Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Not able to load P7B file into keystore file

Tags:

certificate

openssl

keystore

keytool

pkcs#7

I received a new certificate in crt / cert format. When I open this file in a text editor they added the complete certificate chain to this file. Each certificate starts with:

-----BEGIN CERTIFICATE-----

And ends with:

-----END CERTIFICATE-----

There are no empty lines in between. Since I am not keen with openssl, I opened up the certificate into Windows and exported the certificate with the complete chain in PKCS#7 format (test.p7b). When I open this file all looks fine in Windows and the root, intermediate and the certificate are all their in the chain.

When I put the file test.p7b on the server and try to import this with keytool as follows:

keytool -import -trustcacerts -alias my.domain.com -keystore my.domain.keystore -keypass changeme -storepass changeme -file test.p7b

I get the following error:

keytool error: java.lang.Exception: Input not an X.509 certificate

When I test the P7B file I also get errors:

bash-4.1$ openssl x509 -in test.p7b -text
unable to load certificate
140009984849736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE

or:

bash-4.1$ openssl x509 -in test.p7b -inform DER -text
unable to load certificate
140396587853640:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140396587853640:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509_CINF
140396587853640:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=cert_info, Type=X509

Can someone help me out?

like image 921
Mark Veenstra Avatar asked Oct 28 '13 13:10

Mark Veenstra

1 Answers

When importing a certificate chain, keytool expects the certificates to be loaded in DER form. You can create such a bundle with openssl:

1 - Convert all certificates in DER format 

openssl x509 -in certificate.pem -outform DER -out certificate.crt

2 - Concat all DER certificates into one single file

cat cert1.crt cert2.crt ... > chain.der

3 - Now you can import the chain into your keystore with keytool 

keytool -importcert -trustcacerts -alias <myalias> -file chain.der -keystore keystore.jks -storepass <mypassword>

Note that myalias MUST be the same as the one used when the key was generated.

4 - verify that the chain was successfully imported

keytool -list -v -keystore keystore.jks
like image 82
Jcs Avatar answered Oct 06 '22 00:10

Jcs
Sign in to Comment

Related questions

OpenSSL decrypt fails but error code is 0
How to do this PKCS7 signing in node.js?
SSL/TLS protocols and cipher suites with the AndroidHttpClient
OpenSSL connection: alert internal error
How to perform successful SSL encryption with pkcs12/pfx in Qt on Mac OSX?
Login via starttls method from smtplib to old e-mail server
How to write openssl engine
What are the benefits to using BIO_printf() instead of printf()?
Compile OpenSSL 1.1.0 for Android
Problems to verify a file signed with python
How to establish TLS session in python using PKCS11
How to prevent multiple initialization of dynamic library
Ruby Net::HTTP responds with OpenSSL::SSL::SSLError "certificate verify failed" after certificate renewal
Self-Signed CA not accessible via X509Store
How does one build a OpenSSL library for Project Catalyst?
Load PKCS#8 binary key into Ruby
OpenSSL configure maximum number of connections
what is wrong with this pkcs12 file(pfx)
OpenSSL Get Subject Alternative Name from certificate
Unable to connect to 'ssl://gateway.sandbox.push.apple.com:2195'

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!