Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Import PKCS7 (Chained Certificate) using KeyTool command to JKS

I have a CA issued CERT in PKCS#7 format. It has certificates (chained) within it. Keytool does not recognize the PKCS7 format. I have tried OpenSSL tool to convert PKCS7 format certificate to PEM format and it fails. I receive an error message "Unable to load PKCS7 object".

How do I import the PKCS7 cert chain to my JKS?

like image 816
Rohit Sharma Avatar asked Apr 04 '13 14:04

Rohit Sharma


People also ask

What is certificate chain keystore?

keytool can create and manage keystore "key" entries that each contain a private key and an associated certificate "chain". The first certificate in the chain contains the public key corresponding to the private key.


1 Answers

As you can read in the keytool reference for -importcert command:

Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or PKCS#7 reply is read from stdin.

keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type.

Try to import the PKCS7 cert as it is.

Though, it doesn't always work. If you have problems, try to do the following (using OpenSSL):

  1. Print all the certs it contains to a PEM file

    OpenSSL> pkcs7 -in initial_file.p7b -inform DER -print_certs -outform PEM -out certs_chain.pem

  2. Open the new PEM file (certs_chain.pem) with an editor and delete everything outside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries (keep only the encoded content within the boundaries, the certificates themselves) and save it.

Now keytool should not have problems to import your cert, using certs_chain.pem as cert_file

like image 186
Sergio Pelin Avatar answered Sep 22 '22 04:09

Sergio Pelin