I have created a self-signed certificate chain using openssl. The certificate has a .crt extension. I tried to create a .keystore file from that .crt file.

The command used to create the keystore file is:

    keytool -import -trustcacerts -alias root -file certificate.crt -keystore certificate.keystore

When using the keystore file in my Tomcat application to enable SSL, my application did not start, and I got a "This site can't be reached" error in my browser and no error in the logs.

I converted the .crt file into a .p12 file and used it in my Tomcat application. Now my application runs.

How can I generate the keystore file successfully, and why does converting the file to .p12 work?

Hulk Man
  • Dupe https://stackoverflow.com/questions/37412374/java-sslhandshakeexception-no-cipher-suites-in-common/37423399#37423399 and several more linked there. – dave_thompson_085 Dec 29 '17 at 10:04

1 Answer

You can't create a keystore from a .crt file. A keystore must contain both a private key and the corresponding certificate. Not just the certificate.

There is no reason to use openssl in this situation at all. You don't need anything more than keytool -genkey ....

user207421
  • To avoid a common confusion: Java uses 'keystore' _files_ (JKS or PKCS12) to contain private key(s) with cert(s), OR 'trusted' certs without keys, or even a mixture (though that is usually a poor idea). A Java SSL/TLS server (like Tomcat) needs specifically a keystore file containing PrivateKeyEntry(s), whose cert(s) are for name(s) matching the hostname(s) used by the server. – dave_thompson_085 Dec 29 '17 at 10:04
  • If the keystore file should have both the certificate and the private key, which is what the .p12 contains, what is present in a .keystore file? How is it different from .p12? – Hulk Man Dec 30 '17 at 12:02
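
The distinction drawn in the answer and its first comment, as an added example that is not part of the original thread: a keystore made with `keytool -import` from a certificate alone holds only a `trustedCertEntry`, while a TLS server such as Tomcat needs a `PrivateKeyEntry`. The script classifies `keytool -list` output and shows one way to build the keystore from key and certificate together; `private.key`, the `tomcat` alias and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. private.key is an assumed name
# for the key openssl generated alongside certificate.crt.

# Count entries of one type in `keytool -list` output read on stdin.
# Entry lines look like: "root, Dec 29, 2017, trustedCertEntry,"
count_entries() {
    grep -c -E ", $1,[[:space:]]*\$" || true
}

# Print "server" if the listing holds a PrivateKeyEntry (usable by Tomcat),
# "truststore-only" if it holds only trusted certs, "empty" otherwise.
classify_listing() {
    cl_text=$(cat)
    cl_keys=$(printf '%s\n' "$cl_text" | count_entries PrivateKeyEntry)
    cl_certs=$(printf '%s\n' "$cl_text" | count_entries trustedCertEntry)
    if [ "$cl_keys" -gt 0 ]; then echo server
    elif [ "$cl_certs" -gt 0 ]; then echo truststore-only
    else echo empty
    fi
}

# Check a real file (keytool prompts for the store password).
check_keystore() {
    keytool -list -keystore "$1" | classify_listing
}

# Bundle key + cert into PKCS12, then convert to the .keystore file.
build_server_keystore() {
    openssl pkcs12 -export -in certificate.crt -inkey private.key \
        -name tomcat -out certificate.p12 &&
    keytool -importkeystore -srckeystore certificate.p12 \
        -srcstoretype PKCS12 -destkeystore certificate.keystore
}

# Constructed sample listings (fingerprints are placeholders).
SAMPLE_IMPORT_ONLY='Keystore type: JKS
Your keystore contains 1 entry

root, Dec 29, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>'
SAMPLE_WITH_KEY='Keystore type: PKCS12
Your keystore contains 1 entry

tomcat, Dec 29, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

printf '%s\n' "$SAMPLE_IMPORT_ONLY" | classify_listing   # truststore-only
printf '%s\n' "$SAMPLE_WITH_KEY" | classify_listing      # server
```

Running `check_keystore certificate.keystore` on the file from the question would report `truststore-only`, which is why Tomcat had no key to serve TLS with.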