How to use Java KeyTool with Existing Certificate

Mike London
Ranch Hand
I'm a bit confused by Java's keytool command.

I already have an existing certificate for my website (.crt files, etc.) created without the keytool command. But, my web service framework wants to read this certificate data from a Java keystore format. Not sure how to create a keystore using my existing crt file from the website vendor.

The existing "tutorials" don't really explain, that I can see, how to handle the situation where you don't want to create a new CSR using keytool, but, instead, just "import" an existing cert into a keystore.

Trying to do commands like this does not work after first creating the keystore:

$keytool -importcert -trustcacerts -file mydomain.com.crt -alias mydomain.com -keystore keystore.jks

---

Since I'm sure this can't be that difficult, I'm clearly missing something here.

Thanks in advance for any suggestions.

- mike
 
Mike London
Ranch Hand
What I'm really asking is if you just create a new keystore and import a "trusted certificate" into it (skipping the CSR process in KeyStore and instead doing the CSR process separately), whether this single keystore.jks entry (just the certificate) will work as expected.

IOW, is the CSR needed in the keystore as some kind of key itself?

Should the below be sufficient?

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mysite.com (comodo rsa domain validation secure server ca), Jul 12, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 12:52:24:9R:CD:58:63:4B:22:86:8D:AZ:ED:B8:8E:EE:A1:T5:8F:6R


Thanks,

- mike
 
Tony Docherty
Bartender
This may help: https://www.grim.se/guide/jre-cert
 
Mike London
Ranch Hand
Tony Docherty wrote: This may help: https://www.grim.se/guide/jre-cert

So, from my posting above, is that a valid keystore with just the trusted certificate in it?

- mike
 
Tim Holloway
Bartender
The CSR (Certificate Signing Request) is the prototype certificate that you generate with keytool, OpenSSL or some similar tool. Since it has not been signed, it cannot be used as an actual SSL cert.

So you must either send it to a recognized signing agent (CA) or sign it yourself.

The actual SSL process requires BOTH a cert (sent to the client) and a related Private Key (kept hidden on the server). The Tomcat SSL docs tell how to generate both items for a self-signed certificate and store them in the keystore using keytool. Their examples mostly combine the function of creating a new keystore and the private key by using the "-genkey" option.

You can use OpenSSL to generate the CSR, which you would send to the CA of your choice to be signed. The CA will typically then provide you with the signed cert and any upstream certs needed to establish the Chain of Trust. Tomcat's docs cover this under the heading "Installing a Certificate from a Certificate Authority".

So your keystore needs a Private Key entry, the signed cert, and any parent certs that the CA provides.

I mentioned elsewhere that Tomcat and Apache use different file formats for their certs, even though the actual cert information is the same. Tomcat uses JKS format. Apache uses X509, I believe. Portecle is a nice GUI tool that can be used to convert cert formats. Plus it also can do many of the keytool functions graphically.
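The keystore Tim describes (a private-key entry plus the signed cert and the CA's parent certs), built from existing files with OpenSSL and keytool, as an added example that is not from this thread; the file names, alias and password are placeholders. It also checks that the alias ended up as a PrivateKeyEntry rather than the trustedCertEntry shown in the earlier listing.

```shell
# Added example, not code from the thread: build a server keystore from files
# you already have (private key, vendor-signed cert, CA chain) and check that
# the result is a PrivateKeyEntry. File names, alias and password are placeholders.
set -eu

# Bundle key + leaf cert + CA chain into PKCS#12, then convert to JKS.
# Usage: build_server_keystore KEY.pem LEAF.crt CHAIN.pem ALIAS OUT.jks PASSWORD
build_server_keystore() {
  key="$1"; leaf="$2"; chain="$3"; alias="$4"; out="$5"; pass="$6"
  p12="${out%.jks}.p12"
  # -certfile carries the intermediate/root certs so the chain is stored with the key
  openssl pkcs12 -export -inkey "$key" -in "$leaf" -certfile "$chain" \
    -name "$alias" -out "$p12" -passout "pass:$pass"
  # keytool cannot import a bare private key; it imports a whole PKCS#12 store
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$out" -deststoretype JKS -deststorepass "$pass" -destkeypass "$pass"
  rm -f "$p12"
}

# Succeeds only if ALIAS is a PrivateKeyEntry; a store holding just the
# certificate (trustedCertEntry, as in the listing earlier in the thread)
# fails this check and cannot serve TLS.
verify_server_keystore() {
  keytool -list -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
    | grep -q 'PrivateKeyEntry'
}
```

Run `build_server_keystore mydomain.com.key mydomain.com.crt chain.pem mydomain.com keystore.jks changeit` and then `verify_server_keystore keystore.jks mydomain.com changeit` to confirm the entry type before handing the file to the web service framework.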
 