I have a combined .pem file which looks like this:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

I think this is a combination of ssl, key and ca. I need to convert this to truststore.jks and keystore.jks for my service.

openssl pkcs12 -export -out cert.pkcs12 -in cert
keytool -importcert -v -trustcacerts -alias eb-srv -file cert.pkcs12 -keystore truststore.jks

However, this throws:

keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
    at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2861)
    at sun.security.tools.keytool.Main.doCommands(Main.java:1050)
    at sun.security.tools.keytool.Main.run(Main.java:366)
    at sun.security.tools.keytool.Main.main(Main.java:359)

Same happens if I try:

openssl x509 -outform der -in cert -out cert.der
keytool -import -alias eb-srv -keystore cacerts -file cert.der
Sterling Duchess
  • Have you tried separating the private key, certificate and intermediate certificates into different files and adding them one by one? – Romeo Ninov Dec 04 '19 at 17:40

1 Answer

The first command you have (openssl) will create a keystore in PKCS12 format for you. However, for the truststore you need to add each certificate in the chain individually.

When you have a certificate chain in the format below, it is usually in this hierarchy:

-----BEGIN CERTIFICATE-----
User
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Sub CA/CA
-----END CERTIFICATE-----
...

What you should be adding to the truststore are the CA and Sub CA certificates. So you need to separate these certificates into different files and run this command for each certificate, giving each one its own alias. Note that you don't need to do this for the user certificate.

keytool -importcert -keystore truststore.jks -storepass [password] -alias [alias] -file [certificate_file]

The first command will create the keystore in PKCS12 format. If you need it in another format, like JKS, you can run this command:

keytool -importkeystore -srckeystore [pkcs12_keystore] -srcstorepass [pkcs12_password] -srcstoretype pkcs12 -destkeystore [jks_keystore_file] -deststorepass [jks_keystore_password] -deststoretype jks

always_a_rookie
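The whole procedure from the answer in one script, as an added example that is not part of the question or the answer: split the combined PEM into its blocks, build the PKCS12 keystore from the key and the first (leaf) certificate, convert it to JKS, and import the remaining certificates into a separate truststore. It assumes openssl and keytool are on PATH (only for build_stores); the output file names, the "ca-N" aliases and the "eb-srv" friendly name are chosen here, and the sample PEM is constructed with placeholder bodies rather than real key material.

```shell
#!/bin/sh
# Added example, not part of the question or the answer. It does what the
# answer describes: split the combined PEM into its blocks, build a PKCS12
# keystore from the key and leaf certificate, convert it to JKS, and import
# the remaining (CA / sub-CA) certificates into a separate truststore.
# Assumptions: openssl and keytool are on PATH (build_stores only); the output
# file names, the "ca-N" aliases and the password argument are invented here.

# split_pem COMBINED_PEM OUTDIR
# Writes each PEM block to its own file:
#   OUTDIR/key.pem         the private key block (any "... PRIVATE KEY" type)
#   OUTDIR/cert-N.pem      certificates in file order (leaf is cert-1.pem)
# Prints the number of certificate blocks found.
split_pem() {
  pem="$1"; out="$2"
  mkdir -p "$out"
  awk -v out="$out" '
    /^-----BEGIN .*PRIVATE KEY-----$/ { f = out "/key.pem" }
    /^-----BEGIN CERTIFICATE-----$/   { n++; f = out "/cert-" n ".pem" }
    f != ""                           { print > f }
    /^-----END /                      { close(f); f = "" }
    END                               { print n + 0 }
  ' "$pem"
}

# build_stores OUTDIR PASSWORD
# Requires the files written by split_pem. Every CA certificate gets its own
# alias: keytool refuses a second -importcert under the default alias "mykey".
build_stores() {
  out="$1"; pass="$2"
  # Collect cert-2.pem, cert-3.pem, ... as the chain to attach to the key entry.
  : > "$out/chain.pem"
  i=2
  while [ -f "$out/cert-$i.pem" ]; do
    cat "$out/cert-$i.pem" >> "$out/chain.pem"
    i=$((i + 1))
  done
  set -- -export -name eb-srv -inkey "$out/key.pem" -in "$out/cert-1.pem" \
         -out "$out/keystore.p12" -passout "pass:$pass"
  if [ -s "$out/chain.pem" ]; then
    set -- "$@" -certfile "$out/chain.pem"
  fi
  openssl pkcs12 "$@"
  # PKCS12 -> JKS, as in the answer's -importkeystore command.
  keytool -importkeystore -srckeystore "$out/keystore.p12" -srcstoretype pkcs12 \
    -srcstorepass "$pass" -destkeystore "$out/keystore.jks" -deststoretype jks \
    -deststorepass "$pass" -noprompt
  # Truststore: only the CA / sub-CA certificates, one import each.
  i=2
  while [ -f "$out/cert-$i.pem" ]; do
    keytool -importcert -noprompt -alias "ca-$i" -file "$out/cert-$i.pem" \
      -keystore "$out/truststore.jks" -storepass "$pass"
    i=$((i + 1))
  done
}

# write_sample_pem FILE
# Constructed stand-in for the combined file in the question: the block
# layout is real, the bodies are placeholders, not real key material.
write_sample_pem() {
  printf '%s\n' \
    '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$1"
}

# Usage: sh split-pem.sh combined.pem outdir 'store-password'
if [ "$#" -eq 3 ]; then
  split_pem "$1" "$2" >/dev/null
  build_stores "$2" "$3"
fi
```

The splitter only keys on the BEGIN/END markers, so it works for PKCS#8 ("BEGIN PRIVATE KEY") and EC keys as well as the RSA block in the question. The keystore gets the chain attached via -certfile so a server presenting it sends the intermediates; the truststore deliberately skips cert-1.pem, which matches the answer's point that the user certificate does not belong there.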