Posted over 5 years ago. Visible to the public. Repeats.

Import private key and certificate into java keystore

From time to time you have to update your SSL keys and certificates. In some cases you may have a mixed infrastructure e.g. "normal" http servers and tomcat or other java based servers. In the latter case you'll have to import your shiny new certificate and key into your java keystore.

There are several methods that you can use but I found the following the most simple:

  1. Export your key, certificate and ca-certificate into a PKCS12 bundle via

    Copy
    % openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
  2. Be sure to set an export password! (see further below for an explanation)
  3. If you get the following error message "Error unable to get issuer certificate getting chain." then you should concatenate the openssl ca-certs with your own ca-cert into one file and use that as parameter for -CAfile. Example:

    Copy
    % cat /etc/ssl/cert.pem my-ca-file.crt > ca-certs.pem % openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile ca-certs.pem -name "my-domain.com" -out my.p12
  4. Import the PKCS12 file into a new java keystore via

    Copy
    % keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore my-keystore.jks -srckeystore my.p12 -srcstoretype PKCS12

Attention!

If you don't set an export password in the first step the import via keytool will most likely bail out with an NullPointerException.

Owner of this card:

Avatar
jan0sch
Last edit:
almost 4 years ago
by jan0sch
Posted by jan0sch to jan0sch's deck
This website uses cookies to improve usability and analyze traffic.
Accept or learn more