I am new to configure Jetty Server for SSL. I followed steps from digcert I created private key file, Certificate Request CSR file. I sent Certificate Request to CA and got my signed CSR back. But CA sent me a bundle with two certificates, one is my certificate signed by CA and second is CA Certificate.(1. star_xyx_abc_com crt file, 2.DigiCertCA crt file). Now I am facing trouble to create a keystore from these files. When I used keytool to create keystore by following Oracle docs steps 4,5 and 6, I got an error <pre class="prettyprint lang-none prettyprint-override"><code>keytool error: java.lang.Exception: Certificate not imported, alias already exists. </code></pre> when I used openssl to create pkcs12 I got <pre class="prettyprint lang-none prettyprint-override"><code>Loading 'screen' into random state - done Error unable to get issuer certificate getting chain. </code></pre> error. How can I generate KeyStore from private key file, my certificate signed by CA and CA Certificate ?

Here the steps I followed to install the certificate. 1.Created a PKCS12 with three files(private key file, my cert, CA cert) using OPENSSL tool. <pre class="prettyprint"><code>openssl pkcs12 -export -out j2vproject.pkcs12 -inkey my_privatekeyfile.key -in star_xyz_abc.crt -certfile DigiCertCA.crt </code></pre> 2.Created a java keystore from PKCS12 using Keytool tool. <pre class="prettyprint"><code>keytool -v -importkeystore -srckeystore j2vproject.pkcs12 -srcstoretype PKCS12 -destkeystore j2vprojectkeystore.jks -deststoretype JKS </code></pre> 3.added this keystore to server and it worked.

Asides: you have a certificate signed by the CA, but a cert is not a signed CSR. Some data in the cert is the same as some data in the CSR, but not the whole thing. Plus I wonder why you followed the digicert instructions for Apache/OpenSSL instead of those for Tomcat/Java, which would be much simpler because Jetty also is Java. Anyway: the instructions on that Oracle page only work if you generated the privatekey and CSR with Java keytool as described in steps 1,2,3. Moreover, steps 4 and 5+6 are alternatives; although the text is not as clear as it could be, you do one or the other, not both -- and only after doing 1,2,3. Given where you are now, your only option is converting the OpenSSL files to pkcs12, and probably then using keytool to convert pkcs12 to JKS. (Java crypto itself can use a pkcs12 directly, but not all Java crypto apps can invoke this option, and I don't know if Jetty can.) You say you tried this and give no details about what you did, but I'll guess that most likely the "Digicert CA" file you have is an intermediate CA not a root, and to get a complete chain you need to add the root. (A complete chain isn't actually required for the pkcs12 format, and thus the <code>openssl pkcs12</code> subcommand, but is highly desirable for SSL/TLS such as Jetty and thus you should do it.) First check what your (immediate) CA is and what <code>DigicertCA.crt</code> is with <pre class="prettyprint"><code> openssl x509 -in $yourcert.crt -noout -issuer openssl x509 -in DigicertCA.crt -noout -subject -issuer </code></pre> If issuer of your cert matches the subject of DigicertCA, and they (both) include something like "intermediate CA" or "SSL CA", and issuer of DigicertCA has "CN" which is any of <code>DigiCert Assured ID Root CA</code>, <code>DigiCert Global Root CA</code> or <code>DigiCert High Assurance EV Root CA</code> then you're in luck, as long as you (or anyone else) hasn't deleted the digicert root(s) from the default <code>cacerts</code> in your Java (JRE) installation. Use <code>keytool -exportcert</code> to copy that digicert root from the matching entry in <code>JRE/lib/security/cacerts</code> into a file. Concatenate your privatekey, your cert, the intermediate "DigicertCA" cert, and the appropriate root cert into one file, and feed that to <code>openssl pkcs12 -export [-name whatever]</code> and direct the output to a file, giving a nonempty password. (Other cases: If DigicertCA.crt actually is a root and matches the issuer of your cert, that would be very weird. If it's a root and doesn't match the issuer of your cert, you are missing the intermediate CA cert (or possibly even more than one); you should be able to get it (them) from Digicert. If it (DigicertCA.crt) matches the issuer of your cert and is not a root but its issuer isn't one of the roots named above, you'll need more certs for your chain but without more data I can't advise which.) With a pkcs12 file, do <pre class="prettyprint"><code>keytool -importkeystore -srckeystore p12file -srcstoretype pkcs12 -destkeystore newjksfile </code></pre>

Create java keystore from private key and CA certificate bundle

I am new to configure Jetty Server for SSL. I followed steps from digcert I created private key file, Certificate Request CSR file.

I sent Certificate Request to CA and got my signed CSR back. But CA sent me a bundle with two certificates, one is my certificate signed by CA and second is CA Certificate.(1. star_xyx_abc_com crt file, 2.DigiCertCA crt file). Now I am facing trouble to create a keystore from these files.

When I used keytool to create keystore by following Oracle docs steps 4,5 and 6, I got an error

keytool error: java.lang.Exception: Certificate not imported, alias already exists.

when I used openssl to create pkcs12 I got

Loading 'screen' into random state - done 
Error unable to get issuer certificate getting chain.

error.

How can I generate KeyStore from private key file, my certificate signed by CA and CA Certificate ?

Can you import a private key into keystore?

You can't directly import private key information to a keystore (. JKS) using keytool. Instead, you must convert the certificate and private key into a PKCS 12 (. p12) file, and then you can import the PKCS 12 file into your keystore.

Here the steps I followed to install the certificate.

1.Created a PKCS12 with three files(private key file, my cert, CA cert) using OPENSSL tool.

openssl pkcs12 -export -out j2vproject.pkcs12 -inkey my_privatekeyfile.key -in star_xyz_abc.crt -certfile DigiCertCA.crt

2.Created a java keystore from PKCS12 using Keytool tool.

keytool -v -importkeystore -srckeystore j2vproject.pkcs12 -srcstoretype PKCS12  -destkeystore j2vprojectkeystore.jks -deststoretype JKS

3.added this keystore to server and it worked.

Asides: you have a certificate signed by the CA, but a cert is not a signed CSR. Some data in the cert is the same as some data in the CSR, but not the whole thing. Plus I wonder why you followed the digicert instructions for Apache/OpenSSL instead of those for Tomcat/Java, which would be much simpler because Jetty also is Java.

Anyway: the instructions on that Oracle page only work if you generated the privatekey and CSR with Java keytool as described in steps 1,2,3. Moreover, steps 4 and 5+6 are alternatives; although the text is not as clear as it could be, you do one or the other, not both -- and only after doing 1,2,3.

Given where you are now, your only option is converting the OpenSSL files to pkcs12, and probably then using keytool to convert pkcs12 to JKS. (Java crypto itself can use a pkcs12 directly, but not all Java crypto apps can invoke this option, and I don't know if Jetty can.)

You say you tried this and give no details about what you did, but I'll guess that most likely the "Digicert CA" file you have is an intermediate CA not a root, and to get a complete chain you need to add the root. (A complete chain isn't actually required for the pkcs12 format, and thus the openssl pkcs12 subcommand, but is highly desirable for SSL/TLS such as Jetty and thus you should do it.)

First check what your (immediate) CA is and what DigicertCA.crt is with

 openssl x509 -in $yourcert.crt -noout -issuer 
 openssl x509 -in DigicertCA.crt -noout -subject -issuer

If issuer of your cert matches the subject of DigicertCA, and they (both) include something like "intermediate CA" or "SSL CA", and issuer of DigicertCA has "CN" which is any of DigiCert Assured ID Root CA, DigiCert Global Root CA or DigiCert High Assurance EV Root CA then you're in luck, as long as you (or anyone else) hasn't deleted the digicert root(s) from the default cacerts in your Java (JRE) installation. Use keytool -exportcert to copy that digicert root from the matching entry in JRE/lib/security/cacerts into a file. Concatenate your privatekey, your cert, the intermediate "DigicertCA" cert, and the appropriate root cert into one file, and feed that to openssl pkcs12 -export [-name whatever] and direct the output to a file, giving a nonempty password.

(Other cases: If DigicertCA.crt actually is a root and matches the issuer of your cert, that would be very weird. If it's a root and doesn't match the issuer of your cert, you are missing the intermediate CA cert (or possibly even more than one); you should be able to get it (them) from Digicert. If it (DigicertCA.crt) matches the issuer of your cert and is not a root but its issuer isn't one of the roots named above, you'll need more certs for your chain but without more data I can't advise which.)

With a pkcs12 file, do

keytool -importkeystore -srckeystore p12file -srcstoretype pkcs12 -destkeystore newjksfile

Create java keystore from private key and CA certificate bundle

Tags:

java

ssl-certificate

keystore

keytool

madhu_karnati

People also ask

2 Answers

madhu_karnati

dave_thompson_085

Recent Activity

Donate For Us

Create java keystore from private key and CA certificate bundle

Tags:

java

ssl-certificate

keystore

keytool

madhu_karnati

People also ask

2 Answers

madhu_karnati

dave_thompson_085

Related questions

Recent Activity

Donate For Us