0

I have 3 separate .pem files:

publicCert.pem
privateKey.pem
CertificateChain.pem

I want to put these into a new java keystore.

I have seen this question asked and answered before, but with only 1 or 2 .pem files, not 3, and not specifically for a new jks.

Additionally the other web servers run on IIS, and are using SSL with a wildcard domain. example: *domain.com

Can I create a jks for a wildcard domain? Looks like that may be tricky?

Commands appreciated!

Jim P.
  • Possible duplicate of [Importing the private-key/public-certificate pair in the Java KeyStore](http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore) – jww Aug 05 '14 at 03:00
  • Not a duplicate... It's not a self-signed cert. I don't need to create a cert request for a provider to approve. I already have the cert info in PEM format, but JKS apparently needs a JKS created before it can then import files like DER that have been converted from PEM. The domain is a wildcard as mentioned above. I have scoured Google, and Stack, and there are bits and pieces everywhere, but nothing that puts the whole picture together. Please allow the community to answer. Thanks. – Jim P. Aug 05 '14 at 03:54
  • Unfortunately, you have not provided the code or commands you have tried. It appears you haven't done anything and simply want an answer. That's not how Stack Overflow works. – jww Aug 05 '14 at 04:00
  • I guess it is really a multipart question... Do I need *all* 3 files to create a valid cert in JKS? What format should I convert them to? How to create a JKS with wildcard domain? When creating JKS, do the answers I give for company, city, state, etc. have to match anything inside the key that I am trying to import? – Jim P. Aug 05 '14 at 04:02
  • Oh, it's not? You can't ask general questions and get answers, like the 456 upvoted answer this thread got? http://stackoverflow.com/questions/1091945/where-can-i-get-a-list-of-the-xml-document-escape-characters – Jim P. Aug 05 '14 at 04:04
  • Like I said, I have put in hours of research, set up an Ubuntu environment so I can use openssl and keytool. Yes, I am asking for answers, but it is not like I haven't put some effort in. – Jim P. Aug 05 '14 at 04:06

2 Answers

1

Build a PKCS12 file, then use Java's Keytool to convert to a Java keystore.

openssl pkcs12 -export -chain -inkey privateKey.pem -CAfile CertificateChain.pem -in publicCert.pem -out myp12file.p12

keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12file.p12 -srcstoretype pkcs12 -destalias mykey -srcalias 1

It will ask you for passwords, too.

jbl
  • PKCS12 can be used directly as a Java keystore in Java 8, [and in Java 9 PKCS12 is the default form of keystore](https://bugs.openjdk.org/browse/JDK-8044445). There's no longer any need to convert a PKCS12 file into a Java keystore. – Andrew Henle Mar 17 '23 at 09:24
0

You can create a .p12 keystore first and then convert it to jks:

openssl pkcs12 -export -in cert.pem -inkey key.pem \
-out keystore.p12 -name my_cert

This creates a .p12 keystore with the certificate cert.pem and the open key key.pem under the cert alias my_cert.

Then you can convert the p12 to jks like this:

keytool -importkeystore -deststorepass 111111 -destkeypass 111111 -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass 111111 -alias my_cert

To add other keys to the jks, use the command:

keytool -importcert -file chain.txt -keystore keystore.jks -alias root

If you want to convert .cer to .pem (because you need to add only .pem to the keystore), you can use the command:

openssl x509 -inform der -in certificate.cer -out certificate.pem
Roberto
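A pre-flight check for the `openssl pkcs12 -export` step both answers rely on, as an added example that is not part of either answer: it confirms the private key belongs to the certificate and that the chain file actually holds certificates before building the bundle. The function names and the `P12_PASS` environment variable are assumptions made for this example; the file names are the ones from the question.

```shell
#!/bin/sh
# Added example: sanity checks before bundling PEM files into PKCS12/JKS.
# Function names and the P12_PASS variable are hypothetical.

# Succeed only if the private key ($1) matches the certificate ($2).
# Both commands print the public key as PEM, so a string compare is enough.
# Returns 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Print how many certificates a PEM bundle ($1) contains.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the PKCS12 file with the command from the first answer, but only
# after the checks pass. Args: key, certificate, chain file, output file.
# The export password is read from the environment (P12_PASS) instead of
# the command line, so it does not show up in the process list.
build_p12() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match certificate" >&2
        return 1
    }
    [ "$(count_certs "$3")" -ge 1 ] || {
        echo "no certificates found in chain file" >&2
        return 1
    }
    openssl pkcs12 -export -chain -inkey "$1" -CAfile "$3" -in "$2" \
        -passout env:P12_PASS -out "$4"
}

# Usage with the files from the question:
#   export P12_PASS='...'
#   build_p12 privateKey.pem publicCert.pem CertificateChain.pem myp12file.p12
```

After the keytool import, `keytool -list -v -keystore mykeystore.jks` should show the alias as a `PrivateKeyEntry` with a certificate chain length greater than 1; a `trustedCertEntry` means the key did not make it in.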