Menu
I have a CA issued CERT in PKCS#7 format. It has certificates (chained) within it. Keytool does not recognize the PKCS7 format. I have tried OpenSSL tool to convert PKCS7 format certificate to PEM format and it fails. I receive an error message "Unable to load PKCS7 object".
How do I import the PKCS7 cert chain to my JKS?
816
keytool can create and manage keystore "key" entries that each contain a private key and an associated certificate "chain". The first certificate in the chain contains the public key corresponding to the private key.
As you can read in the keytool reference for -importcert command:
Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or PKCS#7 reply is read from stdin.
keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type.
Try to import the PKCS7 cert as it is.
Though, it doesn't always work. If you have problems, try to do the following (using OpenSSL):
Print all the certs it contains to a PEM file
OpenSSL> pkcs7 -in initial_file.p7b -inform DER -print_certs -outform PEM -out certs_chain.pem
Open the new PEM file (certs_chain.pem) with an editor and delete everything outside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries (keep only the encoded content within the boundaries, the certificates themselves) and save it.
Now keytool should not have problems to import your cert, using certs_chain.pem as cert_file
186
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
