44

I have file with chain of certificates - certificate.cer: 

subject=/C...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I need to add this chain of certificates to keystore.
What I do: 

openssl x509 -outform der -in certificate.cer -out cert.der
keytool -v -importcert -alias mykey -file cert.der -keypass <passwd> -keystore keystore -storepass <passwd> -alias <myalias>

In result I have only 1 certificate in keystore.
But should have 3.
What could be wrong?

SOLUTION:
CA sent me certificates in PKCS#7 format.
I stored them in certificate.p7b file and then successfully added them to keystore by following command: 

keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
jww
  • 97,681
  • 90
  • 411
  • 885
Volodymyr Bezuglyy
  • 16,295
  • 33
  • 103
  • 133
  • Which version of KeyTool was used? The version `6-b14` isn't able to import certificate chains because: `// we can only store one user cert per identity.` Have a look at the source code: `http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/sun/security/tools/KeyTool.java#KeyTool.doImportIdentityDatabase%28java.io.InputStream%29` – My-Name-Is Aug 06 '15 at 07:38
  • Wanted to add my scenario for posterity. Stumbled on this post when trying to install certificate into keystore for WildFly 16. My CA gave me 2 .cer files and a .p7b chain file. I mistakenly imported one of the .cer files first, and with the wrong alias so I was getting untrusted certificate errors. To resolve, I removed the .cer record that I imported, and imported the .p7b file using the same alias used for the private key. Worked like a charm! – Rob Streeter Mar 01 '19 at 22:13
  • 1
    Having followed many different online posts demonstrating various methods of importing a PEM chain of trusted certificates into a JKS keystore, based on my experience, no matter how many certificates are bundled in either a .p7b or .pem file, it's only the top one that the `keytool` import command adds to the keystore file. – RZet Nov 17 '21 at 18:55

3 Answers3

41

I solved the problem by cat'ing all the pems together:

cat cert.pem chain.pem fullchain.pem >all.pem
openssl pkcs12 -export -in all.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root -password MYPASSWORD
keytool -importkeystore -deststorepass MYPASSWORD -destkeypass MYPASSWORD -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass MYPASSWORD -alias tomcat
keytool -import -trustcacerts -alias root -file chain.pem -keystore MyDSKeyStore.jks -storepass MYPASSWORD

(keytool didn't know what to do with a PKCS7 formatted key)

I got all the pems from letsencrypt

nont
  • 9,322
  • 7
  • 62
  • 82
  • Worked for me too. To obtain that private key, this other answer was useful: https://security.stackexchange.com/a/66865/141918 – Raul Santelices May 17 '17 at 14:20
  • 5
    Note that cat will create a broken pem if there is a newline missing at the end of a cert (happened to me). So better check `all.pem` content afterwards. – Marcus Apr 27 '18 at 13:52
  • Worked for me. Note that MYPASSWORD is not necessarily the same for the store, source- and destination certificate key. – Mathieu Diepman Jan 15 '20 at 13:48
  • 1
    I have been searching for days for this answer. This is what works if you have the cert chain, key, and the certificate itself all in .pem format. Thank you! – FerdTurgusen Sep 02 '21 at 19:13
  • thanks a lot, it works for me, but in my case I modify this: -deststoretype JCEKS, because in my code it cannot recognize PKCS12 format – danisupr4 Apr 15 '22 at 20:00
13

From the keytool man - it imports certificate chain, if input is given in PKCS#7 format, otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via openssl crl2pkcs7 command.

Nickolay Olshevsky
  • 13,706
  • 1
  • 34
  • 48
  • I already have certificates in PKCS#7 format. CA have sent me them in email. Certificates were successfully added to keystore by following command: keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass -alias "myalias" Thank you! – Volodymyr Bezuglyy Apr 17 '13 at 14:46
  • 20
    Didn't work for me. I'm getting the error: `keytool error: java.lang.Exception: Input not an X.509 certificate`. The p7p file was created via: `openssl crl2pkcs7 -nocrl -certfile cacert.pem -certfile client-cert.pem -out outfile.p7b` – My-Name-Is Aug 04 '15 at 21:34
  • 4
    The post here: `http://stackoverflow.com/a/22028156/1817029` tells that keytool can't import p7p files! – My-Name-Is Aug 04 '15 at 21:37
  • I also could not get keytool to import a p7b file – nont Nov 01 '16 at 18:32
2

I used below to solve my keystore chain issue Thanks @nont

echo -e 'Concat certs'
cat "${DIR_PATH}/tls/server/public/server.cert.pem" "${DIR_PATH}/tls/intermediate/certs/ca-chain-bundle.cert.pem" > "${DIR_PATH}/tls/server/tomcat/all.cert.pem"
echo -e "Creating new tomcat keystore"
openssl pkcs12 -inkey "${DIR_PATH}/tls/server/private/server.key.pem" -in "${DIR_PATH}/tls/server/tomcat/all.cert.pem" -export -out "${DIR_PATH}/tls/server/tomcat/tomcat.pfx" -password pass:changeit
Greg
  • 1,007
  • 1
  • 9
  • 9