11

I'm renewing a certificate used by my Hadoop cluster. Current JKS has one entry:

Your keystore contains 1 entry

Alias name: myalias
Creation date: Jan 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1

I'm trying to create a new keystore from the new cert:

keytool -importcert -alias myalias  -file newcertfile.crt -keystore newkeystore.jks

But I get asked about whether I trust this certificate (If I say no, keytool quits):

Trust this certificate? [no]:  yes

And when I look at the result, it's no longer a PrivateKeyEntry but a trustedCertEntry:

keytool -list -v -keystore newkeystore.jks
...
...
Your keystore contains 1 entry

Alias name: myalias
Creation date: Feb 20, 2019
Entry type: trustedCertEntry
...
...

What am I missing here? Should I just use the JKS with the trustedCertEntry or is there a way to make it just like the old JKS (with PrivateKeyEntry)?

yurmix
  • 852
  • 2
  • 8
  • 21

1 Answers1

9

I eventually figured out that I have to supply the private key as well (As Roshith mentioned in the link he supplied).

So I started with first creating a pfx file:

openssl pkcs12 -export -out newcertbundle.pfx -inkey myprivate.key -in newcertfile.crt

And then converted it to jks:

keytool -importkeystore -srckeystore newcertbundle.pfx -srcstoretype PKCS12 -srcstorepass mypass -deststorepass mypass -destkeypass mypass -destkeystore newkeystore.jks

The only thing I couldn't figure out (but wasn't too important to me) was how to use an alias, so I went with a default one (when I tried specifying one I got: Alias does not exist. This is discussed here).

yurmix
  • 852
  • 2
  • 8
  • 21
  • 2
    You got the alias doesn't exist because you dint provide one when exporting the pfx, you need to provide a `-name ` on your `openssl pkcs12 export` command and provde `-alias ` in your `keytool` command. – Sivaprasanna Sethuraman Dec 26 '18 at 10:35