I already have an existing certificate for my website (.crt files, etc.) created without the keytool command. But, my web service framework wants to read this certificate data from a Java keystore format. Not sure how to create a keystore using my existing crt file from the website vendor.
The existing "tutorials" don't really explain, that I can see, how to handle the situation where you don't want to create a new CSR using keytool, but, instead, just "import" an existing cert into a keystore.
Trying to do commands like this do not work after first creating the keystore:
Since I'm sure this can't be that difficult, I'm clearly missing something here.
Thanks in advance for any suggestions.
posted 2 years ago
What I'm really asking is if you just create a new keystore and import a "trusted certificate" into it (skipping the CSR process in KeyStore, instead, doing CSR process separately), if this single keystore.jks entry (just the certificate) will work as expected.
IOW, is the CSR a needed in the keystore as some kind of key itself?
The CSR (Certificate Signing Request) is the prototype certificate that you generate with keytool, OpenSSL or some similar tool. Since it has not been signed, it cannot be used as an actual SSL cert.
So you must either send it to a recognized signing agent (CA) or sign it yourself.
The actual SSL process requires BOTH a cert (sent to the client) and a related Private Key (kept hidden on the server). The Tomcat SSL docs tell how to generate both items for a self-signed certificate and store them in the keystore using keytool. Their examples mostly combine the function of creating a new keystore and the private key by using the "-genkey" option.
You can use OpenSSL to generate the CSR, which you would send to the CA of your choice to be signed. The CA will typically then provide you with the signed cert and any upstream certs needed to establish the Chain of Trust. Tomcat's docs cover this under the heading "Installing a Certificate from a Certificate Authority".
So your keystore needs a Private Key entry, the signed cert, and any parent certs that the CA provides.
I mentioned elsewhere that Tomcat and Apache use different file formats for their certs, even though the actual cert information is the same. Tomcat uses JKS format. Apache uses X509, I believe. Portecle is a nice GUI tool that can be used to convert cert formats. Plus it also can do many of the keytool functions graphically.
Being persecuted doesn't in any way prove your righteousness or your beliefs. Many people get persecuted because they are repugnant or annoying. Or just because they can be.
permaculture is a more symbiotic relationship with nature so I can be even lazier. Read tiny ad: