How to extract CA Certificate from .pfx file and add it to a trust store file


I have a .pfx file that has multiple certificates, one of them is the signing CA certificate of a server certificate assigned to the IBM i Remote Command Server in DCM.

I managed to use openssl and certutil to display the content of such a certificate, as follows:

openssl x509 -passin pass:<password> -text -noout -in filename.pfx
openssl pkcs12 -in filename.pfx -passin pass:<password> -info -nokeys
certutil -v -dump DEVP20.pfx

All the above are working fine and displaying content, but the problem is that I don't know how to analyze such output.

Also, keytool is reporting that there are no entries in the keystore:

keytool -list -v -keystore filename.pfx
Enter keystore password: <enter-password>
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 0 entries

All I want is to create a new trust store or use an existing trust store such as jssecacerts to add the signing CA Certificate to the trust store.

Note that in the output of the different commands above I see multiple certificates. I am not sure if they are part of the chain or related, and by checking the alias or friendly name, I can tell which one I want.

The objective is to be able to use the class SecureAS400 from IBM Toolbox for Java to open a secure connection to the IBM i and invoke a command. So we have to load the trust store with the JVM.

I appreciate your help.

2

There are 2 answers

8
Yan (best answer)

First, you have to extract the CA certificate from the .pfx file using openssl:
openssl pkcs12 -in filename.pfx -passin pass:<password> -info -nokeys > test.pem
Double-check that the extraction worked:
openssl x509 -in test.pem -noout -text

Then either create new JKS using the key tool:
keytool -import -trustcacerts -keystore test.jks -storepass choose-password -file test.pem -alias CANAME

Or you can import the certificate into the existing trust store:
keytool -import -keystore cacerts -storepass changeit -file test.pem -alias CANAME -storetype JKS

Usually you would use openssl to interact with most certificate file formats and keytool with Java key stores (JKS) only.

==============
Update
PKCS12 is an archive file format for storing private keys and X.509 certificates with filename extensions .p12 or .pfx. To be able to work with .pfx files you would use the openssl pkcs12 command. I am guessing the x509 command returns the first certificate it finds. PKCS12 wiki

keytool manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates. I think it only works with Java keystores, .jks or .bcfks (Bouncy Castle FIPS keystore), etc. I think you might actually be able to import certificates directly from a .pfx file into a Java keystore using keytool.

keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS

That could also import the private key if it's in the .pfx file but I am not sure.

Hope that helps.

0
tarekahf

Thanks to @Yan and @dave_thompson_085 for the answer and info provided.

Finally, we found out that the provided PFX file wasn't necessary. There was a .cer file that had the certificate chain to be trusted. I used this new .cer file and picked a cacerts file from the JRE security library, copied it, changed its name, and added the .cer file to the copy of the cacerts file. The justification is that we may need to trust some of the certificates that are shipped with the JRE, and this will save some time.

I used a desktop tool from "IBM i Client Access Solutions" called "Key Management" to import the .cer file into the copy of the cacerts file. Now I have a new .jks file to be used by the Java program that will use the class SecureAS400 to open a secured RPC connection to IBM i.


Some extra stuff for verification and clarification:

I used the .pem file extracted from the provided .pfx file as mentioned by @Yan... I imported the .pem file using keytool import into a copy of the cacerts file, so now I have, say, cacerts_a.jks.

I understood that this .pfx file has the root CA as well as the private key of the server certificate, and it looks like there is a certificate in the middle, so it has a total of 3 certificates.

Then, I understood that ... no... I have to use a new .cer file with the trust chain. I used this new .pem file and imported it into a copy of the cacerts file, and now I have, say, cacerts_b.jks.

I tried to compare the output of the following two commands:

>keytool -list -v -keystore cacerts_a.jks -storepass changeit | clip
>keytool -list -v -keystore cacerts_b.jks -storepass changeit | clip

I compared the output of the above two commands and found that there are significant differences between the .pem/.cer extracted from the .pfx file and the given .cer file with the trust chain. It seems to me that we shouldn't get the trust chain from the .pfx file that is meant to hold the server certificate.