How to add certificate chain to JKS

I have a certificate chain: cert.cer

with content:

subject= ... OU=MyCA
issuer= ... OU=MyCA

subject= ... OU=Client
issuer= .. OU=MyCA


I tried to add this chain to JKS by calling:

keytool -import -trustcacerts -file cert.cer -keystore sample.keystore -storepass 123456 -alias chain

which only adds the top level certificate OU = MyCA.

How do I correctly add this chaining to JavaKeyStore (JKS)?


source to share

2 answers

Ok, I followed your command to merge the PKCS7 formatted certificate:

openssl > crl2pkcs7 -nocrl -certfile a.crt -certfile b.crt -out outfile.p7b


He worked.   
Then I tried to import the PKCS # 7 file into the JKS file using the following command as you said:

keytool -import -trustcacerts -file outfile.p7b -keystore keystore1.jks -storepass 123456 -alias chain


It didn't work.
Then I did a little research and found that I needed a certificate chain in either Base64 or Der formatted file. I had a Base64 format file. So, I tried to execute the file using the following windows command:

copy /b a.crt+b.crt c.crt


The linux command would be:

cat a.crt b.crt > c.crt


So the output file looked like this:



Then tried to import the certificate chain into JKS using the above command. It worked. Then I try to see the list of certificates from the keystore. To do this, I ran the following command:

keytool -list -v -keystore keystore1.jks


But he said, "Only 1 record was found," and one certificate was shown. Since the keystore was not loaded with the complete certificate chain, the experiment failed.
So, I tried to convert PKCS # 7 file to certificate chain using the following openssl command:

pkcs7 -print_certs -in outfile.p7b -out certificates.cer


The output file looks exactly like yours, starts with dn topic and dn issuer followed by a header and footer. Then I tried to save the certificates from certificate.cer file to jks file 'keystore1.jks'. But again, after importing, it shows that the keystore only has one certificate. So issuer dn and subject dn weren't a problem.
Then I tried to convert the Base64 file to Der file and then I tried to execute the data:

openssl x509 -in a.crt -outform DER -out aa.crt
openssl x509 -in b.crt -outform DER -out bb.crt
copy /b aa.crt+bb.crt cc.crt


Then I tried to import said file into JKS. But again only one certificate was imported.

I was really thinking about what could be really wrong with what I am doing. So I searched the KeyTool source code and found a way to import the certificate or certificate chain.

Imports a JDK 1.1-style identity database. We can only store one certificate per identity, because we use the identity name as the alias (which references a keystore entry), and aliases must be unique.


And I'm surprised their code converts the input stream to Certificate List, but they only work with one certificate certificate (the first one).

if (certs!=null && certs.length>0) {
      // we can only store one user cert per identity.
      // convert old-style to new-style cert via the encoding
         DerOutputStream dos = new DerOutputStream()


Thus, there is nothing we can do to add multiple certificates at once. ... A policy is one certificate for one entry. So, if you have multiple login certificates, you must record them individually. Or write Java code to make our job easy (I always do this).
Sorry for taking this long. But hopefully this clears up your confusion entirely.



two types of entries in KeyStore of type JKS :

  • the PrivateKey record contains the private key and the certificate or certificate chain for that private key

  • the TrustedCert record contains exactly one certificate, not a privatekey

The general KeyStore interface allows for a third entry type for SecretKey, but it is not supported by JKS, only much less used JCEKS, and I believe the BouncyCastle format.

I found your other question that explains why you don't want to write the private key correctly ... ... However, most of the instructions you'll find for keytool, etc. involve binding a chain (usually returned from a CA) to a private key, and obscure the fact that you cannot store a certificate chain as a single entry without a private key.

So yes, you have to enter each certificate separately . However, this does not necessarily mean that you have to obtain each certificate separately. CertPathBuilder exists specifically to retrieve from a trusted store such as (but not limited to) JKS all certificates that form a valid chain. Unfortunately, the bells and whistles required for CertPathBuilder (and in particular PKIX) to work properly for SSL / TLS make it rather clunky to use in simpler applications, so you might prefer to just get certificates.

Consolidated PEM certificates for PS run where chaining is allowed (with private key only), but the example you are showing is not valid. Lines -----BEGIN

and -----END

should be separate lines, NOT run together like yours.



All Articles