Import of PEM certificate chain and key to Java Keystore
There are plenty of resources out there about this topic, but none that I found covers this slightly special case.
I have 4 files:
- privatekey.pem
- certificate.pem
- intermediate_rapidssl.pem
- ca_geotrust_global.pem
And I wish to import them into a fresh keystore.
Some sites suggest using DER format and importing them one by one, but this failed because the key is not recognized.
Another site suggested a special "ImportKey" class to run for the import, and this worked until I saw that the chain is broken, i.e. the chain length on the certificate is 1, ignoring the intermediate and CA.
Some sites suggest PKCS7, but I can't even get a chain from that. Others suggest PKCS12 format, but as far as my tests go that failed as well for getting the whole chain.
Any advice or hints are very welcome.
This may not be perfect, but I had some notes on my use of keytool that I've modified for your scenario.
- Import a root or intermediate CA certificate to an existing Java keystore:
keytool -import -trustcacerts -alias root -file ca_geotrust_global.pem -keystore yourkeystore.jks
keytool -import -trustcacerts -alias intermediate -file intermediate_rapidssl.pem -keystore yourkeystore.jks
- Combine the certificate and private key into one file before importing.
cat certificate.pem privatekey.pem > combined.pem
This should result in a file resembling the below format.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
- Import a signed primary certificate & key to an existing Java keystore:
keytool -import -trustcacerts -alias yourdomain -file combined.pem -keystore yourkeystore.jks
Concatenate all *.pem files into one PEM file, like all.pem.
Then create a keystore in p12 format with the private key + all.pem:
openssl pkcs12 -export -inkey private.key -in all.pem -name test -out test.p12
Then export the p12 into JKS:
keytool -importkeystore -srckeystore test.p12 -srcstoretype pkcs12 -destkeystore test.jks
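A way to confirm that the PKCS12 file from the last answer really carries the whole chain, which is the symptom the question describes (chain length 1). This is an added example, not part of the original answers; it assumes `openssl` is on the PATH and uses a throwaway chain, file names and the password `changeit` that are all constructed for the demo.

```shell
#!/bin/sh
# Added example: every file name, subject and the password "changeit" is
# constructed for this demo and generated in a temporary directory.

# Create a throwaway root -> intermediate -> leaf chain in directory $1.
make_demo_chain() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.pem 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout private.key -out leaf.csr 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 2 -out certificate.pem 2>/dev/null
)

# build_p12 DIR OUT CERT...: concatenate the CERT files (leaf first, then each
# issuer up to the root) and export them with private.key into DIR/OUT.
build_p12() (
    cd "$1" || exit 1
    out=$2; shift 2
    cat "$@" > all.pem
    openssl pkcs12 -export -inkey private.key -in all.pem -name test \
        -passout pass:changeit -out "$out"
)

# Print how many certificates the PKCS#12 file $1 carries.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Succeed only if the leaf verifies up to the root through the intermediate.
chain_verifies() (
    cd "$1" || exit 1
    openssl verify -CAfile root.pem -untrusted inter.pem certificate.pem >/dev/null 2>&1
)

demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_demo_chain "$demo_dir" && chain_verifies "$demo_dir" &&
    build_p12 "$demo_dir" test.p12 certificate.pem inter.pem root.pem &&
    build_p12 "$demo_dir" leaf_only.p12 certificate.pem &&
    echo "full chain: $(p12_cert_count "$demo_dir/test.p12") certs," \
         "leaf only: $(p12_cert_count "$demo_dir/leaf_only.p12") cert"
```

After the `keytool -importkeystore` step, `keytool -list -v -keystore test.jks` prints a `Certificate chain length:` line for the key entry, which should match the count found in the PKCS12 file.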