7

I have Java code that needs a keystore, and I have a privateKey.pem and a bank.cer file. The private key would be used to sign a value sent to the bank, and bank.cer to verify the bank's response. I can't find a way to put them into a keystore so that my code would work.

Can it be done with keytool?

ivar
  • 819
  • 4
  • 12
  • 19
  • I think it would be good if you could provide what you tried so far. – musiKk Jun 06 '11 at 14:02
  • I have tried importing with keytool, but it imports as a trustedCertEntry and I would like it to be a privateKeyEntry. Also tried a Java program called ktl241 that said java.lang.Exception: obj: not an instance of X509Certificate when importing the private key pem. Also tried the top search results from Google. – ivar Jun 07 '11 at 06:00
  • 2
    I once wrote a blog entry on how to do that. Maybe it helps: http://quakology.blogspot.com/2009/06/how-to-use-ssl-with-client-certificate.html – musiKk Jun 07 '11 at 07:01
  • Thank you for answering, but it didn't work. Got No certificate matches private key. My pem contains only the private key. – ivar Jun 07 '11 at 07:23
  • Have you tried http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store? – musiKk Jun 07 '11 at 07:27
  • It did put the private key in the keystore. Is it OK though? Because the private key and cert I had are not a pair, but they are now in the keystore as a pair. – ivar Jun 07 '11 at 07:43
  • I think this should be right. I'm facing similar problems right now but I think I found another solution. I'll answer with that and we'll see if it works for you too. – musiKk Jun 07 '11 at 08:01

1 Answer

20

From my understanding, it's impossible to do this with keytool alone. I use openssl for preparation.

Suppose the key is in a file key and the certificate is in a file cert. You have to create a PKCS12 file that contains both (because keytool can handle PKCS12 and JKS, and I don't know whether it handles anything else):

openssl pkcs12 -inkey key -in cert -export -out keys.pkcs12

Now you can import that into a keystore:

keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore mykeystore

This approach worked for me where everything else failed.

musiKk
  • 14,751
  • 4
  • 55
  • 82
  • 2
    To list the whole chain in the keystore's private-key-entry, you can cat together several .pem files of the certificate chain, and add them to the pkcs-store using openssl's `-certfile` option. – Andy Oct 09 '12 at 12:12
  • 1
    This worked for me. However, I had to make sure to always use the same password; I thought I could write and read the PKCS12 with a temporary password, and only give the *real* one for the output of `keytool`, but that created a keystore where keystore and key had different passwords, which apparently is very bad (http://joewlarson.com/blog/2009/03/25/java-ssl-use-the-same-password-for-keystore-and-key/). – Blaisorblade May 11 '15 at 18:41
  • 1
    @musiKk's solution worked for me with a minor change: while creating the PKCS12 file, set the password; otherwise there will be an error for the later keytool command. openssl pkcs12 -inkey key -in cert -export -out keys.pkcs12 -passout pass:yourpasswd – Jianbo Zhu Aug 20 '16 at 03:13
  • I have an intermediate certificate and a root certificate, please which one should I use? – Soufiane Roui Dec 12 '22 at 21:14
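The two steps of the answer as one script, added here as an example that is not part of the answer or of its comments. It generates its own constructed test key and certificates with openssl, so it runs offline; the file names, the alias `bankclient` and the password `changeit` are assumptions. Before packaging it checks that the certificate really belongs to the private key (the check behind the asker's "No certificate matches private key"), sets the PKCS12 password up front as Jianbo Zhu's comment recommends and reuses it for the keystore as Blaisorblade's comment recommends, and imports bank.cer as a separate trustedCertEntry rather than pairing it with a key it does not belong to.

```shell
#!/bin/sh
# Added example, not the answer's own script. Package a PEM private key with its
# matching certificate into PKCS12 via openssl, verify the pair first, then import
# with keytool and add the bank's certificate as a separate trusted entry.
# WORK dir, alias "bankclient" and password "changeit" are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"   # one password for store and key, as the comments advise

# Constructed test material: a client key with its own self-signed certificate,
# and an unrelated self-signed "bank" certificate standing in for bank.cer.
# In real use privateKey.pem and the certificate issued for that key replace these.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=client-test" -keyout "$WORK/key" -out "$WORK/cert" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=bank-test" -keyout "$WORK/bank.key" -out "$WORK/bank.cer" >/dev/null 2>&1
}

# Succeeds only if the certificate's public key is the one derived from the
# private key; this is what openssl checks before it will build the PKCS12.
key_matches_cert() {
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  cert_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Step 1 of the answer: PKCS12 holding key + cert, password given up front.
# Add "-certfile chain.pem" when intermediates must be part of the entry.
build_pkcs12() {
  key_matches_cert "$1" "$2" || { echo "key and certificate are not a pair" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -name bankclient \
    -out "$3" -passout "pass:$PASS"
  # sanity check: the store opens with that password
  openssl pkcs12 -in "$3" -passin "pass:$PASS" -noout
}

# Step 2 of the answer, then bank.cer as a trustedCertEntry under alias "bank".
# Returns 2 when keytool is not on PATH so the openssl part remains usable.
import_into_keystore() {
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$PASS" \
    -destkeystore "$2" -deststorepass "$PASS" -noprompt
  keytool -importcert -file "$3" -alias bank -keystore "$2" -storepass "$PASS" -noprompt
}

run_example() {
  make_test_material
  build_pkcs12 "$WORK/key" "$WORK/cert" "$WORK/keys.pkcs12"
  import_into_keystore "$WORK/keys.pkcs12" "$WORK/mykeystore" "$WORK/bank.cer" || [ $? -eq 2 ]
  # Negative check: the bank certificate is not the pair of the client key.
  ! key_matches_cert "$WORK/key" "$WORK/bank.cer"
}

run_example
echo "PKCS12 written to $WORK/keys.pkcs12"
```

The pairing check is the part worth keeping around: if it fails, the certificate you have was not issued for that private key, and no amount of keystore juggling will make signatures verify against it. If an older JDK's keytool rejects the file, OpenSSL 3's `openssl pkcs12 -export -legacy` writes the older encryption the old readers expect.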