Create java keystore from private key and CA certificate bundle

I am new to configuring Jetty Server for SSL. I followed the steps from DigiCert and created a private key file and a Certificate Request (CSR) file.

I sent the Certificate Request to the CA and got my signed CSR back. But the CA sent me a bundle with two certificates: one is my certificate signed by the CA and the second is the CA certificate (1. star_xyx_abc_com crt file, 2. DigiCertCA crt file). Now I am having trouble creating a keystore from these files.

When I used keytool to create the keystore by following Oracle docs steps 4, 5 and 6, I got the error

keytool error: java.lang.Exception: Certificate not imported, alias already exists. 

When I used openssl to create a PKCS12 file I got the error

Loading 'screen' into random state - done 
Error unable to get issuer certificate getting chain.

How can I generate a KeyStore from the private key file, my certificate signed by the CA and the CA certificate?

madhu_karnati asked Jun 17 '15 19:06


2 Answers

Here are the steps I followed to install the certificate.

1. Created a PKCS12 file with three files (private key file, my cert, CA cert) using the OpenSSL tool.

openssl pkcs12 -export -out j2vproject.pkcs12 -inkey my_privatekeyfile.key -in star_xyz_abc.crt -certfile DigiCertCA.crt

2. Created a Java keystore from the PKCS12 file using the keytool tool.

keytool -v -importkeystore -srckeystore j2vproject.pkcs12 -srcstoretype PKCS12 -destkeystore j2vprojectkeystore.jks -deststoretype JKS

3. Added this keystore to the server and it worked.

madhu_karnati answered Oct 04 '22 22:10


Asides: you have a certificate signed by the CA, but a cert is not a signed CSR. Some data in the cert is the same as some data in the CSR, but not the whole thing. Plus I wonder why you followed the digicert instructions for Apache/OpenSSL instead of those for Tomcat/Java, which would be much simpler because Jetty also is Java.

Anyway: the instructions on that Oracle page only work if you generated the private key and CSR with Java keytool as described in steps 1, 2, 3. Moreover, steps 4 and 5+6 are alternatives; although the text is not as clear as it could be, you do one or the other, not both -- and only after doing 1, 2, 3.

Given where you are now, your only option is converting the OpenSSL files to pkcs12, and probably then using keytool to convert pkcs12 to JKS. (Java crypto itself can use a pkcs12 directly, but not all Java crypto apps can invoke this option, and I don't know if Jetty can.)

You say you tried this and give no details about what you did, but I'll guess that most likely the "Digicert CA" file you have is an intermediate CA not a root, and to get a complete chain you need to add the root. (A complete chain isn't actually required for the pkcs12 format, and thus the openssl pkcs12 subcommand, but is highly desirable for SSL/TLS such as Jetty and thus you should do it.)

First check what your (immediate) CA is and what DigicertCA.crt is with

openssl x509 -in $yourcert.crt -noout -issuer
openssl x509 -in DigicertCA.crt -noout -subject -issuer

If the issuer of your cert matches the subject of DigicertCA, and they (both) include something like "intermediate CA" or "SSL CA", and the issuer of DigicertCA has a "CN" which is any of DigiCert Assured ID Root CA, DigiCert Global Root CA or DigiCert High Assurance EV Root CA, then you're in luck, as long as you (or anyone else) haven't deleted the DigiCert root(s) from the default cacerts in your Java (JRE) installation. Use keytool -exportcert to copy that DigiCert root from the matching entry in JRE/lib/security/cacerts into a file. Concatenate your private key, your cert, the intermediate "DigicertCA" cert, and the appropriate root cert into one file, and feed that to openssl pkcs12 -export [-name whatever] and direct the output to a file, giving a nonempty password.

(Other cases: If DigicertCA.crt actually is a root and matches the issuer of your cert, that would be very weird. If it's a root and doesn't match the issuer of your cert, you are missing the intermediate CA cert (or possibly even more than one); you should be able to get it (them) from Digicert. If it (DigicertCA.crt) matches the issuer of your cert and is not a root but its issuer isn't one of the roots named above, you'll need more certs for your chain but without more data I can't advise which.)

With a pkcs12 file, do

keytool -importkeystore -srckeystore p12file -srcstoretype pkcs12 -destkeystore newjksfile

dave_thompson_085 answered Oct 04 '22 21:10
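The issuer/subject check from the second answer and the full-chain PKCS#12 export from the first, as an added shell example that is not code from either answer. It builds its own throwaway root -> intermediate -> server chain with openssl, so every subject, file name and the password are constructed for the demo; the keytool step is only printed, since it is unchanged from the answers.

```shell
#!/bin/sh
# Added example, not from the question or answers: build a demo chain, classify the
# "DigiCertCA"-style file as the second answer describes, and show why a verified
# (-chain) export fails without the root while bundling the full chain works.
set -eu
WORK=$(mktemp -d); cd "$WORK"
PASS=pass:changeit          # constructed; keytool will later require a non-empty password

make_chain() {
  # private config so 'req' runs without a system openssl.cnf; ca_ext marks CA certs
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=x\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
  for n in root int leaf; do   # one RSA key + CSR per tier (leaf plays star_xyz_abc)
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile demo.cnf \
    -extensions ca_ext -out root.crt 2>/dev/null                        # self-signed root
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile demo.cnf -extensions ca_ext -out int.crt 2>/dev/null       # intermediate CA
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
    -out leaf.crt 2>/dev/null                                           # server certificate
}
# Issuer/subject check from the second answer: prints intermediate, root or
# not-issuer for CA file $2 relative to server certificate $1.
dn() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
classify_ca_file() {
  if   [ "$(dn "$1" issuer)" != "$(dn "$2" subject)" ]; then echo not-issuer
  elif [ "$(dn "$2" subject)" = "$(dn "$2" issuer)" ]; then echo root
  else echo intermediate; fi
}
# -chain asks openssl to build and verify the chain against the trust store; the
# demo root is not in it, so this fails like the question's export did.
export_with_chain_no_root() {
  openssl pkcs12 -export -chain -inkey leaf.key -in leaf.crt -certfile int.crt \
    -passout "$PASS" -out bad.p12 2>/dev/null
}
# The first answer's command with the root appended to -certfile: nothing is
# verified, the whole chain is simply bundled so Jetty can send it.
export_full_bundle() {
  cat int.crt root.crt > chain.pem
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain.pem \
    -name jetty -passout "$PASS" -out good.p12 2>/dev/null
}
# Number of certificates inside a PKCS#12 file (expect 3 here: server + 2 CAs).
count_p12_certs() { openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

make_chain; export_with_chain_no_root || echo "export with -chain but no root failed, as in the question"
export_full_bundle; echo "CA file is: $(classify_ca_file leaf.crt int.crt); certs in good.p12: $(count_p12_certs good.p12)"
echo "next: keytool -importkeystore -srckeystore $WORK/good.p12 -srcstoretype PKCS12 -destkeystore keystore.jks"
```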