0

From Apache2's mod_ssl I have the following config files that work:

    SSLCertificateFile      x (certificate)
    SSLCertificateKeyFile   y (rsa private key)
    SSLCertificateChainFile z.crt

From these files, I would like to generate a Java keystore that can be passed into Jetty for SSL. I have done a lot of reading, but I'm confused about what I actually have here, and what steps are needed to transform these files into a keystore.

Sumurai8
jwhitlark
  • possible duplicate of [How can i create keystore from an existing certificate (abc.crt) and abc.key files?](http://stackoverflow.com/questions/11952274/how-can-i-create-keystore-from-an-existing-certificate-abc-crt-and-abc-key-fil) – Bruno Oct 31 '12 at 10:21

2 Answers

1

You can't import a private key into a keystore directly. But you may use openssl to transform the key and the certificate into a pkcs#12 store. Then you can import the whole pkcs#12 into a default java keystore by using the option -importkeystore together with the option -srcstoretype pkcs12.

(You can also use the pkcs12 store directly by providing the storetype 'pkcs12')

Andy
1

Assuming that you want to use the alias "domain.com" to store the key and certificate in the keystore, you can use the following commands to get the job done:

    keytool -keystore keystore.jks -import -alias root -file z.crt -trustcacerts

which will import your root certificate (or the chain file). Then you can import your certificate:

    keytool -keystore keystore.jks -import -alias domain.com -file x -trustcacerts

Finally, you use the openssl tool to convert the private key into pkcs12, and import it into the keystore.

    openssl pkcs12 -export -in x -inkey y -out domain.pkcs12
    keytool -importkeystore -srckeystore domain.pkcs12 -srcstoretype PKCS12 -destkeystore domain.com

Alen Stojanov
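
An added example, not part of either answer: the PKCS#12 route both answers describe, written as shell functions that first check that the private key belongs to the certificate, include the chain file in the bundle, and read passwords from the environment instead of the command line. The alias `domain.com`, the output file names and the `P12_PASS`/`JKS_PASS` variables are assumptions.

```shell
#!/bin/sh
# Added example: Apache mod_ssl PEM files -> PKCS#12 -> Java keystore for Jetty.
# Input names (x, y, z.crt) follow the question. The alias, the output file
# names and the P12_PASS / JKS_PASS environment variables are assumptions.
# Passwords come from the environment so they never show up in `ps` output.

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Bundle key, certificate and chain into one PKCS#12 entry named ALIAS.
make_pkcs12() {  # usage: make_pkcs12 CERT KEY CHAIN ALIAS OUT
    key_matches_cert "$1" "$2" || { echo "key does not match $1" >&2; return 1; }
    ( umask 077   # the bundle holds the private key: owner-only permissions
      openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
          -name "$4" -out "$5" -passout env:P12_PASS )
}

# Copy that entry into a JKS keystore and confirm it arrived as a key entry,
# not as a bare trusted certificate.
make_jks() {  # usage: make_jks P12 ALIAS JKS
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
        -srcalias "$2" -destalias "$2" \
        -destkeystore "$3" -deststoretype JKS \
        -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS || return 1
    keytool -list -keystore "$3" -storepass:env JKS_PASS -alias "$2" |
        grep -q PrivateKeyEntry
}

# Typical run with the files from the question:
#   export P12_PASS=... JKS_PASS=...
#   make_pkcs12 x y z.crt domain.com domain.p12 &&
#       make_jks domain.p12 domain.com keystore.jks
```

Jetty needs an entry that `keytool -list` reports as `PrivateKeyEntry`; a `trustedCertEntry` under the same alias holds only the certificate and cannot serve TLS.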