SSL : CSR file created with openSSL and installing with keytool

Question

I have created CSR with the command openSSL and purchased crt files.

openssl genrsa -out private-key.pem 2048 
openssl req -new -key private-key.pem -out csr.pem

Will it be OK to install this by using keystore command as I have not created CSR file by using keytool (but created using openSSL) ?

Another question is I have got three files from the trusted certificate generation company. So how to indentify which one is primary, root, intermediate crt files ? File type(root,intermediate) is not mentioned in the filename itself. I have to run following commands on the basis of crt file type.

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

And what was the output from `keytool` for each of the three files? — Tim Biegeleisen, Aug 07 '15 at 07:23
@TimBiegeleisen I didn't execute command by considering it will create mess in the system if execute incorrectly. Shall I go ahead and execute ? — AmitG, Aug 07 '15 at 07:26
Please have a look at this site: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html — Tim Biegeleisen, Aug 07 '15 at 07:29
@TimBiegeleisen that URL is not giving information to identify file type — AmitG, Aug 07 '15 at 07:45
I'm not familiar with "file type" being a standard property of an SSL certificate. Is the "file type" the alias? — Tim Biegeleisen, Aug 07 '15 at 07:48

score 1 · Answer 1 · edited May 23 '17 at 11:43

Will it be OK to install this by using keystore command as I have not created CSR file by using keytool (but created using openSSL) ?

You will have to import the private key into the keystore as well. Otherwise the keystore will be useless.

There are two ways to do this:

Create a PKCS#12 file with OpenSSL first and then convert this file to JKS with keytool (see here).
Use KeyStore Explorer, it has import/export features for OpenSSL formats. Instructions can be found here.

Another question is I have got three files from the trusted certificate generation company. So how to indentify which one is primary, root, intermediate crt files ?

You have to take a look at the content of the certificates, especially their distinguished names (DNs).

The root CA certificate always has identical SubjectDN and IssuerDN.
The intermediate CA has root CA's SubjectDN as its IssuerDN and a different SubjectDN.
The SSL certificate has the intermediate CA's SubjectDN as its IssuerDN and the domain name as part of its SubjectDN.

The OpenSSL command for printing out the SubjectDN and IssuerDN depends on the format of the certificate file (DER or PEM). DER is a binary format, PEM is a ASCII format. If you are not sure, try both:

openssl x509 -noout -subject -issuer -nameopt RFC2253 -inform DER -in <cert-file>

or

openssl x509 -noout  -subject -issuer -nameopt RFC2253 -inform PEM -in <cert-file>

SSL : CSR file created with openSSL and installing with keytool

1 Answers1