Importing the private-key/public-certificate pair in the Java KeyStore

JavaSslX509certificateKeytool

Java Problem Overview

I used the following steps to create a new Java keystore with a pair of private/public key to be used by a Java (internal) server with TLS. Please notice that the certificate is selfsigned:

  1. Generate key with AES256

    openssl genrsa -aes256 -out server.key 1024

  2. Generate cert request for CA

    openssl req -x509 -sha256 -new -key server.key -out server.csr

  3. Generate self signed expiry-time 10 years

    openssl x509 -sha256 -days 3652 -in server.csr -signkey server.key -out selfsigned.crt

  4. Use a program like KeyStoreExplorer to import the pair (private key and selfsigned certificate) in a new JKS

This works but I'd like to implement the last step without using a GUI.

I know how to import the self signed certificate only:

// create the keystore and import the public key. THIS WILL NOT IMPORT THE PRIVATE KEY SO THE KEYSTORE CAN'T BE USED ON THE SERVER TO MAKE THE TLS CONNECTION
/usr/java/jdk1.6.0_45/bin/keytool -import -alias myservercert -file server.crt -keystore mykeystore.jks

So the question is: how can I create a Java KeyStore and import both the certificate with the public key and the private key without using a GUI?

Java Solutions

Solution 1 - Java

With your private key and public certificate, you need to create a PKCS12 keystore first, then convert it into a JKS.

# Create PKCS12 keystore from private key and public certificate.
openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12

# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -alias myservercert

To verify the contents of the JKS, you can use this command:

keytool -list -v -keystore mykeystore.jks

If this was not a self-signed certificate, you would probably want to follow this step with importing the certificate chain leading up to the trusted CA cert.

Solution 2 - Java

A keystore needs a keystore file. The KeyStore class needs a FileInputStream. But if you supply null (instead of FileInputStream instance) an empty keystore will be loaded. Once you create a keystore, you can verify its integrity using keytool.

Following code creates an empty keystore with empty password

> KeyStore ks2 = KeyStore.getInstance("jks"); > ks2.load(null,"".toCharArray()); > FileOutputStream out = new FileOutputStream("C:\mykeytore.keystore"); > ks2.store(out, "".toCharArray());

Once you have the keystore, importing certificate is very easy. Checkout this link for the sample code.

Categories
Recommended Java Solutions
Recommended Ssl Solutions
Recommended X509certificate Solutions
Recommended Keytool Solutions

Previous Solution:

Gradle location is incorrect error while importing ActionBarsherlock in Android Studio

AndroidActionbarsherlockAndroid Studio

Next Solution:

Generate migration - create join table

Ruby on-RailsRuby on-Rails-3Ruby on-Rails-4MigrationJointable

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionkingstonView Question on Stackoverflow
Solution 1 - JavagtrigView Answer on Stackoverflow
Solution 2 - JavaSantoshView Answer on Stackoverflow