePass="changeit" />
                        #

                        # Let's roll:

                        TARGET_KEYSTORE=/etc/tomcat6/foo-server.keystore.jks
                        TARGET_STOREPW=changeit

                        TLS=/etc/pki/tls

                        KEY=$TLS/private/httpd/foo-server.example.com.key
                        LEAFCERT=$TLS/certs/httpd/foo-server.example.com.pem
                        CHAINCERT=$TLS/certs/httpd/chain.cert.pem

                        # ----
                        # Create PKCS#12 file to import using keytool later
                        # ----

                        # From https://www.sslshopper.com/ssl-converter.html:
                        # The PKCS#12 or PFX format is a binary format for storing the server certificate,
                        # any intermediate certificates, and the private key in one encryptable file. PFX
                        # files usually have extensions such as .pfx and .p12. PFX files are typically used
                        # on Windows machines to import and export certificates and private keys.

                        TMPPW=$$ # Some random password

                        PKCS12FILE=`mktemp`

                        if [[ $? != 0 ]]; then
                        echo "Creation of temporary PKCS12 file failed -- exiting" >&2; exit 1
                        fi

                        TRANSITFILE=`mktemp`

                        if [[ $? != 0 ]]; then
                        echo "Creation of temporary transit file failed -- exiting" >&2; exit 1
                        fi

                        cat "$KEY" "$LEAFCERT" > "$TRANSITFILE"

                        openssl pkcs12 -export -passout "pass:$TMPPW" -in "$TRANSITFILE" -name etl-web > "$PKCS12FILE"

                        /bin/rm "$TRANSITFILE"

                        # Print out result for fun! Bug in doc (I think): "-pass " arg does not work, need "-passin"

                        openssl pkcs12 -passin "pass:$TMPPW" -passout "pass:$TMPPW" -in "$PKCS12FILE" -info

                        # ----
                        # Import contents of PKCS12FILE into a Java keystore. WTF, Sun, what were you thinking?
                        # ----

                        if [[ -f "$TARGET_KEYSTORE" ]]; then
                        /bin/rm "$TARGET_KEYSTORE"
                        fi

                        keytool -importkeystore
                        -deststorepass "$TARGET_STOREPW"
                        -destkeypass "$TARGET_STOREPW"
                        -destkeystore "$TARGET_KEYSTORE"
                        -srckeystore "$PKCS12FILE"
                        -srcstoretype PKCS12
                        -srcstorepass "$TMPPW"
                        -alias foo-the-server

                        /bin/rm "$PKCS12FILE"

                        # ----
                        # Import the chain certificate. This works empirically, it is not at all clear from the doc whether this is correct
                        # ----

                        echo "Importing chain"

                        TT=-trustcacerts

                        keytool -import $TT -storepass "$TARGET_STOREPW" -file "$CHAINCERT" -keystore "$TARGET_KEYSTORE" -alias chain

                        # ----
                        # Print contents
                        # ----

                        echo "Listing result"

                        keytool -list -storepass "$TARGET_STOREPW" -keystore "$TARGET_KEYSTORE"






                        share|improve this answer














                        share|improve this answer



                        share|improve this answer








                        edited Jul 27 '15 at 23:08

























                        answered Jul 27 '15 at 23:00









                        David TonhoferDavid Tonhofer

                        5,60313532




                        5,60313532























                            8














                            Yes, it's indeed a sad fact that keytool has no functionality to import a private key.



                            For the record, at the end I went with the solution described here






                            share|improve this answer






























                              8














                              Yes, it's indeed a sad fact that keytool has no functionality to import a private key.



                              For the record, at the end I went with the solution described here






                              share|improve this answer




























                                8












                                8








                                8







                                Yes, it's indeed a sad fact that keytool has no functionality to import a private key.



                                For the record, at the end I went with the solution described here






                                share|improve this answer















                                Yes, it's indeed a sad fact that keytool has no functionality to import a private key.



                                For the record, at the end I went with the solution described here







                                share|improve this answer














                                share|improve this answer



                                share|improve this answer








                                edited Sep 10 '16 at 3:26









                                SeldomNeedy

                                589718




                                589718










                                answered May 26 '09 at 7:19









                                Aleksandar IvanisevicAleksandar Ivanisevic

                                1,275398




                                1,275398























                                    7














                                    First convert to p12:



                                    openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]


                                    Create new JKS from p12:



                                    keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12





                                    share|improve this answer




























                                      7














                                      First convert to p12:



                                      openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]


                                      Create new JKS from p12:



                                      keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12





                                      share|improve this answer


























                                        7












                                        7








                                        7







                                        First convert to p12:



                                        openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]


                                        Create new JKS from p12:



                                        keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12





                                        share|improve this answer













                                        First convert to p12:



                                        openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]


                                        Create new JKS from p12:



                                        keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12






                                        share|improve this answer












                                        share|improve this answer



                                        share|improve this answer










                                        answered Jun 1 '17 at 8:49









                                        Michał JurczukMichał Jurczuk

                                        1,84912341




                                        1,84912341























                                            6














                                            In my case I had a pem file which contained two certificates and an encrypted private key to be used in mutual SSL authentication.
                                            So my pem file looked like this:



                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----
                                            -----BEGIN RSA PRIVATE KEY-----
                                            Proc-Type: 4,ENCRYPTED
                                            DEK-Info: DES-EDE3-CBC,C8BF220FC76AA5F9
                                            ...
                                            -----END RSA PRIVATE KEY-----
                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----


                                            Here is what I did:



                                            Split the file into three separate files, so that each one contains just one entry,
                                            starting with "---BEGIN.." and ending with "---END.." lines. Lets assume we now have three files: cert1.pem cert2.pem and pkey.pem



                                            Convert pkey.pem into DER format using openssl and the following syntax:



                                            openssl pkcs8 -topk8 -nocrypt -in pkey.pem -inform PEM -out pkey.der -outform DER



                                            Note, that if the private key is encrypted you need to supply a password( obtain it from the supplier of the original pem file )
                                            to convert to DER format,
                                            openssl will ask you for the password like this: "enter a pass phraze for pkey.pem: "
                                            If conversion is successful, you will get a new file called "pkey.der"



                                            Create a new java key store and import the private key and the certificates:



                                            String keypass = "password";  // this is a new password, you need to come up with to protect your java key store file
                                            String defaultalias = "importkey";
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");

                                            // this section does not make much sense to me,
                                            // but I will leave it intact as this is how it was in the original example I found on internet:
                                            ks.load( null, keypass.toCharArray());
                                            ks.store( new FileOutputStream ( "mykeystore" ), keypass.toCharArray());
                                            ks.load( new FileInputStream ( "mykeystore" ), keypass.toCharArray());
                                            // end of section..


                                            // read the key file from disk and create a PrivateKey

                                            FileInputStream fis = new FileInputStream("pkey.der");
                                            DataInputStream dis = new DataInputStream(fis);
                                            byte bytes = new byte[dis.available()];
                                            dis.readFully(bytes);
                                            ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

                                            byte key = new byte[bais.available()];
                                            KeyFactory kf = KeyFactory.getInstance("RSA");
                                            bais.read(key, 0, bais.available());
                                            bais.close();

                                            PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
                                            PrivateKey ff = kf.generatePrivate (keysp);


                                            // read the certificates from the files and load them into the key store:

                                            Collection col_crt1 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert1.pem"));
                                            Collection col_crt2 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert2.pem"));

                                            Certificate crt1 = (Certificate) col_crt1.iterator().next();
                                            Certificate crt2 = (Certificate) col_crt2.iterator().next();
                                            Certificate chain = new Certificate { crt1, crt2 };

                                            String alias1 = ((X509Certificate) crt1).getSubjectX500Principal().getName();
                                            String alias2 = ((X509Certificate) crt2).getSubjectX500Principal().getName();

                                            ks.setCertificateEntry(alias1, crt1);
                                            ks.setCertificateEntry(alias2, crt2);

                                            // store the private key
                                            ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), chain );

                                            // save the key store to a file
                                            ks.store(new FileOutputStream ( "mykeystore" ),keypass.toCharArray());


                                            (optional) Verify the content of your new key store:



                                            keytool -list -keystore mykeystore -storepass password




                                            Keystore type: JKS Keystore provider: SUN



                                            Your keystore contains 3 entries



                                            cn=...,ou=...,o=.., Sep 2, 2014, trustedCertEntry, Certificate
                                            fingerprint (SHA1): 2C:B8: ...



                                            importkey, Sep 2, 2014, PrivateKeyEntry, Certificate fingerprint
                                            (SHA1): 9C:B0: ...



                                            cn=...,o=...., Sep 2, 2014, trustedCertEntry, Certificate fingerprint
                                            (SHA1): 83:63: ...




                                            (optional) Test your certificates and private key from your new key store against your SSL server:
                                            ( You may want to enable debugging as an VM option: -Djavax.net.debug=all )



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            SSLSocketFactory factory = sclx.getSocketFactory();
                                            SSLSocket socket = (SSLSocket) factory.createSocket( "192.168.1.111", 443 );
                                            socket.startHandshake();

                                            //if no exceptions are thrown in the startHandshake method, then everything is fine..


                                            Finally register your certificates with HttpsURLConnection if plan to use it:



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            HostnameVerifier hv = new HostnameVerifier()
                                            {
                                            public boolean verify(String urlHostName, SSLSession session)
                                            {
                                            if (!urlHostName.equalsIgnoreCase(session.getPeerHost()))
                                            {
                                            System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
                                            }
                                            return true;
                                            }
                                            };

                                            HttpsURLConnection.setDefaultSSLSocketFactory( sclx.getSocketFactory() );
                                            HttpsURLConnection.setDefaultHostnameVerifier(hv);





                                            share|improve this answer


























                                            • However, Bruno mentioned that this hostname verifier is wrong: "Your hostname verifier is wrong, session.getPeerHost() doesn't return the name in the certificate, but the name you connected with (i.e. the urlHostName here), so that's always going to be true. You're always returning true anyway. – Bruno". It worked for me though, but I would appreciate if somebody shows me how to write a good host name verifier.

                                              – Interkot
                                              Sep 4 '14 at 16:22








                                            • 1





                                              Of course it will "work" for you, since it will never produce an error, even when it should. Leave the default hostname verifier used by HttpsURLConnection instead of trying to writing your own. (Another problem with your example is that you're using the same keystore as a keystore and a truststore, which isn't always a good idea...)

                                              – Bruno
                                              Sep 4 '14 at 16:31


















                                            6














                                            In my case I had a pem file which contained two certificates and an encrypted private key to be used in mutual SSL authentication.
                                            So my pem file looked like this:



                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----
                                            -----BEGIN RSA PRIVATE KEY-----
                                            Proc-Type: 4,ENCRYPTED
                                            DEK-Info: DES-EDE3-CBC,C8BF220FC76AA5F9
                                            ...
                                            -----END RSA PRIVATE KEY-----
                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----


                                            Here is what I did:



                                            Split the file into three separate files, so that each one contains just one entry,
                                            starting with "---BEGIN.." and ending with "---END.." lines. Lets assume we now have three files: cert1.pem cert2.pem and pkey.pem



                                            Convert pkey.pem into DER format using openssl and the following syntax:



                                            openssl pkcs8 -topk8 -nocrypt -in pkey.pem -inform PEM -out pkey.der -outform DER



                                            Note, that if the private key is encrypted you need to supply a password( obtain it from the supplier of the original pem file )
                                            to convert to DER format,
                                            openssl will ask you for the password like this: "enter a pass phraze for pkey.pem: "
                                            If conversion is successful, you will get a new file called "pkey.der"



                                            Create a new java key store and import the private key and the certificates:



                                            String keypass = "password";  // this is a new password, you need to come up with to protect your java key store file
                                            String defaultalias = "importkey";
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");

                                            // this section does not make much sense to me,
                                            // but I will leave it intact as this is how it was in the original example I found on internet:
                                            ks.load( null, keypass.toCharArray());
                                            ks.store( new FileOutputStream ( "mykeystore" ), keypass.toCharArray());
                                            ks.load( new FileInputStream ( "mykeystore" ), keypass.toCharArray());
                                            // end of section..


                                            // read the key file from disk and create a PrivateKey

                                            FileInputStream fis = new FileInputStream("pkey.der");
                                            DataInputStream dis = new DataInputStream(fis);
                                            byte bytes = new byte[dis.available()];
                                            dis.readFully(bytes);
                                            ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

                                            byte key = new byte[bais.available()];
                                            KeyFactory kf = KeyFactory.getInstance("RSA");
                                            bais.read(key, 0, bais.available());
                                            bais.close();

                                            PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
                                            PrivateKey ff = kf.generatePrivate (keysp);


                                            // read the certificates from the files and load them into the key store:

                                            Collection col_crt1 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert1.pem"));
                                            Collection col_crt2 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert2.pem"));

                                            Certificate crt1 = (Certificate) col_crt1.iterator().next();
                                            Certificate crt2 = (Certificate) col_crt2.iterator().next();
                                            Certificate chain = new Certificate { crt1, crt2 };

                                            String alias1 = ((X509Certificate) crt1).getSubjectX500Principal().getName();
                                            String alias2 = ((X509Certificate) crt2).getSubjectX500Principal().getName();

                                            ks.setCertificateEntry(alias1, crt1);
                                            ks.setCertificateEntry(alias2, crt2);

                                            // store the private key
                                            ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), chain );

                                            // save the key store to a file
                                            ks.store(new FileOutputStream ( "mykeystore" ),keypass.toCharArray());


                                            (optional) Verify the content of your new key store:



                                            keytool -list -keystore mykeystore -storepass password




                                            Keystore type: JKS Keystore provider: SUN



                                            Your keystore contains 3 entries



                                            cn=...,ou=...,o=.., Sep 2, 2014, trustedCertEntry, Certificate
                                            fingerprint (SHA1): 2C:B8: ...



                                            importkey, Sep 2, 2014, PrivateKeyEntry, Certificate fingerprint
                                            (SHA1): 9C:B0: ...



                                            cn=...,o=...., Sep 2, 2014, trustedCertEntry, Certificate fingerprint
                                            (SHA1): 83:63: ...




                                            (optional) Test your certificates and private key from your new key store against your SSL server:
                                            ( You may want to enable debugging as an VM option: -Djavax.net.debug=all )



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            SSLSocketFactory factory = sclx.getSocketFactory();
                                            SSLSocket socket = (SSLSocket) factory.createSocket( "192.168.1.111", 443 );
                                            socket.startHandshake();

                                            //if no exceptions are thrown in the startHandshake method, then everything is fine..


                                            Finally register your certificates with HttpsURLConnection if plan to use it:



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            HostnameVerifier hv = new HostnameVerifier()
                                            {
                                            public boolean verify(String urlHostName, SSLSession session)
                                            {
                                            if (!urlHostName.equalsIgnoreCase(session.getPeerHost()))
                                            {
                                            System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
                                            }
                                            return true;
                                            }
                                            };

                                            HttpsURLConnection.setDefaultSSLSocketFactory( sclx.getSocketFactory() );
                                            HttpsURLConnection.setDefaultHostnameVerifier(hv);





                                            share|improve this answer


























                                            • However, Bruno mentioned that this hostname verifier is wrong: "Your hostname verifier is wrong, session.getPeerHost() doesn't return the name in the certificate, but the name you connected with (i.e. the urlHostName here), so that's always going to be true. You're always returning true anyway. – Bruno". It worked for me though, but I would appreciate if somebody shows me how to write a good host name verifier.

                                              – Interkot
                                              Sep 4 '14 at 16:22








                                            • 1





                                              Of course it will "work" for you, since it will never produce an error, even when it should. Leave the default hostname verifier used by HttpsURLConnection instead of trying to writing your own. (Another problem with your example is that you're using the same keystore as a keystore and a truststore, which isn't always a good idea...)

                                              – Bruno
                                              Sep 4 '14 at 16:31
















                                            6












                                            6








                                            6







                                            In my case I had a pem file which contained two certificates and an encrypted private key to be used in mutual SSL authentication.
                                            So my pem file looked like this:



                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----
                                            -----BEGIN RSA PRIVATE KEY-----
                                            Proc-Type: 4,ENCRYPTED
                                            DEK-Info: DES-EDE3-CBC,C8BF220FC76AA5F9
                                            ...
                                            -----END RSA PRIVATE KEY-----
                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----


                                            Here is what I did:



                                            Split the file into three separate files, so that each one contains just one entry,
                                            starting with "---BEGIN.." and ending with "---END.." lines. Lets assume we now have three files: cert1.pem cert2.pem and pkey.pem



                                            Convert pkey.pem into DER format using openssl and the following syntax:



                                            openssl pkcs8 -topk8 -nocrypt -in pkey.pem -inform PEM -out pkey.der -outform DER



                                            Note, that if the private key is encrypted you need to supply a password( obtain it from the supplier of the original pem file )
                                            to convert to DER format,
                                            openssl will ask you for the password like this: "enter a pass phraze for pkey.pem: "
                                            If conversion is successful, you will get a new file called "pkey.der"



                                            Create a new java key store and import the private key and the certificates:



                                            String keypass = "password";  // this is a new password, you need to come up with to protect your java key store file
                                            String defaultalias = "importkey";
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");

                                            // this section does not make much sense to me,
                                            // but I will leave it intact as this is how it was in the original example I found on internet:
                                            ks.load( null, keypass.toCharArray());
                                            ks.store( new FileOutputStream ( "mykeystore" ), keypass.toCharArray());
                                            ks.load( new FileInputStream ( "mykeystore" ), keypass.toCharArray());
                                            // end of section..


                                            // read the key file from disk and create a PrivateKey

                                            FileInputStream fis = new FileInputStream("pkey.der");
                                            DataInputStream dis = new DataInputStream(fis);
                                            byte bytes = new byte[dis.available()];
                                            dis.readFully(bytes);
                                            ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

                                            byte key = new byte[bais.available()];
                                            KeyFactory kf = KeyFactory.getInstance("RSA");
                                            bais.read(key, 0, bais.available());
                                            bais.close();

                                            PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
                                            PrivateKey ff = kf.generatePrivate (keysp);


                                            // read the certificates from the files and load them into the key store:

                                            Collection col_crt1 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert1.pem"));
                                            Collection col_crt2 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert2.pem"));

                                            Certificate crt1 = (Certificate) col_crt1.iterator().next();
                                            Certificate crt2 = (Certificate) col_crt2.iterator().next();
                                            Certificate chain = new Certificate { crt1, crt2 };

                                            String alias1 = ((X509Certificate) crt1).getSubjectX500Principal().getName();
                                            String alias2 = ((X509Certificate) crt2).getSubjectX500Principal().getName();

                                            ks.setCertificateEntry(alias1, crt1);
                                            ks.setCertificateEntry(alias2, crt2);

                                            // store the private key
                                            ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), chain );

                                            // save the key store to a file
                                            ks.store(new FileOutputStream ( "mykeystore" ),keypass.toCharArray());


                                            (optional) Verify the content of your new key store:



                                            keytool -list -keystore mykeystore -storepass password




                                            Keystore type: JKS Keystore provider: SUN



                                            Your keystore contains 3 entries



                                            cn=...,ou=...,o=.., Sep 2, 2014, trustedCertEntry, Certificate
                                            fingerprint (SHA1): 2C:B8: ...



                                            importkey, Sep 2, 2014, PrivateKeyEntry, Certificate fingerprint
                                            (SHA1): 9C:B0: ...



                                            cn=...,o=...., Sep 2, 2014, trustedCertEntry, Certificate fingerprint
                                            (SHA1): 83:63: ...




                                            (optional) Test your certificates and private key from your new key store against your SSL server:
                                            ( You may want to enable debugging as an VM option: -Djavax.net.debug=all )



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            SSLSocketFactory factory = sclx.getSocketFactory();
                                            SSLSocket socket = (SSLSocket) factory.createSocket( "192.168.1.111", 443 );
                                            socket.startHandshake();

                                            //if no exceptions are thrown in the startHandshake method, then everything is fine..


                                            Finally register your certificates with HttpsURLConnection if plan to use it:



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            HostnameVerifier hv = new HostnameVerifier()
                                            {
                                            public boolean verify(String urlHostName, SSLSession session)
                                            {
                                            if (!urlHostName.equalsIgnoreCase(session.getPeerHost()))
                                            {
                                            System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
                                            }
                                            return true;
                                            }
                                            };

                                            HttpsURLConnection.setDefaultSSLSocketFactory( sclx.getSocketFactory() );
                                            HttpsURLConnection.setDefaultHostnameVerifier(hv);





                                            share|improve this answer















                                            In my case I had a pem file which contained two certificates and an encrypted private key to be used in mutual SSL authentication.
                                            So my pem file looked like this:



                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----
                                            -----BEGIN RSA PRIVATE KEY-----
                                            Proc-Type: 4,ENCRYPTED
                                            DEK-Info: DES-EDE3-CBC,C8BF220FC76AA5F9
                                            ...
                                            -----END RSA PRIVATE KEY-----
                                            -----BEGIN CERTIFICATE-----
                                            ...
                                            -----END CERTIFICATE-----


                                            Here is what I did:



                                            Split the file into three separate files, so that each one contains just one entry,
                                            starting with "---BEGIN.." and ending with "---END.." lines. Lets assume we now have three files: cert1.pem cert2.pem and pkey.pem



                                            Convert pkey.pem into DER format using openssl and the following syntax:



                                            openssl pkcs8 -topk8 -nocrypt -in pkey.pem -inform PEM -out pkey.der -outform DER



                                            Note, that if the private key is encrypted you need to supply a password( obtain it from the supplier of the original pem file )
                                            to convert to DER format,
                                            openssl will ask you for the password like this: "enter a pass phraze for pkey.pem: "
                                            If conversion is successful, you will get a new file called "pkey.der"



                                            Create a new java key store and import the private key and the certificates:



                                            String keypass = "password";  // this is a new password, you need to come up with to protect your java key store file
                                            String defaultalias = "importkey";
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");

                                            // this section does not make much sense to me,
                                            // but I will leave it intact as this is how it was in the original example I found on internet:
                                            ks.load( null, keypass.toCharArray());
                                            ks.store( new FileOutputStream ( "mykeystore" ), keypass.toCharArray());
                                            ks.load( new FileInputStream ( "mykeystore" ), keypass.toCharArray());
                                            // end of section..


                                            // read the key file from disk and create a PrivateKey

                                            FileInputStream fis = new FileInputStream("pkey.der");
                                            DataInputStream dis = new DataInputStream(fis);
                                            byte bytes = new byte[dis.available()];
                                            dis.readFully(bytes);
                                            ByteArrayInputStream bais = new ByteArrayInputStream(bytes);

                                            byte key = new byte[bais.available()];
                                            KeyFactory kf = KeyFactory.getInstance("RSA");
                                            bais.read(key, 0, bais.available());
                                            bais.close();

                                            PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
                                            PrivateKey ff = kf.generatePrivate (keysp);


                                            // read the certificates from the files and load them into the key store:

                                            Collection col_crt1 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert1.pem"));
                                            Collection col_crt2 = CertificateFactory.getInstance("X509").generateCertificates(new FileInputStream("cert2.pem"));

                                            Certificate crt1 = (Certificate) col_crt1.iterator().next();
                                            Certificate crt2 = (Certificate) col_crt2.iterator().next();
                                            Certificate chain = new Certificate { crt1, crt2 };

                                            String alias1 = ((X509Certificate) crt1).getSubjectX500Principal().getName();
                                            String alias2 = ((X509Certificate) crt2).getSubjectX500Principal().getName();

                                            ks.setCertificateEntry(alias1, crt1);
                                            ks.setCertificateEntry(alias2, crt2);

                                            // store the private key
                                            ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), chain );

                                            // save the key store to a file
                                            ks.store(new FileOutputStream ( "mykeystore" ),keypass.toCharArray());


                                            (optional) Verify the content of your new key store:



                                            keytool -list -keystore mykeystore -storepass password




                                            Keystore type: JKS Keystore provider: SUN



                                            Your keystore contains 3 entries



                                            cn=...,ou=...,o=.., Sep 2, 2014, trustedCertEntry, Certificate
                                            fingerprint (SHA1): 2C:B8: ...



                                            importkey, Sep 2, 2014, PrivateKeyEntry, Certificate fingerprint
                                            (SHA1): 9C:B0: ...



                                            cn=...,o=...., Sep 2, 2014, trustedCertEntry, Certificate fingerprint
                                            (SHA1): 83:63: ...




                                            (optional) Test your certificates and private key from your new key store against your SSL server:
                                            ( You may want to enable debugging as an VM option: -Djavax.net.debug=all )



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            SSLSocketFactory factory = sclx.getSocketFactory();
                                            SSLSocket socket = (SSLSocket) factory.createSocket( "192.168.1.111", 443 );
                                            socket.startHandshake();

                                            //if no exceptions are thrown in the startHandshake method, then everything is fine..


                                            Finally register your certificates with HttpsURLConnection if plan to use it:



                                                    char passw = "password".toCharArray();
                                            KeyStore ks = KeyStore.getInstance("JKS", "SUN");
                                            ks.load(new FileInputStream ( "mykeystore" ), passw );

                                            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                                            kmf.init(ks, passw);

                                            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                                            tmf.init(ks);
                                            TrustManager tm = tmf.getTrustManagers();

                                            SSLContext sclx = SSLContext.getInstance("TLS");
                                            sclx.init( kmf.getKeyManagers(), tm, null);

                                            HostnameVerifier hv = new HostnameVerifier()
                                            {
                                            public boolean verify(String urlHostName, SSLSession session)
                                            {
                                            if (!urlHostName.equalsIgnoreCase(session.getPeerHost()))
                                            {
                                            System.out.println("Warning: URL host '" + urlHostName + "' is different to SSLSession host '" + session.getPeerHost() + "'.");
                                            }
                                            return true;
                                            }
                                            };

                                            HttpsURLConnection.setDefaultSSLSocketFactory( sclx.getSocketFactory() );
                                            HttpsURLConnection.setDefaultHostnameVerifier(hv);






                                            share|improve this answer














                                            share|improve this answer



                                            share|improve this answer








                                            edited May 18 '16 at 13:17









                                            bekce

                                            2,0091624




                                            2,0091624










                                            answered Sep 4 '14 at 16:18









                                            InterkotInterkot

                                            29757




                                            29757













                                            • However, Bruno mentioned that this hostname verifier is wrong: "Your hostname verifier is wrong, session.getPeerHost() doesn't return the name in the certificate, but the name you connected with (i.e. the urlHostName here), so that's always going to be true. You're always returning true anyway. – Bruno". It worked for me though, but I would appreciate if somebody shows me how to write a good host name verifier.

                                              – Interkot
                                              Sep 4 '14 at 16:22








                                            • 1





                                              Of course it will "work" for you, since it will never produce an error, even when it should. Leave the default hostname verifier used by HttpsURLConnection instead of trying to writing your own. (Another problem with your example is that you're using the same keystore as a keystore and a truststore, which isn't always a good idea...)

                                              – Bruno
                                              Sep 4 '14 at 16:31





















                                            • However, Bruno mentioned that this hostname verifier is wrong: "Your hostname verifier is wrong, session.getPeerHost() doesn't return the name in the certificate, but the name you connected with (i.e. the urlHostName here), so that's always going to be true. You're always returning true anyway. – Bruno". It worked for me though, but I would appreciate if somebody shows me how to write a good host name verifier.

                                              – Interkot
                                              Sep 4 '14 at 16:22








                                            • 1





                                              Of course it will "work" for you, since it will never produce an error, even when it should. Leave the default hostname verifier used by HttpsURLConnection instead of trying to writing your own. (Another problem with your example is that you're using the same keystore as a keystore and a truststore, which isn't always a good idea...)

                                              – Bruno
                                              Sep 4 '14 at 16:31



















                                            However, Bruno mentioned that this hostname verifier is wrong: "Your hostname verifier is wrong, session.getPeerHost() doesn't return the name in the certificate, but the name you connected with (i.e. the urlHostName here), so that's always going to be true. You're always returning true anyway. – Bruno". It worked for me though, but I would appreciate if somebody shows me how to write a good host name verifier.

                                            – Interkot
                                            Sep 4 '14 at 16:22







                                            However, Bruno mentioned that this hostname verifier is wrong: "Your hostname verifier is wrong, session.getPeerHost() doesn't return the name in the certificate, but the name you connected with (i.e. the urlHostName here), so that's always going to be true. You're always returning true anyway. – Bruno". It worked for me though, but I would appreciate if somebody shows me how to write a good host name verifier.

                                            – Interkot
                                            Sep 4 '14 at 16:22






                                            1




                                            1





                                            Of course it will "work" for you, since it will never produce an error, even when it should. Leave the default hostname verifier used by HttpsURLConnection instead of trying to writing your own. (Another problem with your example is that you're using the same keystore as a keystore and a truststore, which isn't always a good idea...)

                                            – Bruno
                                            Sep 4 '14 at 16:31







                                            Of course it will "work" for you, since it will never produce an error, even when it should. Leave the default hostname verifier used by HttpsURLConnection instead of trying to writing your own. (Another problem with your example is that you're using the same keystore as a keystore and a truststore, which isn't always a good idea...)

                                            – Bruno
                                            Sep 4 '14 at 16:31













                                            5














                                            Based on the answers above, here is how to create a brand new keystore for your java based web server, out of an independently created Comodo cert and private key using keytool (requires JDK 1.6+)




                                            1. Issue this command and at the password prompt enter somepass - 'server.crt' is your server's cert and 'server.key' is the private key you used for issuing the CSR:
                                              openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name www.yourdomain.com -CAfile AddTrustExternalCARoot.crt -caname "AddTrust External CA Root"


                                            2. Then use keytool to convert the p12 keystore into a jks keystore:
                                              keytool -importkeystore -deststorepass somepass -destkeypass somepass -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass somepass



                                            Then import the other two root/intermediate certs you received from Comodo:




                                            1. Import COMODORSAAddTrustCA.crt:
                                              keytool -import -trustcacerts -alias cert1 -file COMODORSAAddTrustCA.crt -keystore keystore.jks


                                            2. Import COMODORSADomainValidationSecureServerCA.crt:
                                              keytool -import -trustcacerts -alias cert2 -file COMODORSADomainValidationSecureServerCA.crt -keystore keystore.jks







                                            share|improve this answer






























                                              5














                                              Based on the answers above, here is how to create a brand new keystore for your java based web server, out of an independently created Comodo cert and private key using keytool (requires JDK 1.6+)




                                              1. Issue this command and at the password prompt enter somepass - 'server.crt' is your server's cert and 'server.key' is the private key you used for issuing the CSR:
                                                openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name www.yourdomain.com -CAfile AddTrustExternalCARoot.crt -caname "AddTrust External CA Root"


                                              2. Then use keytool to convert the p12 keystore into a jks keystore:
                                                keytool -importkeystore -deststorepass somepass -destkeypass somepass -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass somepass



                                              Then import the other two root/intermediate certs you received from Comodo:




                                              1. Import COMODORSAAddTrustCA.crt:
                                                keytool -import -trustcacerts -alias cert1 -file COMODORSAAddTrustCA.crt -keystore keystore.jks


                                              2. Import COMODORSADomainValidationSecureServerCA.crt:
                                                keytool -import -trustcacerts -alias cert2 -file COMODORSADomainValidationSecureServerCA.crt -keystore keystore.jks







                                              share|improve this answer




























                                                5












                                                5








                                                5







                                                Based on the answers above, here is how to create a brand new keystore for your java based web server, out of an independently created Comodo cert and private key using keytool (requires JDK 1.6+)




                                                1. Issue this command and at the password prompt enter somepass - 'server.crt' is your server's cert and 'server.key' is the private key you used for issuing the CSR:
                                                  openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name www.yourdomain.com -CAfile AddTrustExternalCARoot.crt -caname "AddTrust External CA Root"


                                                2. Then use keytool to convert the p12 keystore into a jks keystore:
                                                  keytool -importkeystore -deststorepass somepass -destkeypass somepass -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass somepass



                                                Then import the other two root/intermediate certs you received from Comodo:




                                                1. Import COMODORSAAddTrustCA.crt:
                                                  keytool -import -trustcacerts -alias cert1 -file COMODORSAAddTrustCA.crt -keystore keystore.jks


                                                2. Import COMODORSADomainValidationSecureServerCA.crt:
                                                  keytool -import -trustcacerts -alias cert2 -file COMODORSADomainValidationSecureServerCA.crt -keystore keystore.jks







                                                share|improve this answer















                                                Based on the answers above, here is how to create a brand new keystore for your java based web server, out of an independently created Comodo cert and private key using keytool (requires JDK 1.6+)




                                                1. Issue this command and at the password prompt enter somepass - 'server.crt' is your server's cert and 'server.key' is the private key you used for issuing the CSR:
                                                  openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name www.yourdomain.com -CAfile AddTrustExternalCARoot.crt -caname "AddTrust External CA Root"


                                                2. Then use keytool to convert the p12 keystore into a jks keystore:
                                                  keytool -importkeystore -deststorepass somepass -destkeypass somepass -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass somepass



                                                Then import the other two root/intermediate certs you received from Comodo:




                                                1. Import COMODORSAAddTrustCA.crt:
                                                  keytool -import -trustcacerts -alias cert1 -file COMODORSAAddTrustCA.crt -keystore keystore.jks


                                                2. Import COMODORSADomainValidationSecureServerCA.crt:
                                                  keytool -import -trustcacerts -alias cert2 -file COMODORSADomainValidationSecureServerCA.crt -keystore keystore.jks








                                                share|improve this answer














                                                share|improve this answer



                                                share|improve this answer








                                                edited Dec 21 '17 at 17:32

























                                                answered Dec 13 '16 at 23:48









                                                Alex FotiosAlex Fotios

                                                954912




                                                954912























                                                    4














                                                    Here are the steps I followed to import the key to an existing keystore - combined instructions from answers here and other places to get these steps that worked for my java keystore:




                                                    1. Run


                                                    openssl pkcs12 -export -in yourserver.crt -inkey yourkey.key -out server.p12 -name somename -certfile yourca.crt -caname root



                                                    (If required put the -chain option. Putting that failed for me).
                                                    This will ask for the password - you must give the correct password else you will get an error
                                                    (heading error or padding error etc).




                                                    1. It will ask you to enter a new password - you must enter a password here - enter anything but remember it. (Let us assume you enter Aragorn).

                                                    2. This will create the server.p12 file in the pkcs format.

                                                    3. Now to import it into the *.jks file run:


                                                    keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12
                                                    -destkeystore yourexistingjavakeystore.jks -deststoretype JKS -deststorepass existingjavastorepassword -destkeypass existingjavastorepassword



                                                    (Very important - do not leave out the deststorepass and the destkeypass parameters.)

                                                    5. It will ask you for the src key store password. Enter Aragorn and hit enter.
                                                    The certificate and key is now imported into your existing java keystore.






                                                    share|improve this answer






























                                                      4














                                                      Here are the steps I followed to import the key to an existing keystore - combined instructions from answers here and other places to get these steps that worked for my java keystore:




                                                      1. Run


                                                      openssl pkcs12 -export -in yourserver.crt -inkey yourkey.key -out server.p12 -name somename -certfile yourca.crt -caname root



                                                      (If required put the -chain option. Putting that failed for me).
                                                      This will ask for the password - you must give the correct password else you will get an error
                                                      (heading error or padding error etc).




                                                      1. It will ask you to enter a new password - you must enter a password here - enter anything but remember it. (Let us assume you enter Aragorn).

                                                      2. This will create the server.p12 file in the pkcs format.

                                                      3. Now to import it into the *.jks file run:


                                                      keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12
                                                      -destkeystore yourexistingjavakeystore.jks -deststoretype JKS -deststorepass existingjavastorepassword -destkeypass existingjavastorepassword



                                                      (Very important - do not leave out the deststorepass and the destkeypass parameters.)

                                                      5. It will ask you for the src key store password. Enter Aragorn and hit enter.
                                                      The certificate and key is now imported into your existing java keystore.






                                                      share|improve this answer




























                                                        4












                                                        4








                                                        4







                                                        Here are the steps I followed to import the key to an existing keystore - combined instructions from answers here and other places to get these steps that worked for my java keystore:




                                                        1. Run


                                                        openssl pkcs12 -export -in yourserver.crt -inkey yourkey.key -out server.p12 -name somename -certfile yourca.crt -caname root



                                                        (If required put the -chain option. Putting that failed for me).
                                                        This will ask for the password - you must give the correct password else you will get an error
                                                        (heading error or padding error etc).




                                                        1. It will ask you to enter a new password - you must enter a password here - enter anything but remember it. (Let us assume you enter Aragorn).

                                                        2. This will create the server.p12 file in the pkcs format.

                                                        3. Now to import it into the *.jks file run:


                                                        keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12
                                                        -destkeystore yourexistingjavakeystore.jks -deststoretype JKS -deststorepass existingjavastorepassword -destkeypass existingjavastorepassword



                                                        (Very important - do not leave out the deststorepass and the destkeypass parameters.)

                                                        5. It will ask you for the src key store password. Enter Aragorn and hit enter.
                                                        The certificate and key is now imported into your existing java keystore.






                                                        share|improve this answer















                                                        Here are the steps I followed to import the key to an existing keystore - combined instructions from answers here and other places to get these steps that worked for my java keystore:




                                                        1. Run


                                                        openssl pkcs12 -export -in yourserver.crt -inkey yourkey.key -out server.p12 -name somename -certfile yourca.crt -caname root



                                                        (If required put the -chain option. Putting that failed for me).
                                                        This will ask for the password - you must give the correct password else you will get an error
                                                        (heading error or padding error etc).




                                                        1. It will ask you to enter a new password - you must enter a password here - enter anything but remember it. (Let us assume you enter Aragorn).

                                                        2. This will create the server.p12 file in the pkcs format.

                                                        3. Now to import it into the *.jks file run:


                                                        keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12
                                                        -destkeystore yourexistingjavakeystore.jks -deststoretype JKS -deststorepass existingjavastorepassword -destkeypass existingjavastorepassword



                                                        (Very important - do not leave out the deststorepass and the destkeypass parameters.)

                                                        5. It will ask you for the src key store password. Enter Aragorn and hit enter.
                                                        The certificate and key is now imported into your existing java keystore.







                                                        share|improve this answer














                                                        share|improve this answer



                                                        share|improve this answer








                                                        edited Jul 13 '17 at 14:27









                                                        Esha

                                                        1,1381030




                                                        1,1381030










                                                        answered Jul 14 '16 at 13:47









                                                        vanvalvanval

                                                        677614




                                                        677614























                                                            3














                                                            Previous answers point out correctly that you can only do this with the standard JDK tools by converting the JKS file into PKCS #12 format first. If you're interested, I put together a compact utility to import OpenSSL-derived keys into a JKS-formatted keystore without having to convert the keystore to PKCS #12 first: http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art049



                                                            You would use the linked utility like this:



                                                            $ openssl req -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/CN=localhost"


                                                            (sign the CSR, get back localhost.cer)



                                                            $ openssl rsa -in localhost.key -out localhost.rsa
                                                            Enter pass phrase for localhost.key:
                                                            writing RSA key
                                                            $ java -classpath . KeyImport -keyFile localhost.rsa -alias localhost -certificateFile localhost.cer -keystore localhost.jks -keystorePassword changeit -keystoreType JKS -keyPassword changeit





                                                            share|improve this answer


























                                                            • Just linking to your own library (or utility) is not a good answer. Linking to it, explaining why it solves the problem, providing code using it to do so and disclaiming makes for a better answer. See: How can I link to an external resource in a community-friendly way?

                                                              – Mogsdad
                                                              Mar 2 '16 at 19:40











                                                            • Not sure what you mean by "disclaim", but I added an example.

                                                              – Joshua Davies
                                                              Mar 3 '16 at 18:48











                                                            • Great! That's a canned comment, so part didn't apply - disclaim means to report your affiliation with the linked product or service, which you did with "I put together..."

                                                              – Mogsdad
                                                              Mar 3 '16 at 20:17
















                                                            3














                                                            Previous answers point out correctly that you can only do this with the standard JDK tools by converting the JKS file into PKCS #12 format first. If you're interested, I put together a compact utility to import OpenSSL-derived keys into a JKS-formatted keystore without having to convert the keystore to PKCS #12 first: http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art049



                                                            You would use the linked utility like this:



                                                            $ openssl req -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/CN=localhost"


                                                            (sign the CSR, get back localhost.cer)



                                                            $ openssl rsa -in localhost.key -out localhost.rsa
                                                            Enter pass phrase for localhost.key:
                                                            writing RSA key
                                                            $ java -classpath . KeyImport -keyFile localhost.rsa -alias localhost -certificateFile localhost.cer -keystore localhost.jks -keystorePassword changeit -keystoreType JKS -keyPassword changeit





                                                            share|improve this answer


























                                                            • Just linking to your own library (or utility) is not a good answer. Linking to it, explaining why it solves the problem, providing code using it to do so and disclaiming makes for a better answer. See: How can I link to an external resource in a community-friendly way?

                                                              – Mogsdad
                                                              Mar 2 '16 at 19:40











                                                            • Not sure what you mean by "disclaim", but I added an example.

                                                              – Joshua Davies
                                                              Mar 3 '16 at 18:48











                                                            • Great! That's a canned comment, so part didn't apply - disclaim means to report your affiliation with the linked product or service, which you did with "I put together..."

                                                              – Mogsdad
                                                              Mar 3 '16 at 20:17














                                                            3












                                                            3








                                                            3







                                                            Previous answers point out correctly that you can only do this with the standard JDK tools by converting the JKS file into PKCS #12 format first. If you're interested, I put together a compact utility to import OpenSSL-derived keys into a JKS-formatted keystore without having to convert the keystore to PKCS #12 first: http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art049



                                                            You would use the linked utility like this:



                                                            $ openssl req -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/CN=localhost"


                                                            (sign the CSR, get back localhost.cer)



                                                            $ openssl rsa -in localhost.key -out localhost.rsa
                                                            Enter pass phrase for localhost.key:
                                                            writing RSA key
                                                            $ java -classpath . KeyImport -keyFile localhost.rsa -alias localhost -certificateFile localhost.cer -keystore localhost.jks -keystorePassword changeit -keystoreType JKS -keyPassword changeit





                                                            share|improve this answer















                                                            Previous answers point out correctly that you can only do this with the standard JDK tools by converting the JKS file into PKCS #12 format first. If you're interested, I put together a compact utility to import OpenSSL-derived keys into a JKS-formatted keystore without having to convert the keystore to PKCS #12 first: http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art049



                                                            You would use the linked utility like this:



                                                            $ openssl req -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/CN=localhost"


                                                            (sign the CSR, get back localhost.cer)



                                                            $ openssl rsa -in localhost.key -out localhost.rsa
                                                            Enter pass phrase for localhost.key:
                                                            writing RSA key
                                                            $ java -classpath . KeyImport -keyFile localhost.rsa -alias localhost -certificateFile localhost.cer -keystore localhost.jks -keystorePassword changeit -keystoreType JKS -keyPassword changeit






                                                            share|improve this answer














                                                            share|improve this answer



                                                            share|improve this answer








                                                            edited Mar 3 '16 at 18:47

























                                                            answered Mar 2 '16 at 19:23









                                                            Joshua DaviesJoshua Davies

                                                            629511




                                                            629511













                                                            • Just linking to your own library (or utility) is not a good answer. Linking to it, explaining why it solves the problem, providing code using it to do so and disclaiming makes for a better answer. See: How can I link to an external resource in a community-friendly way?

                                                              – Mogsdad
                                                              Mar 2 '16 at 19:40











                                                            • Not sure what you mean by "disclaim", but I added an example.

                                                              – Joshua Davies
                                                              Mar 3 '16 at 18:48











                                                            • Great! That's a canned comment, so part didn't apply - disclaim means to report your affiliation with the linked product or service, which you did with "I put together..."

                                                              – Mogsdad
                                                              Mar 3 '16 at 20:17



















                                                            • Just linking to your own library (or utility) is not a good answer. Linking to it, explaining why it solves the problem, providing code using it to do so and disclaiming makes for a better answer. See: How can I link to an external resource in a community-friendly way?

                                                              – Mogsdad
                                                              Mar 2 '16 at 19:40











                                                            • Not sure what you mean by "disclaim", but I added an example.

                                                              – Joshua Davies
                                                              Mar 3 '16 at 18:48











                                                            • Great! That's a canned comment, so part didn't apply - disclaim means to report your affiliation with the linked product or service, which you did with "I put together..."

                                                              – Mogsdad
                                                              Mar 3 '16 at 20:17

















                                                            Just linking to your own library (or utility) is not a good answer. Linking to it, explaining why it solves the problem, providing code using it to do so and disclaiming makes for a better answer. See: How can I link to an external resource in a community-friendly way?

                                                            – Mogsdad
                                                            Mar 2 '16 at 19:40





                                                            Just linking to your own library (or utility) is not a good answer. Linking to it, explaining why it solves the problem, providing code using it to do so and disclaiming makes for a better answer. See: How can I link to an external resource in a community-friendly way?

                                                            – Mogsdad
                                                            Mar 2 '16 at 19:40













                                                            Not sure what you mean by "disclaim", but I added an example.

                                                            – Joshua Davies
                                                            Mar 3 '16 at 18:48





                                                            Not sure what you mean by "disclaim", but I added an example.

                                                            – Joshua Davies
                                                            Mar 3 '16 at 18:48













                                                            Great! That's a canned comment, so part didn't apply - disclaim means to report your affiliation with the linked product or service, which you did with "I put together..."

                                                            – Mogsdad
                                                            Mar 3 '16 at 20:17





                                                            Great! That's a canned comment, so part didn't apply - disclaim means to report your affiliation with the linked product or service, which you did with "I put together..."

                                                            – Mogsdad
                                                            Mar 3 '16 at 20:17











                                                            2














                                                            If you have a PEM file (e.g. server.pem) containing:




                                                            • the trusted certificate

                                                            • the private key


                                                            then you can import the certificate and key into a JKS keystore like this:



                                                            1) Copy the private key from the PEM file into an ascii file (e.g. server.key)



                                                            2) Copy the cert from the PEM file into an ascii file (e.g. server.crt)



                                                            3) Export the cert and key into a PKCS12 file:



                                                            $ openssl pkcs12 -export -in server.crt -inkey server.key 
                                                            -out server.p12 -name [some-alias] -CAfile server.pem -caname root




                                                            • the PEM file can be used as the argument to the -CAfile option.

                                                            • you are prompted for an 'export' password.

                                                            • if doing this in git bash then add winpty to the start of the command so the export password can be entered.


                                                            4) Convert the PKCS12 file to a JKS keystore:



                                                            $ keytool -importkeystore -deststorepass changeit -destkeypass changeit 
                                                            -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12
                                                            -srcstorepass changeit



                                                            • the srcstorepass password should match the export password from step 3)






                                                            share|improve this answer




























                                                              2














                                                              If you have a PEM file (e.g. server.pem) containing:




                                                              • the trusted certificate

                                                              • the private key


                                                              then you can import the certificate and key into a JKS keystore like this:



                                                              1) Copy the private key from the PEM file into an ascii file (e.g. server.key)



                                                              2) Copy the cert from the PEM file into an ascii file (e.g. server.crt)



                                                              3) Export the cert and key into a PKCS12 file:



                                                              $ openssl pkcs12 -export -in server.crt -inkey server.key 
                                                              -out server.p12 -name [some-alias] -CAfile server.pem -caname root




                                                              • the PEM file can be used as the argument to the -CAfile option.

                                                              • you are prompted for an 'export' password.

                                                              • if doing this in git bash then add winpty to the start of the command so the export password can be entered.


                                                              4) Convert the PKCS12 file to a JKS keystore:



                                                              $ keytool -importkeystore -deststorepass changeit -destkeypass changeit 
                                                              -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12
                                                              -srcstorepass changeit



                                                              • the srcstorepass password should match the export password from step 3)






                                                              share|improve this answer


























                                                                2












                                                                2








                                                                2







                                                                If you have a PEM file (e.g. server.pem) containing:




                                                                • the trusted certificate

                                                                • the private key


                                                                then you can import the certificate and key into a JKS keystore like this:



                                                                1) Copy the private key from the PEM file into an ascii file (e.g. server.key)



                                                                2) Copy the cert from the PEM file into an ascii file (e.g. server.crt)



                                                                3) Export the cert and key into a PKCS12 file:



                                                                $ openssl pkcs12 -export -in server.crt -inkey server.key 
                                                                -out server.p12 -name [some-alias] -CAfile server.pem -caname root




                                                                • the PEM file can be used as the argument to the -CAfile option.

                                                                • you are prompted for an 'export' password.

                                                                • if doing this in git bash then add winpty to the start of the command so the export password can be entered.


                                                                4) Convert the PKCS12 file to a JKS keystore:



                                                                $ keytool -importkeystore -deststorepass changeit -destkeypass changeit 
                                                                -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12
                                                                -srcstorepass changeit



                                                                • the srcstorepass password should match the export password from step 3)






                                                                share|improve this answer













                                                                If you have a PEM file (e.g. server.pem) containing:




                                                                • the trusted certificate

                                                                • the private key


                                                                then you can import the certificate and key into a JKS keystore like this:



                                                                1) Copy the private key from the PEM file into an ascii file (e.g. server.key)



                                                                2) Copy the cert from the PEM file into an ascii file (e.g. server.crt)



                                                                3) Export the cert and key into a PKCS12 file:



                                                                $ openssl pkcs12 -export -in server.crt -inkey server.key 
                                                                -out server.p12 -name [some-alias] -CAfile server.pem -caname root




                                                                • the PEM file can be used as the argument to the -CAfile option.

                                                                • you are prompted for an 'export' password.

                                                                • if doing this in git bash then add winpty to the start of the command so the export password can be entered.


                                                                4) Convert the PKCS12 file to a JKS keystore:



                                                                $ keytool -importkeystore -deststorepass changeit -destkeypass changeit 
                                                                -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12
                                                                -srcstorepass changeit



                                                                • the srcstorepass password should match the export password from step 3)







                                                                share|improve this answer












                                                                share|improve this answer



                                                                share|improve this answer










                                                                answered Jan 16 at 0:00









                                                                Joman68Joman68

                                                                9115




                                                                9115























                                                                    1














                                                                    What I was trying to achieve was using already provided private key and certificate to sign message that was going someplace that needed to make sure that the message was coming from me (private keys sign while public keys encrypt).



                                                                    So if you already have a .key file and a .crt file?



                                                                    Try this:



                                                                    Step1: Convert the key and cert to .p12 file



                                                                    openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -name alias -out yourconvertedfile.p12


                                                                    Step 2: Import the key and create a .jsk file with a single command



                                                                    keytool -importkeystore -deststorepass changeit -destkeystore keystore.jks -srckeystore umeme.p12 -srcstoretype PKCS12


                                                                    Step 3: In your java:



                                                                    char keyPassword = "changeit".toCharArray();

                                                                    KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                    InputStream keyStoreData = new FileInputStream("keystore.jks");

                                                                    keyStore.load(keyStoreData, keyPassword);
                                                                    KeyStore.ProtectionParameter entryPassword = new KeyStore.PasswordProtection(keyPassword);
                                                                    KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry("alias", entryPassword);

                                                                    System.out.println(privateKeyEntry.toString());


                                                                    If you need to sign some string using this key do the following:



                                                                    Step 1: Convert the text you want to encrypt



                                                                    byte data = "test".getBytes("UTF8");


                                                                    Step 2: Get base64 encoded private key



                                                                    keyStore.load(keyStoreData, keyPassword);

                                                                    //get cert, pubkey and private key from the store by alias
                                                                    Certificate cert = keyStore.getCertificate("localhost");
                                                                    PublicKey publicKey = cert.getPublicKey();
                                                                    KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                    //sign with this alg
                                                                    Signature sig = Signature.getInstance("SHA1WithRSA");
                                                                    sig.initSign(keyPair.getPrivate());
                                                                    sig.update(data);
                                                                    byte signatureBytes = sig.sign();
                                                                    System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                    sig.initVerify(keyPair.getPublic());
                                                                    sig.update(data);

                                                                    System.out.println(sig.verify(signatureBytes));


                                                                    References:




                                                                    1. How to import an existing x509 certificate and private key in Java keystore to use in SSL?

                                                                    2. http://tutorials.jenkov.com/java-cryptography/keystore.html

                                                                    3. http://www.java2s.com/Code/Java/Security/RetrievingaKeyPairfromaKeyStore.htm

                                                                    4. How to sign string with private key


                                                                    Final program



                                                                    public static void main(String args) throws Exception {

                                                                    byte data = "test".getBytes("UTF8");

                                                                    // load keystore
                                                                    char keyPassword = "changeit".toCharArray();

                                                                    KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                    //System.getProperty("user.dir") + "" < for a file in particular path
                                                                    InputStream keyStoreData = new FileInputStream("keystore.jks");
                                                                    keyStore.load(keyStoreData, keyPassword);

                                                                    Key key = keyStore.getKey("localhost", keyPassword);

                                                                    Certificate cert = keyStore.getCertificate("localhost");

                                                                    PublicKey publicKey = cert.getPublicKey();

                                                                    KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                    Signature sig = Signature.getInstance("SHA1WithRSA");

                                                                    sig.initSign(keyPair.getPrivate());
                                                                    sig.update(data);
                                                                    byte signatureBytes = sig.sign();
                                                                    System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                    sig.initVerify(keyPair.getPublic());
                                                                    sig.update(data);

                                                                    System.out.println(sig.verify(signatureBytes));
                                                                    }





                                                                    share|improve this answer




























                                                                      1














                                                                      What I was trying to achieve was using already provided private key and certificate to sign message that was going someplace that needed to make sure that the message was coming from me (private keys sign while public keys encrypt).



                                                                      So if you already have a .key file and a .crt file?



                                                                      Try this:



                                                                      Step1: Convert the key and cert to .p12 file



                                                                      openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -name alias -out yourconvertedfile.p12


                                                                      Step 2: Import the key and create a .jsk file with a single command



                                                                      keytool -importkeystore -deststorepass changeit -destkeystore keystore.jks -srckeystore umeme.p12 -srcstoretype PKCS12


                                                                      Step 3: In your java:



                                                                      char keyPassword = "changeit".toCharArray();

                                                                      KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                      InputStream keyStoreData = new FileInputStream("keystore.jks");

                                                                      keyStore.load(keyStoreData, keyPassword);
                                                                      KeyStore.ProtectionParameter entryPassword = new KeyStore.PasswordProtection(keyPassword);
                                                                      KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry("alias", entryPassword);

                                                                      System.out.println(privateKeyEntry.toString());


                                                                      If you need to sign some string using this key do the following:



                                                                      Step 1: Convert the text you want to encrypt



                                                                      byte data = "test".getBytes("UTF8");


                                                                      Step 2: Get base64 encoded private key



                                                                      keyStore.load(keyStoreData, keyPassword);

                                                                      //get cert, pubkey and private key from the store by alias
                                                                      Certificate cert = keyStore.getCertificate("localhost");
                                                                      PublicKey publicKey = cert.getPublicKey();
                                                                      KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                      //sign with this alg
                                                                      Signature sig = Signature.getInstance("SHA1WithRSA");
                                                                      sig.initSign(keyPair.getPrivate());
                                                                      sig.update(data);
                                                                      byte signatureBytes = sig.sign();
                                                                      System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                      sig.initVerify(keyPair.getPublic());
                                                                      sig.update(data);

                                                                      System.out.println(sig.verify(signatureBytes));


                                                                      References:




                                                                      1. How to import an existing x509 certificate and private key in Java keystore to use in SSL?

                                                                      2. http://tutorials.jenkov.com/java-cryptography/keystore.html

                                                                      3. http://www.java2s.com/Code/Java/Security/RetrievingaKeyPairfromaKeyStore.htm

                                                                      4. How to sign string with private key


                                                                      Final program



                                                                      public static void main(String args) throws Exception {

                                                                      byte data = "test".getBytes("UTF8");

                                                                      // load keystore
                                                                      char keyPassword = "changeit".toCharArray();

                                                                      KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                      //System.getProperty("user.dir") + "" < for a file in particular path
                                                                      InputStream keyStoreData = new FileInputStream("keystore.jks");
                                                                      keyStore.load(keyStoreData, keyPassword);

                                                                      Key key = keyStore.getKey("localhost", keyPassword);

                                                                      Certificate cert = keyStore.getCertificate("localhost");

                                                                      PublicKey publicKey = cert.getPublicKey();

                                                                      KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                      Signature sig = Signature.getInstance("SHA1WithRSA");

                                                                      sig.initSign(keyPair.getPrivate());
                                                                      sig.update(data);
                                                                      byte signatureBytes = sig.sign();
                                                                      System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                      sig.initVerify(keyPair.getPublic());
                                                                      sig.update(data);

                                                                      System.out.println(sig.verify(signatureBytes));
                                                                      }





                                                                      share|improve this answer


























                                                                        1












                                                                        1








                                                                        1







                                                                        What I was trying to achieve was using already provided private key and certificate to sign message that was going someplace that needed to make sure that the message was coming from me (private keys sign while public keys encrypt).



                                                                        So if you already have a .key file and a .crt file?



                                                                        Try this:



                                                                        Step1: Convert the key and cert to .p12 file



                                                                        openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -name alias -out yourconvertedfile.p12


                                                                        Step 2: Import the key and create a .jsk file with a single command



                                                                        keytool -importkeystore -deststorepass changeit -destkeystore keystore.jks -srckeystore umeme.p12 -srcstoretype PKCS12


                                                                        Step 3: In your java:



                                                                        char keyPassword = "changeit".toCharArray();

                                                                        KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                        InputStream keyStoreData = new FileInputStream("keystore.jks");

                                                                        keyStore.load(keyStoreData, keyPassword);
                                                                        KeyStore.ProtectionParameter entryPassword = new KeyStore.PasswordProtection(keyPassword);
                                                                        KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry("alias", entryPassword);

                                                                        System.out.println(privateKeyEntry.toString());


                                                                        If you need to sign some string using this key do the following:



                                                                        Step 1: Convert the text you want to encrypt



                                                                        byte data = "test".getBytes("UTF8");


                                                                        Step 2: Get base64 encoded private key



                                                                        keyStore.load(keyStoreData, keyPassword);

                                                                        //get cert, pubkey and private key from the store by alias
                                                                        Certificate cert = keyStore.getCertificate("localhost");
                                                                        PublicKey publicKey = cert.getPublicKey();
                                                                        KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                        //sign with this alg
                                                                        Signature sig = Signature.getInstance("SHA1WithRSA");
                                                                        sig.initSign(keyPair.getPrivate());
                                                                        sig.update(data);
                                                                        byte signatureBytes = sig.sign();
                                                                        System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                        sig.initVerify(keyPair.getPublic());
                                                                        sig.update(data);

                                                                        System.out.println(sig.verify(signatureBytes));


                                                                        References:




                                                                        1. How to import an existing x509 certificate and private key in Java keystore to use in SSL?

                                                                        2. http://tutorials.jenkov.com/java-cryptography/keystore.html

                                                                        3. http://www.java2s.com/Code/Java/Security/RetrievingaKeyPairfromaKeyStore.htm

                                                                        4. How to sign string with private key


                                                                        Final program



                                                                        public static void main(String args) throws Exception {

                                                                        byte data = "test".getBytes("UTF8");

                                                                        // load keystore
                                                                        char keyPassword = "changeit".toCharArray();

                                                                        KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                        //System.getProperty("user.dir") + "" < for a file in particular path
                                                                        InputStream keyStoreData = new FileInputStream("keystore.jks");
                                                                        keyStore.load(keyStoreData, keyPassword);

                                                                        Key key = keyStore.getKey("localhost", keyPassword);

                                                                        Certificate cert = keyStore.getCertificate("localhost");

                                                                        PublicKey publicKey = cert.getPublicKey();

                                                                        KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                        Signature sig = Signature.getInstance("SHA1WithRSA");

                                                                        sig.initSign(keyPair.getPrivate());
                                                                        sig.update(data);
                                                                        byte signatureBytes = sig.sign();
                                                                        System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                        sig.initVerify(keyPair.getPublic());
                                                                        sig.update(data);

                                                                        System.out.println(sig.verify(signatureBytes));
                                                                        }





                                                                        share|improve this answer













                                                                        What I was trying to achieve was using already provided private key and certificate to sign message that was going someplace that needed to make sure that the message was coming from me (private keys sign while public keys encrypt).



                                                                        So if you already have a .key file and a .crt file?



                                                                        Try this:



                                                                        Step1: Convert the key and cert to .p12 file



                                                                        openssl pkcs12 -export -in certificate.crt -inkey privateKey.key -name alias -out yourconvertedfile.p12


                                                                        Step 2: Import the key and create a .jsk file with a single command



                                                                        keytool -importkeystore -deststorepass changeit -destkeystore keystore.jks -srckeystore umeme.p12 -srcstoretype PKCS12


                                                                        Step 3: In your java:



                                                                        char keyPassword = "changeit".toCharArray();

                                                                        KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                        InputStream keyStoreData = new FileInputStream("keystore.jks");

                                                                        keyStore.load(keyStoreData, keyPassword);
                                                                        KeyStore.ProtectionParameter entryPassword = new KeyStore.PasswordProtection(keyPassword);
                                                                        KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)keyStore.getEntry("alias", entryPassword);

                                                                        System.out.println(privateKeyEntry.toString());


                                                                        If you need to sign some string using this key do the following:



                                                                        Step 1: Convert the text you want to encrypt



                                                                        byte data = "test".getBytes("UTF8");


                                                                        Step 2: Get base64 encoded private key



                                                                        keyStore.load(keyStoreData, keyPassword);

                                                                        //get cert, pubkey and private key from the store by alias
                                                                        Certificate cert = keyStore.getCertificate("localhost");
                                                                        PublicKey publicKey = cert.getPublicKey();
                                                                        KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                        //sign with this alg
                                                                        Signature sig = Signature.getInstance("SHA1WithRSA");
                                                                        sig.initSign(keyPair.getPrivate());
                                                                        sig.update(data);
                                                                        byte signatureBytes = sig.sign();
                                                                        System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                        sig.initVerify(keyPair.getPublic());
                                                                        sig.update(data);

                                                                        System.out.println(sig.verify(signatureBytes));


                                                                        References:




                                                                        1. How to import an existing x509 certificate and private key in Java keystore to use in SSL?

                                                                        2. http://tutorials.jenkov.com/java-cryptography/keystore.html

                                                                        3. http://www.java2s.com/Code/Java/Security/RetrievingaKeyPairfromaKeyStore.htm

                                                                        4. How to sign string with private key


                                                                        Final program



                                                                        public static void main(String args) throws Exception {

                                                                        byte data = "test".getBytes("UTF8");

                                                                        // load keystore
                                                                        char keyPassword = "changeit".toCharArray();

                                                                        KeyStore keyStore = KeyStore.getInstance("JKS");
                                                                        //System.getProperty("user.dir") + "" < for a file in particular path
                                                                        InputStream keyStoreData = new FileInputStream("keystore.jks");
                                                                        keyStore.load(keyStoreData, keyPassword);

                                                                        Key key = keyStore.getKey("localhost", keyPassword);

                                                                        Certificate cert = keyStore.getCertificate("localhost");

                                                                        PublicKey publicKey = cert.getPublicKey();

                                                                        KeyPair keyPair = new KeyPair(publicKey, (PrivateKey) key);

                                                                        Signature sig = Signature.getInstance("SHA1WithRSA");

                                                                        sig.initSign(keyPair.getPrivate());
                                                                        sig.update(data);
                                                                        byte signatureBytes = sig.sign();
                                                                        System.out.println("Signature:" + Base64.getEncoder().encodeToString(signatureBytes));

                                                                        sig.initVerify(keyPair.getPublic());
                                                                        sig.update(data);

                                                                        System.out.println(sig.verify(signatureBytes));
                                                                        }






                                                                        share|improve this answer












                                                                        share|improve this answer



                                                                        share|improve this answer










                                                                        answered Mar 18 at 11:30









                                                                        Mwa JoeMwa Joe

                                                                        6115




                                                                        6115























                                                                            0














                                                                            Just make a PKCS12 keystore, Java can use it directly now. In fact, if you list a Java-style keystore, keytool itself alerts you to the fact that PKCS12 is now the preferred format.



                                                                            openssl pkcs12 -export -in server.crt -inkey server.key 
                                                                            -out server.p12 -name [some-alias]
                                                                            -CAfile ca.crt -caname root -chain


                                                                            You should have received all three files (server.crt, server.key, ca.crt) from your certificate provider. I am not sure what "-caname root" actually means, but it seems to have to be specified that way.



                                                                            In the Java code, make sure to specify the right keystore type.



                                                                            KeyStore.getInstance("PKCS12")


                                                                            I got my comodo.com-issued SSL certificate working fine in NanoHTTPD this way.






                                                                            share|improve this answer




























                                                                              0














                                                                              Just make a PKCS12 keystore, Java can use it directly now. In fact, if you list a Java-style keystore, keytool itself alerts you to the fact that PKCS12 is now the preferred format.



                                                                              openssl pkcs12 -export -in server.crt -inkey server.key 
                                                                              -out server.p12 -name [some-alias]
                                                                              -CAfile ca.crt -caname root -chain


                                                                              You should have received all three files (server.crt, server.key, ca.crt) from your certificate provider. I am not sure what "-caname root" actually means, but it seems to have to be specified that way.



                                                                              In the Java code, make sure to specify the right keystore type.



                                                                              KeyStore.getInstance("PKCS12")


                                                                              I got my comodo.com-issued SSL certificate working fine in NanoHTTPD this way.






                                                                              share|improve this answer


























                                                                                0












                                                                                0








                                                                                0







                                                                                Just make a PKCS12 keystore, Java can use it directly now. In fact, if you list a Java-style keystore, keytool itself alerts you to the fact that PKCS12 is now the preferred format.



                                                                                openssl pkcs12 -export -in server.crt -inkey server.key 
                                                                                -out server.p12 -name [some-alias]
                                                                                -CAfile ca.crt -caname root -chain


                                                                                You should have received all three files (server.crt, server.key, ca.crt) from your certificate provider. I am not sure what "-caname root" actually means, but it seems to have to be specified that way.



                                                                                In the Java code, make sure to specify the right keystore type.



                                                                                KeyStore.getInstance("PKCS12")


                                                                                I got my comodo.com-issued SSL certificate working fine in NanoHTTPD this way.






                                                                                share|improve this answer













                                                                                Just make a PKCS12 keystore, Java can use it directly now. In fact, if you list a Java-style keystore, keytool itself alerts you to the fact that PKCS12 is now the preferred format.



                                                                                openssl pkcs12 -export -in server.crt -inkey server.key 
                                                                                -out server.p12 -name [some-alias]
                                                                                -CAfile ca.crt -caname root -chain


                                                                                You should have received all three files (server.crt, server.key, ca.crt) from your certificate provider. I am not sure what "-caname root" actually means, but it seems to have to be specified that way.



                                                                                In the Java code, make sure to specify the right keystore type.



                                                                                KeyStore.getInstance("PKCS12")


                                                                                I got my comodo.com-issued SSL certificate working fine in NanoHTTPD this way.







                                                                                share|improve this answer












                                                                                share|improve this answer



                                                                                share|improve this answer










                                                                                answered Dec 31 '18 at 16:45









                                                                                Stefan ReichStefan Reich

                                                                                496411




                                                                                496411























                                                                                    0














                                                                                    in a case of Elliptic Curve and answer the question import an existing x509 certificate and private key in Java keystore, you may want to have a look also to this thread How to read EC Private key in java which is in .pem file format






                                                                                    share|improve this answer




























                                                                                      0














                                                                                      in a case of Elliptic Curve and answer the question import an existing x509 certificate and private key in Java keystore, you may want to have a look also to this thread How to read EC Private key in java which is in .pem file format






                                                                                      share|improve this answer


























                                                                                        0












                                                                                        0








                                                                                        0







                                                                                        in a case of Elliptic Curve and answer the question import an existing x509 certificate and private key in Java keystore, you may want to have a look also to this thread How to read EC Private key in java which is in .pem file format






                                                                                        share|improve this answer













                                                                                        in a case of Elliptic Curve and answer the question import an existing x509 certificate and private key in Java keystore, you may want to have a look also to this thread How to read EC Private key in java which is in .pem file format







                                                                                        share|improve this answer












                                                                                        share|improve this answer



                                                                                        share|improve this answer










                                                                                        answered Mar 20 at 21:49









                                                                                        dilbertsidedilbertside

                                                                                        17914




                                                                                        17914

















                                                                                            protected by Robert Harvey Jul 13 '14 at 18:40



                                                                                            Thank you for your interest in this question.
                                                                                            Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).



                                                                                            Would you like to answer one of these unanswered questions instead?



                                                                                            Popular posts from this blog

                                                                                            mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

                                                                                            How to change which sound is reproduced for terminal bell?

                                                                                            Can I use Tabulator js library in my java Spring + Thymeleaf project?