2013/01/23

Importing Key and Certificate into Java Keystore

For whatever reason I had a hell of a time trying to import the key and certificate from a third party CA into a Java keystore (JKS) that was used by a java web application.  I just kept finding incorrect steps on how to do it and then after about 3 days of monkeying around with it I finally found what worked.  

The first step was to export the key and certificate into PKCS12 format (either .pfx or .p12 file extension).  The keytool treats the PKCS12 file as a keystore.  If you are using Tomcat or some other Java application server you can actually use the file as a keystore without importing it into a JKS. The keytool gives you the ability to merge keystores which is what I ended up doing.  After several attempts the below command was what I ended up with.

keytool -importkeystore -destkeystore /certs/my.javakeystore -srckeystore certAndKey.p12  -srcstoretype PKCS12

I tried several times with the -alias option and it kept failing giving this error:

keytool error: java.lang.Exception: Alias <alias1> does not exist

I found that the alias that is used initially is in the PKCS12 file.  If the alias you are using does not match up to the alias, which I am assuming is the internal or friendly name, then it will fail.  So if you leave the alias option off then it will import using the default alias that is sees in the PKCS12 file.  In my case it was identical to one I had in my keystore already and it let me change the alias name during the import process.

1 comment: