Prerequisites:

– a private key in PEM format and its passphrase;
– a certificate in PEM format signed by the authority;
– any authority certificates (the chain) in PEM format.

This post describes how to create a Java keystore starting from the prerequisite PEM files.
Let’s assume you have a private key (key.pem) and a certificate (cert.pem), both in PEM format as the file names suggest.
PEM format is “kind-of-human-readable” and looks like this, for example:

-----BEGIN CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
.
. (snip)
.
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
-----END CERTIFICATE-----

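Convert both the key (key.pem) and the certificate (cert.pem) into DER format using openssl. The -nocrypt option writes the private key to key.der without encryption, so keep that file protected and delete it once the import is done: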

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Now we need to import these files into a new JKS keystore. We use a Java class, ImportKey, downloadable from http://www.agentbob.info/agentbob/80.html

We compile it with Java 1.5+:
javac ImportKey.java

Now we can run ImportKey.class like this:

java ImportKey key.der cert.der

Using keystore-file : /home/user/keystore.ImportKey
One certificate, no chain.
Key and certificate stored.
Alias:importkey Password:importkey

Now we have a proper JKS containing our private key and certificate in a file called keystore.ImportKey, using ‘importkey’ as both the alias and the password. For any further changes, like changing the password, we can use keytool.

Now we can import our certificate chain into the keystore.
To do this we need to create a PEM file containing our certificate (cert.pem) followed by the other authority certificates of the chain, all appended into one file that we call cert_all.pem.

So we obtain a file composed as follows:

-----BEGIN CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
.
. (snip)
.
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
-----END CERTIFICATE-----
-----BEGIN PRIMARY INTERMEDIATE CA CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
.
. (snip)
.
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
-----END PRIMARY INTERMEDIATE CA CERTIFICATE-----
-----BEGIN SECONDARY SSL INTERMEDIATE CA CERTIFICATE-----
Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN
.
. (snip)
.
9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk=
-----END SECONDARY SSL INTERMEDIATE CA CERTIFICATE-----

If our certificate has been issued by Verisign, we can obtain the last two certificates at the following address:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1735

Now we can import cert_all.pem into the keystore with the Java keytool:

keytool -import -alias importkey -keystore keystore.ImportKey -trustcacerts -file cert_all.pem

We can verify that the import went well with:

keytool -list -v -keystore keystore.ImportKey
Enter keystore password: XXXXXXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: importkey
Creation date: Mar 30, 2007
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=xxx, OU=zzz, O="yyy", L=ddd, ST=vvv, C=EN
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 7xb49f71c05xxx402h77f841fa72fad2a2f
Valid from: Thu Jul 06 02:00:00 CEST 2006 until: Thu Aug 02 01:59:59 CEST 2007
Certificate fingerprints:

Certificate[2]:
Owner: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 2ad667e4e45fe4e576f3c98695eddc0

Now, for security, we can change the keystore password, since ‘importkey’ is the fixed default set by ImportKey:

keytool -storepasswd -new myNewPass -keystore keystore.ImportKey -storepass importkey

and change the password of the alias:

keytool -keypasswd -alias importkey -keystore keystore.ImportKey
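
The import steps above (key, certificate and chain) can also be done in one pass with the standard java.security.KeyStore API, checking the chain before anything is stored. This is an added example, not the ImportKey class linked above and not code from the original post; the class name PemChainToJks is hypothetical, and it assumes an RSA key, Java 7 or later, and a cert_all.pem whose certificates are ordered leaf first.

```java
import java.io.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Collection;

// Added example (hypothetical class), not the ImportKey class linked above.
// Usage: java PemChainToJks key.der cert_all.pem keystore.jks importkey
public class PemChainToJks {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) throw new IllegalArgumentException("need: key.der chain.pem out.jks alias");
        // key.der: unencrypted PKCS#8 from "openssl pkcs8 -topk8 -nocrypt" (assumption: RSA key).
        RSAPrivateKey key = (RSAPrivateKey) KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(Paths.get(args[0]))));
        // Read every certificate in the file: leaf first, then the intermediates in order.
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(args[1])) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        if (certs.isEmpty()) throw new IllegalArgumentException("no certificate found in " + args[1]);
        Certificate[] chain = certs.toArray(new Certificate[0]);
        // The private key must belong to the leaf certificate.
        RSAPublicKey leaf = (RSAPublicKey) chain[0].getPublicKey();
        if (!leaf.getModulus().equals(key.getModulus()))
            throw new IllegalStateException("private key does not match the first certificate");
        // Each certificate must be signed by the next one; verify() throws if it is not.
        for (int i = 0; i + 1 < chain.length; i++) chain[i].verify(chain[i + 1].getPublicKey());
        // Ask for the password interactively instead of using a fixed, published one.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        char[] pass = console.readPassword("New keystore password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty keystore
        ks.setKeyEntry(args[3], key, pass, chain); // same password for the key and the store
        try (OutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, pass);
        }
        Arrays.fill(pass, '\0'); // do not leave the password in memory longer than needed
        System.out.println("Stored key and " + chain.length + " certificate(s) under alias " + args[3]);
    }
}
```

The result can be checked with the same keytool -list -v command shown earlier.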

Enjoy your new Java keystore 🙂
