
So, I am having trouble with LDAP. I have an integration test case that hopefully will work out, but it is currently running into LDAPS security issues with the SSL handshake.

I am able to connect to the LDAPS with Apache Directory Studio, and it has downloaded the keystore into a file "permanent.jks".

That's ok, but I want my integration test, which resides in Eclipse using a JRE, to be able to connect to the LDAP server using this keystore.

How can I take this keystore and import it into the JRE for its own use?

MetroidFan2002

3 Answers


Ok, so here was my process:

`keytool -list -v -keystore permanent.jks` - got me the alias.

`keytool -export -alias alias_name -file certificate_name -keystore permanent.jks` - got me the certificate to import.

Then I could import it with the keytool:

`keytool -import -alias alias_name -file certificate_name -keystore keystore_location`

As @Christian Bongiorno says the alias can't already exist in your keystore.

ChristiaanP
  • I got it working but with an amendment (if you would like to change your answer). In the import process, the part where you have "alias name" (BTW: not a great variable name with a space) has to be an alias that does not already exist in the destination store. If you don't specify the alias it defaults to "1" -- you can use step 1 to list aliases from your destination before installing – Christian Bongiorno Jul 03 '13 at 00:34
  • In the last step (importing), I got the error `keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect` even though I could successfully finish the previous step (exporting) with my password. Do you know why it is? – Thai Tran Aug 23 '14 at 23:33
  • @ThaiTran For future readers, when importing a cert make sure to use the target cert file's password, not the password used to create the cert in the first place. Also note that on many systems, the JDK is owned by root. If this is the case you need to execute the keytool -import command as root. – BRasmussen Aug 03 '17 at 17:25
  • For other future readers that were receiving the IOException, the default password for cacerts is 'changeit'. – Luke Aug 23 '17 at 20:26
  • Ok this really did work. However my "permanent.jks" contained like 5 different certificates. So after `keytool -list -v -keystore permanent.jks`, cmd + f "alias" to find all the aliases and export them one by one. And then after 5 separate .cer files I was able to add them to cacerts (also one by one, following the help here). Thanks! – kristjan reinhold Mar 21 '18 at 09:46
  • I'll just put a big warning on this solution, when you want to import any private key, the import command will only import the public part – Mattew Eon Jul 15 '20 at 13:37
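The list/export/import steps above, carried through for a source keystore that holds several certificates (the case kristjan reinhold's comment describes), as an added shell script that is not part of any answer on this page. It assumes `keytool` is on PATH and treats the file names and passwords as placeholders; aliases already present in the target are skipped rather than failing the run.

```shell
#!/bin/sh
# Copy every certificate from a source keystore into a target truststore,
# one alias at a time, skipping aliases the target already holds.
# Assumes keytool is on PATH; file names and passwords are placeholders.

# Extract alias names from `keytool -list -v` output, which prints
# one "Alias name: <name>" line per entry (read from stdin).
list_aliases() {
    sed -n 's/^Alias name: //p'
}

# Exit 0 when ALIAS is already present in KEYSTORE (keytool -list fails otherwise).
alias_exists() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# import_all_certs SRC_KS SRC_PASS DEST_KS DEST_PASS
# Only the certificate (public part) of each entry is copied; a private key
# never leaves the source store. Returns nonzero if any import failed.
import_all_certs() {
    src=$1; srcpass=$2; dest=$3; destpass=$4; rc=0
    work=$(mktemp -d) || return 1
    keytool -list -v -keystore "$src" -storepass "$srcpass" \
        | list_aliases > "$work/aliases"
    # Read from a file rather than a pipe so rc survives the loop (no subshell).
    while IFS= read -r alias; do
        if alias_exists "$dest" "$destpass" "$alias"; then
            echo "skipped $alias: already in $dest"
            continue
        fi
        # -rfc writes PEM, which -importcert accepts; -noprompt skips the
        # interactive "Trust this certificate?" question.
        if keytool -exportcert -rfc -alias "$alias" -keystore "$src" \
               -storepass "$srcpass" -file "$work/cert.pem" >/dev/null 2>&1 \
           && keytool -importcert -noprompt -alias "$alias" -keystore "$dest" \
               -storepass "$destpass" -file "$work/cert.pem" >/dev/null 2>&1; then
            echo "imported $alias"
        else
            echo "FAILED $alias" >&2; rc=1
        fi
    done < "$work/aliases"
    rm -rf "$work"
    return $rc
}

# Example: permanent.jks -> the JRE truststore (default password "changeit").
# import_all_certs permanent.jks changeit "$JAVA_HOME/lib/security/cacerts" changeit
```

Run it against a copy of `cacerts` first; on systems where the JDK is owned by root the final import needs root, as BRasmussen's comment notes.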

You can bulk import all aliases from one keystore to another:

`keytool -importkeystore -srckeystore source.jks -destkeystore dest.jks`

qwertzguy

To load a KeyStore, you'll need to tell it the type of keystore it is (probably jceks), provide an inputstream, and a password. Then, you can load it like so:

```java
KeyStore ks = KeyStore.getInstance(TYPE_OF_KEYSTORE); // e.g. "JKS", "JCEKS" or "PKCS12"
try (FileInputStream in = new FileInputStream(PATH_TO_KEYSTORE)) {
    ks.load(in, PASSWORD); // PASSWORD is a char[]; load() does not accept a String
}
```

This can throw a KeyStoreException, so you can surround it in a try block if you like, or re-throw. Keep in mind a keystore can contain multiple keys, so you'll need to look up your key with an alias. Here's an example with a symmetric key:

```java
KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) ks.getEntry(
        SOME_ALIAS, new KeyStore.PasswordProtection(SOME_PASSWORD)); // SOME_PASSWORD is a char[]
SecretKey someKey = entry.getSecretKey();
```
Paul Sanwald
  • You saved my life. Was not loading the keystore properly, until I came to your example. Pity that I can not give you 10000 points for that. Thank you very much!! – raspayu Nov 11 '13 at 10:42
  • glad to help! your thanks is worth more than a few points :). – Paul Sanwald Nov 11 '13 at 18:41
  • Hi bro, your code worked well with SHA1RSA; could you help to load a KeyStore SHA256RSA? It says "Invalid keystore format". – Hoang Tran Jun 28 '18 at 02:03
  • The method load(InputStream, char[]) in the type KeyStore is not applicable for the arguments (FileInputStream, String) – ChanGan Dec 31 '20 at 14:11
  • I am passing this key store file via JVM arg `-Djavax.net.ssl.keyStore` How can I load it? Do I still need to use the key path here `ks.load(new FileInputStream(PATH_TO_KEYSTORE), PASSWORD);`. if I still need to use this path, what is the point of this JVM arg? – Samet Baskıcı Aug 29 '22 at 08:38