Import certificate as PrivateKeyEntry

I am installing SSL on a Tomcat server and am following these instructions from the issuer https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO16181 and it states:

Verify the following information: The SSL certificate is imported into the alias with the "Entry Type" of PrivateKeyEntry or KeyEntry. If not, please import the certificate into the Private Key alias.

When I import the certificate (tomcat) I am using:

keytool -import -trustcacerts -alias your_alias_name -keystore your_keystore_filename -file your_certificate_filename 

but when I do so it imports as trustedCertEntry:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

primaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>
tomcat, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>
secondaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>

How can I make alias tomcat import as PrivateKeyEntry?

587 likes
bhttoan asked Jul 26 '14 18:07

1 Answer

You try to add a certificate and expect that it will be a private key - it's confusion between two different things.

Generally, when you create a keystore (.jks) it includes the private key inside. If it's empty (deleted) you should generate a bundle (.p12 file) from your key and certificates.

In order to create a new free key and certificate you can use this implementation of OpenSSL: https://zerossl.com.

Then, you've got a key and certificate that you should generate a (.p12) bundle file from (on a Linux machine):

openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12] 

Now, just add the bundle file (.p12 file) to a keystore (.jks) by executing the following command:

keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12 
190 likes
Eitan Rimon answered Oct 07 '22 19:10
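The verification step the issuer's instructions ask for, as an added example that is not part of the question or the answer: a stdlib-only Python check that parses `keytool -list` output and confirms the server alias is a PrivateKeyEntry (or the older KeyEntry spelling) rather than a trustedCertEntry. The two listings are constructed samples, one modelled on the question's output before the fix and one on what the same keystore looks like after the PKCS#12 round-trip from the answer; aliases are assumed to contain no commas or whitespace.

```python
import re
from typing import Dict, Tuple

# One "alias, date, entryType," record as printed by `keytool -list`. Aliases are
# assumed comma- and whitespace-free; the date is whatever keytool's locale prints
# (e.g. "Jul 26, 2014"). Works on normal and flattened listings alike.
_ENTRY_RE = re.compile(r"(?P<alias>[\w.-]+), (?P<date>[^,\n]+?(?:, \d{4})?), (?P<type>\w*Entry),")
_COUNT_RE = re.compile(r"Your keystore contains (\d+) entr(?:y|ies)")

# Constructed sample: the question's listing, tomcat imported as a trusted cert only.
BROKEN_LISTING = """Keystore type: JKS Keystore provider: SUN  Your keystore contains 3 entries
primaryca, Jul 26, 2014, trustedCertEntry, Certificate fingerprint (SHA1): <snip>
tomcat, Jul 26, 2014, trustedCertEntry, Certificate fingerprint (SHA1): <snip>
secondaryca, Jul 26, 2014, trustedCertEntry, Certificate fingerprint (SHA1): <snip>"""

# Constructed sample: the same keystore after openssl pkcs12 -export + keytool -importkeystore.
FIXED_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

primaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>
tomcat, Jul 26, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): <snip>
secondaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>"""

def parse_keytool_list(listing: str) -> Dict[str, str]:
    """Map each alias in a `keytool -list` dump to its entry type. Aliases are
    lower-cased because keytool treats them case-insensitively."""
    entries = {m.group("alias").lower(): m.group("type") for m in _ENTRY_RE.finditer(listing)}
    count = _COUNT_RE.search(listing)
    if count and int(count.group(1)) != len(entries):
        raise ValueError(f"keystore reports {count.group(1)} entries, parsed {len(entries)}")
    return entries

def check_private_key_alias(listing: str, alias: str) -> Tuple[bool, str]:
    """Apply the issuer's check: the server alias must hold the private key
    (PrivateKeyEntry / KeyEntry), not just a trusted certificate."""
    entry_type = parse_keytool_list(listing).get(alias.lower())
    if entry_type is None:
        return False, f"alias '{alias}' not present in keystore"
    if entry_type.lower() in ("privatekeyentry", "keyentry"):
        return True, f"alias '{alias}' is {entry_type}: private key and chain present"
    return False, (f"alias '{alias}' is {entry_type}: only the certificate was imported; "
                   "rebuild it via openssl pkcs12 -export and keytool -importkeystore")
```

Feed it the real output of `keytool -list -keystore your_keystore_filename` and the alias Tomcat's connector is configured with; a False result means the keystore cannot serve TLS for that alias.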