5

I have already created a keystore (server.jks in the image) having imported the relevant key-pair.

```
keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
```

I need to append intermediate certificates to it using the java keytool.

Using the KeyStore Explorer tool on Windows, I can append certificates through the right-click context menu, just like in the attached image.

After adding the primary/intermediate certificates following the Append Certificate option, I can see it in KeyStore Explorer like a tree.

```
---primary intermediate certificate
     |---secondary intermediate certificate
           |---my server certificate
```

I am very much interested in knowing how this can be done, using the 'Java KeyTool' on the (LINUX) command line.

Thank you in advance.

Chathura Kulasinghe
  • 2
    This question appears to belong on another site in the Stack Exchange network because it's not about programming. Perhaps [Super User](https://www.superuser.com/) or [Server Fault](http://serverfault.com/). – jww May 15 '14 at 20:53
  • 4
    @jww, while it's true it's not purely a programming question, I'd consider `keytool` to be a software tool commonly used by developers, therefore such a question on-topic. Not sure the SF community would like such a question (possibly not "professional" enough), and possibly too specific for SU. I admit it's a grey area, like many SSL-related questions. – Bruno May 16 '14 at 13:08
  • That might not be directly a programming question. But the DevOps people usually are familiar with this stuff; programmers are not, even if we usually have to deal with it. I am a programmer, especially one who is working with middleware. People who work with me mostly visit Stack Overflow for these kinds of questions. However, can we move questions from Stack Overflow to a site like Super User? Because I do not want to delete this after I got the answer, making the person (Bruno) who answered the question lose the credit that he deserves. – Chathura Kulasinghe May 16 '14 at 13:19
  • I will add this question to the Super user, this may be deleted from here as I see two votes for closing this question. Bruno, please do provide your answer there. Thanks a lot!!! Find it here http://superuser.com/questions/755148/java-keytool-append-primary-secondary-intermediate-certificates-to-key-store I did not delete this question by myself, since it is not recommended to delete an answered question. – Chathura Kulasinghe May 16 '14 at 13:27
  • 2
    Don't worry too much about my potential reputation loss, I can live with that. It's generally better not to ask again on a different site but to ask for it to be moved (flag it), moderators should be able to move questions (with their answers). There are also only 2 closing votes at the moment, even if it reached 5, the question would be closed, not deleted (at least not immediately). – Bruno May 16 '14 at 14:11
  • 1
    I agree with @Bruno that the question belongs here rather than elsewhere. – user207421 May 16 '14 at 22:51
  • Bruno and EJP - with all due respect, what's the point of having rules if you are not going to follow them? Developers use lots of tools, but many are not on-topic here either. It's not limited to `keytool`. For what it's worth, I did not think it was a bad question. But Stack Overflow rules dictate it belongs elsewhere. – jww May 17 '14 at 00:32

1 Answer

5

This is more or less the same problem as in this question. You need to prepare a file representing the certificate chain, each certificate followed by the CA certificate that issued it.

```
-----BEGIN CERTIFICATE-----
MIICajCCAdOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVSzEa
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIJAKm5bDEMxZd7MA0GCSqGSIb3DQEBBQUAMDsxCzAJBgNV
....
-----END CERTIFICATE-----
```

You may need to export your EEC (End Entity Certificate) from your keystore first (`keytool -exportcert ...`). Then, use the text editor of your choice (vi, emacs, gedit, ...) or `cat` to concatenate your EEC and the intermediate certificate(s) in order. Then import the resulting file into your keystore against the alias that contains your private key (`keytool -importcert -alias ...`).

Bruno
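
The steps described in the answer above, as an added shell example (not part of the original answer or of keytool itself): export the end-entity certificate, concatenate it with the intermediates in issuing order, and import the result against the private-key alias. The function names, the alias `server` and the file names `secondary.pem` and `primary.pem` are assumptions, and the intermediate certificates are assumed to be PEM files.

```bash
#!/usr/bin/env bash
# Added example: file names, the alias and the function names are assumptions.

# build_chain OUT CERT.pem...  Concatenate PEM certificates in the order
# given (end-entity certificate first, then each issuing CA) into OUT.
build_chain() {
  local out="$1" f; shift
  : > "$out"
  for f in "$@"; do
    # A DER file (keytool -exportcert without -rfc) has no PEM markers.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
      echo "not a PEM certificate: $f" >&2
      return 1
    }
    # Copy only the PEM blocks, dropping any text printed around them.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out"
    # A file without a final newline would fuse its END marker with the
    # next BEGIN marker, so terminate the last line if needed.
    [ -z "$(tail -c 1 "$out")" ] || echo >> "$out"
  done
}

# Number of certificates in a PEM file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# append_chain KEYSTORE ALIAS INTERMEDIATE.pem...  (nearest issuer first)
# ALIAS must be the entry that holds the private key.
append_chain() {
  local ks="$1" alias="$2" tmp rc; shift 2
  tmp=$(mktemp -d) || return 1
  # 1. export the end-entity certificate as PEM (-rfc; default is DER)
  # 2. build the chain file
  # 3. import it against the key entry, replacing its certificate chain
  # 4. show the resulting chain length
  keytool -exportcert -rfc -alias "$alias" -keystore "$ks" -file "$tmp/eec.pem" &&
    build_chain "$tmp/chain.pem" "$tmp/eec.pem" "$@" &&
    keytool -importcert -alias "$alias" -keystore "$ks" -file "$tmp/chain.pem" &&
    keytool -list -v -alias "$alias" -keystore "$ks" | grep 'Certificate chain length'
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Usage for the tree in the question (alias "server" is a placeholder):
#   append_chain server.jks server secondary.pem primary.pem
```

For the three-level tree in the question, the final `keytool -list -v` line should report a chain length of 3.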