Create java keystore from private key and CA certificate bundle


I am new to configuring Jetty Server for SSL. I followed the steps from DigiCert and created a private key file and a Certificate Request (CSR) file.

I sent the Certificate Request to the CA and got my signed CSR back. But the CA sent me a bundle with two certificates: one is my certificate signed by the CA and the second is the CA certificate (1. star_xyx_abc_com crt file, 2. DigiCertCA crt file). Now I am having trouble creating a keystore from these files.

When I used keytool to create the keystore by following steps 4, 5 and 6 of the Oracle docs, I got this error:

keytool error: java.lang.Exception: Certificate not imported, alias already exists. 

When I used openssl to create a PKCS12, I got the following error:

Loading 'screen' into random state - done 
Error unable to get issuer certificate getting chain.

How can I generate a KeyStore from the private key file, my certificate signed by the CA, and the CA certificate?

3

There are 3 answers

1
madhu_karnati On BEST ANSWER

Here are the steps I followed to install the certificate.

1. Created a PKCS12 from three files (private key file, my cert, CA cert) using the OpenSSL tool.

openssl pkcs12 -export -out j2vproject.pkcs12 -inkey my_privatekeyfile.key -in star_xyz_abc.crt -certfile DigiCertCA.crt

2. Created a Java keystore from the PKCS12 using the keytool tool.

keytool -v -importkeystore -srckeystore j2vproject.pkcs12 -srcstoretype PKCS12  -destkeystore j2vprojectkeystore.jks -deststoretype JKS

3. Added this keystore to the server and it worked.

1
dave_thompson_085 On

Asides: you have a certificate signed by the CA, but a cert is not a signed CSR. Some data in the cert is the same as some data in the CSR, but not the whole thing. Plus I wonder why you followed the digicert instructions for Apache/OpenSSL instead of those for Tomcat/Java, which would be much simpler because Jetty also is Java.

Anyway: the instructions on that Oracle page only work if you generated the private key and CSR with Java keytool as described in steps 1,2,3. Moreover, steps 4 and 5+6 are alternatives; although the text is not as clear as it could be, you do one or the other, not both -- and only after doing 1,2,3.

Given where you are now, your only option is converting the OpenSSL files to pkcs12, and probably then using keytool to convert pkcs12 to JKS. (Java crypto itself can use a pkcs12 directly, but not all Java crypto apps can invoke this option, and I don't know if Jetty can.)

You say you tried this and give no details about what you did, but I'll guess that most likely the "Digicert CA" file you have is an intermediate CA not a root, and to get a complete chain you need to add the root. (A complete chain isn't actually required for the pkcs12 format, and thus the openssl pkcs12 subcommand, but is highly desirable for SSL/TLS such as Jetty and thus you should do it.)

First check what your (immediate) CA is and what DigicertCA.crt is with

 openssl x509 -in $yourcert.crt -noout -issuer 
 openssl x509 -in DigicertCA.crt -noout -subject -issuer

If the issuer of your cert matches the subject of DigicertCA, and they (both) include something like "intermediate CA" or "SSL CA", and the issuer of DigicertCA has a "CN" which is any of DigiCert Assured ID Root CA, DigiCert Global Root CA or DigiCert High Assurance EV Root CA, then you're in luck, as long as you (or anyone else) haven't deleted the digicert root(s) from the default cacerts in your Java (JRE) installation. Use keytool -exportcert to copy that digicert root from the matching entry in JRE/lib/security/cacerts into a file. Concatenate your private key, your cert, the intermediate "DigicertCA" cert, and the appropriate root cert into one file, and feed that to openssl pkcs12 -export [-name whatever] and direct the output to a file, giving a nonempty password.

(Other cases: If DigicertCA.crt actually is a root and matches the issuer of your cert, that would be very weird. If it's a root and doesn't match the issuer of your cert, you are missing the intermediate CA cert (or possibly even more than one); you should be able to get it (them) from Digicert. If it (DigicertCA.crt) matches the issuer of your cert and is not a root but its issuer isn't one of the roots named above, you'll need more certs for your chain but without more data I can't advise which.)

With a pkcs12 file, do

keytool -importkeystore -srckeystore p12file -srcstoretype pkcs12 -destkeystore newjksfile

0
Orden On

I tried to append both the CA certificate chain and the cacerts from the SSL distribution and use the result as the CA cert chain, and it worked!

cat yourCACert.crt /etc/ssl/certs/ca-certificates.crt > fullCAChain.crt

openssl pkcs12 -export -chain -CAfile fullCAChain.crt -in customercert.cer -inkey customercert.key -out customercert.keystore -name tomcat