Generate a .jks keystore using .key and .crt files :
Notes :
The X.509 standard assumes a strict hierarchical system of certificate authorities (CAs) for issuing certificates: each certificate is signed by the CA above it, up to a self-signed root that the relying party must already trust. That is why the root CA certificate has to be imported into the keystore as well, further down.
Structure of a certificate :
The structure of an X.509 v3 digital certificate is as follows:
Certificate
    Version
    Serial Number
    Signature Algorithm ID
    Issuer
    Validity
        Not Before
        Not After
    Subject
    Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
    Issuer Unique Identifier (optional)
    Subject Unique Identifier (optional)
    Extensions (optional)
        …
Certificate Signature Algorithm
Certificate Signature
Issuer and subject unique identifiers were introduced in version 2 and extensions in version 3. Whatever the version, the serial number must be unique among all certificates issued by a given CA, so the pair (issuer, serial number) identifies one certificate.
Certificate filename extensions :
Common filename extensions for X.509 certificates are:
.pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”
.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
.p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
.p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g. with PFX files generated in IIS)
The .key file used in the steps below is not a certificate at all: it is the PEM-encoded private key. Everything else in this list is public, except the private keys inside a .p12/.pfx; a .key file must be protected like one of those.
PKCS#7 is a standard for signing or encrypting (officially called “enveloping”) data. Since the certificate is needed to verify signed data, it is possible to include certificates in the SignedData structure. A .p7c file is a degenerate SignedData structure, without any data to sign.
PKCS#12 evolved from the PFX (Personal inFormation eXchange) standard and is used to exchange public and private objects in a single file.
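The structure and the PEM/DER notes above, as an added worked example that is not code from the original post: a standard-library-only Python walker that splits a PEM bundle into its certificates, converts PEM to DER and back, reads version, serial number, issuer, validity, subject and the presence of extensions straight out of the DER in the order listed, and checks that a bundle is ordered leaf, intermediate(s), root by comparing each issuer with the next subject (the check a practitioner wants before importing a root CA into a keystore, and the chain question that comes up in the comments). Every function name is this example's own, and build_unsigned_cert produces constructed test data with a placeholder key and signature, so nothing it emits should ever be trusted or installed.

```python
"""Added example (not code from the original post): walk the X.509 structure
listed above with the standard library only. It splits a PEM bundle, converts
PEM <-> DER, reads the TBSCertificate fields out of the DER and checks that a
bundle is in leaf-to-root order (each issuer is the next subject)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def split_pem(text):
    """Return [(label, der_bytes)] for every BEGIN/END block in a PEM bundle."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def der_to_pem(der, label="CERTIFICATE"):
    """PEM is only Base64 of the DER in 64-column lines between BEGIN/END."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# --- DER (ASN.1 tag-length-value) primitives --------------------------------
def _read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, end). Handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) items."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _tlv(tag, value):
    """Encode one TLV; used only to build the constructed test certificates."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# --- Certificate fields, in the order of the structure above ----------------
def parse_certificate(der):
    """Return the Certificate / TBSCertificate fields as a dict. Names are kept
    as raw DER so chain checks can compare them byte for byte."""
    _, cert, _ = _read_tlv(der)
    (_, tbs), (_, sig_alg), (_, sig) = _children(cert)
    fields = _children(tbs)
    version = 1                            # v1 omits the [0] EXPLICIT version
    if fields[0][0] == 0xA0:
        version = int.from_bytes(_children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial, alg, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = (v.decode() for _, v in _children(validity[1]))
    return {"version": version,
            "serial": int.from_bytes(serial[1], "big", signed=True),
            "issuer": issuer[1], "subject": subject[1],
            "not_before": not_before, "not_after": not_after,
            "has_extensions": any(t == 0xA3 for t, _ in fields[6:]),
            "signature_bytes": len(sig) - 1}  # BIT STRING: byte 0 = unused bits

def common_name(name_der):
    """CN out of a raw DER Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == CN_OID:
                return value.decode()
    return None

def check_chain_order(ders):
    """True if the bundle is leaf first and root last: every certificate's
    issuer is byte-for-byte the subject of the one after it."""
    certs = [parse_certificate(d) for d in ders]
    return all(a["issuer"] == b["subject"] for a, b in zip(certs, certs[1:]))

# --- Constructed test data: real structure, dummy key and signature ---------
def build_unsigned_cert(subject_cn, issuer_cn, serial):
    """Syntactically valid X.509 v3 DER that will never verify cryptographically."""
    def name(cn):
        atv = _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))
        return _tlv(0x30, _tlv(0x31, atv))
    def integer(n):                        # leading 0x00 keeps it positive
        return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + b"\x05\x00")
    rsa_key = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D010101")) + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, rsa_key + _tlv(0x03, b"\x00" * 17))
    basic_constraints = _tlv(0x30, _tlv(0x06, bytes.fromhex("551D13")) + _tlv(0x04, b"\x30\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, integer(2)) + integer(serial) + sha256_rsa + name(issuer_cn)
               + validity + name(subject_cn) + spki + _tlv(0xA3, _tlv(0x30, basic_constraints)))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 33))
```

Because the Names are compared as raw DER rather than as decoded strings, the order check is strict: a chain whose intermediate was re-issued with a differently encoded subject (PrintableString versus UTF8String, for instance) is flagged, which is the conservative behaviour you want when deciding what goes into a production keystore. Run it as split_pem(open("certs.pem").read()) followed by check_chain_order on the DER list.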
Steps :
Tools such as F5 load balancers export the certificate and the key as .crt and .key files ( they use OpenSSL under the hood ).
Here .crt is the certificate signed by the CA and .key contains the private key.
Both files are already in PEM format.
– Save the content of each file with a .pem extension ( e.g. key.pem for the private key and cert.pem for the certificate ). Only the extension changes; the content is already PEM.
– Now convert each .pem file to DER.
Note : DER is a binary, non-readable encoding, whereas PEM is the Base64 form of the same DER data wrapped in human-readable BEGIN/END lines.
Note : Make sure OpenSSL is installed ( on Windows you can download it from : http://www.slproweb.com/products/Win32OpenSSL.html )
– Use the following commands to convert PEM to DER.
Command : openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER ( converts the PEM private key to an unencrypted PKCS#8 key in DER format; -nocrypt means key.der is written in clear, so delete it once the keystore has been built )
Command : openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER ( converts the signed certificate from PEM to DER )
– Now add the signed certificate and the private key to the keystore.
keytool has no command to import an existing private key together with its certificate: it can import certificates, or copy entries from another keystore ( keytool -importkeystore, available from JDK 6, which is why a PKCS#12 file built with openssl is the usual route today ). JKS itself is a legacy format; keytool defaults to PKCS#12 since JDK 9.
– Download and compile the Java code from the link below :
Link : http://www.agentbob.info/agentbob/80.html ( ImportKey.java )
Command : javac ImportKey.java
This program adds the private key and the certificate to a .jks keystore.
Default name of the keystore that will be created : keystore.ImportKey ( you can edit the code and change it to identity.jks )
Default password/passphrase for the keystore and the private key : importkey ( change it in the code before using the keystore for anything real )
Default alias given to the key entry : importkey
Once you have the .class file, run the command below to generate the keystore ( i.e. identity.jks ) :
Command : java ImportKey key.der cert.der ( the first argument is the key file and the second is the certificate, both in DER format )
Note : The keystore is not created in the current directory but in your home directory ( e.g. C:\Documents and Settings\CoolDragon\… )
– Now import your rootca.crt file into this keystore to complete the certificate chain :
Command : keytool -import -file rootca.crt -alias rootca -trustcacerts -keystore keystore.ImportKey -storepass importkey
– Now list the contents of the keystore to check that the chain is complete :
Command : keytool -v -list -keystore keystore.ImportKey -storepass importkey
identity.jks is now ready 🙂
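The whole procedure above done with current tooling, as an added example that is not part of the original post nor of F5's or Oracle's documentation: instead of converting to DER and compiling ImportKey.java, openssl packs key, certificate and chain into one password-protected PKCS#12 file, and keytool -importkeystore (JDK 6 and later) turns that into a JKS with the chain already attached to the key entry. It also adds the two checks a practitioner wants before importing anything: that the private key actually matches the certificate, and that the chain validates against the root. All file names, the alias mykey and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post, F5 or Oracle: build
# identity.jks from key.pem, cert.pem and the CA chain with openssl and
# keytool, replacing the DER conversion and ImportKey.java steps above.
# File names, the alias "mykey" and the password "changeit" are assumptions.
set -eu

# Check that the private key belongs to the certificate by comparing the
# SHA-256 digest of the public key taken from each side. Returns 0 on match.
# Usage: key_matches_cert key.pem cert.pem
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Verify that leaf -> intermediates -> root chains before importing anything;
# a keystore holding a broken chain only fails later, in a client handshake.
# Usage: verify_chain cert.pem rootca.crt [intermediates.pem]
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null
    else
        openssl verify -CAfile "$2" "$1" >/dev/null
    fi
}

# Pack key, leaf certificate and chain into one password-protected PKCS#12.
# Unlike "pkcs8 -nocrypt", the private key never touches disk in clear.
# Usage: build_pkcs12 key.pem cert.pem chain.pem alias out.p12 password
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$4" -out "$5" -passout "pass:$6"
}

# Convert the PKCS#12 to JKS: keytool -importkeystore (JDK 6 and later) copies
# the key entry together with its certificate chain under the same alias,
# which plain "keytool -import" cannot do.
# Usage: pkcs12_to_jks in.p12 out.jks password
pkcs12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$3"
}

# Number of certificates stored under an alias, i.e. the chain length the
# server will send (leaf + intermediates + root). Prints the count.
# Usage: chain_length_in_jks identity.jks password alias
chain_length_in_jks() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
        | grep -c '^Certificate\['
}

# Typical run, with the same assumed file names:
#   key_matches_cert key.pem cert.pem
#   verify_chain cert.pem rootca.crt intermediate.pem
#   build_pkcs12 key.pem cert.pem chain.pem mykey identity.p12 changeit
#   pkcs12_to_jks identity.p12 identity.jks changeit
#   chain_length_in_jks identity.jks changeit mykey
```

Most Java servers accept the .p12 file directly (with -storetype PKCS12 or the JDK 9+ default), so the JKS conversion is only needed for software that insists on .jks; either way the .p12 holds the private key and deserves the same file permissions and clean-up as key.pem.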
Thanks for the nice tutorial. I was having some issues importing a private key that was created using OpenSSL into a keystore format.
Comment by Yuva Kumar — February 3, 2011 @ 3:07 pm
[…] http://www.akadia.com/services/ssh_test_certificate.html https://wls4mscratch.wordpress.com/2010/06/19/generate-a-jks-keystore-using-key-and-crt-files/ http://shib.kuleuven.be/docs/ssl_commands.shtml http://www.agentbob.info/agentbob/79-AB.html […]
Pingback by Java, J2EE, analiza, modelowanie » Blog Archive » Generate self signed certificate for Jboss/Tomcat with openssl — September 27, 2011 @ 3:51 pm
Hi, nice article.
Is it possible to import a chain of certificates using this method?
Comment by victar — November 22, 2011 @ 8:09 pm
Yes, you should be able to import a cert chain as well.
Comment by streethawkz — November 22, 2011 @ 10:47 pm
Thank you for sharing this article. This was of great help for me.
Comment by Shradha — February 8, 2013 @ 2:00 pm
Try these steps.. it is much simpler 🙂
Below are the steps to import a crt and private key to a keystore :
1) Copy the crt contents from your email to a notepad and save this file with .pem extension.
Eg : cert.pem
Contents :
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDDCucMA0GCSqGSIb3DQEBCwUAMDwxCzAJBgNVBAYTAlVT
.
.
EMJj7aen/ouZThhszQ7lYbvCsQRQlGkKHR0byY4TBoq7kIG5nb64tXvQoP048G7o
Ghf+c+KmfOwUoLoXSzW9CnXgV0EY6MQ5pluL6wB5W6NHQ7Xf
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
.
.
knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
.
.
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
2) Copy the contents of private key from your email and save it into a notepad with .pem extension.
Eg : key.pem
Contents :
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAqm1GacPeZT/cb0Fn2/cF9tcZZZ/UOalrbSad8Qx7Dg467hee
.
.
US8hanaMxYSDY17u89OxSiJ70PnsArui47pF9GepaUaOgWn/IKM=
-----END RSA PRIVATE KEY-----
3) Run the following command ( -certfile is the certificate bundle from step 1, -keyfile the private key from step 2 ) :
java utils.ImportPrivateKey -keystore identity.jks -storepass password -keyfilepass password -certfile cert.pem -keyfile key.pem -alias mykey
Sample output :
d:\Oracle\Middleware1036\user_projects\domains\wild_card_certificate_domain\certificates>java utils.ImportPrivateKey -keystore identity.jks -storepass password -keyfile mykey -keyfilepass password -certfile cert.pem -keyfile key.pem -alias mykey
No password was specified for the key entry
Key file password will be used
Imported private key key.pem and certificate cert.pem
into a new keystore identity.jks of type jks under alias mykey
Comment by streethawkz — July 17, 2013 @ 1:55 am
Where can I get the rootca.crt file?
Comment by jai — June 21, 2018 @ 3:09 pm
[…] https://wls4mscratch.wordpress.com/2010/06/19/generate-a-jks-keystore-using-key-and-crt-files/ https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-jks-keystore-using-key-and-crt-files […]
Pingback by Rebind ‘Update’ Tomcat Keystore with a new Certificate | Learn-IT [Solve IT] — December 14, 2018 @ 2:40 am
[…] https://wls4mscratch.wordpress.com/2010/06/19/generate-a-jks-keystore-using-key-and-crt-files/ https://blogs.oracle.com/blogbypuneeth/steps-to-create-a-jks-keystore-using-key-and-crt-files […]
Pingback by Rebind ‘Update’ Tomcat Keystore with a new Certificate | TheColumnNG — February 19, 2019 @ 5:26 am