How to import an existing X 509 certificate and private key in Java keystore to use in SSL

Question

I have this in an ActiveMQ config    lt sslContext gt           lt sslContext keyStore  file  home alex work amq broker ks     keyStorePassword  password  trustStore  file   activemq base  conf broker ts    trustStorePassword  password   gt   lt  sslContext gt    I have a pair of X 509 cert and a key file   How do I import those two in order to use them in SSL and SSL stomp connectors  All examples I could google always generate the key themselves  but I already have a key   I have tried  keytool -import  -keystore   broker ks -file mycert crt   but this only imports the certificate and not the key file and results in  2009-05-25 13 16 24 270  localhost 61612  ERROR TransportConnector - Could not accept connection   No available certificate or key corresponds to the SSL cipher suites which are enabled    I have tried concatenating the cert and the key but got the same result   How do I import the key

User · Answer

Yes  it s indeed a sad fact that keytool has no functionality to import a private key   For the record  at the end I went with the solution described here

User · Answer

in a case of Elliptic Curve and answer the question import an existing x509 certificate and private key in Java keystore  you may want to have a look also to this thread How to read EC Private key in java which is in  pem file format

User · Answer

Keytool in Java 6 does have this capability  Importing private keys into a Java keystore using keytool  Here are the basic details from that post    Convert the existing cert to a PKCS12 using OpenSSL  A password is required when asked or the 2nd step will complain   openssl pkcs12 -export -in  my certificate crt  -inkey  my key key  -out  keystore p12  -name  new alias  -CAfile  my ca bundle crt  -caname root  Convert the PKCS12 to a Java Keystore File   keytool -importkeystore -deststorepass  new keystore pass  -destkeypass  new key pass  -destkeystore  keystore jks  -srckeystore  keystore p12  -srcstoretype PKCS12 -srcstorepass  pass used in p12 keystore  -alias  alias used in p12 keystore

User · Answer

What I was trying to achieve was using already provided private key and certificate to sign message that was going someplace that needed to make sure that the message was coming from me  private keys sign while public keys encrypt    So if you already have a  key file and a  crt file   Try this   Step1  Convert the key and cert to  p12 file  openssl pkcs12 -export -in certificate crt -inkey privateKey key -name alias -out yourconvertedfile p12   Step 2  Import the key and create a  jsk file with a single command  keytool -importkeystore -deststorepass changeit -destkeystore keystore jks -srckeystore umeme p12 -srcstoretype PKCS12   Step 3  In your java   char   keyPassword    changeit  toCharArray     KeyStore keyStore   KeyStore getInstance  JKS    InputStream keyStoreData   new FileInputStream  keystore jks     keyStore load keyStoreData  keyPassword   KeyStore ProtectionParameter entryPassword   new KeyStore PasswordProtection keyPassword   KeyStore PrivateKeyEntry privateKeyEntry    KeyStore PrivateKeyEntry keyStore getEntry  alias   entryPassword    System out println privateKeyEntry toString       If you need to sign some string using this key do the following   Step 1  Convert the text you want to encrypt  byte   data    test  getBytes  UTF8      Step 2  Get base64 encoded private key  keyStore load keyStoreData  keyPassword      get cert  pubkey and private key from the store by alias Certificate cert   keyStore getCertificate  localhost    PublicKey publicKey   cert getPublicKey    KeyPair keyPair   new KeyPair publicKey   PrivateKey  key      sign with this alg Signature sig   Signature getInstance  SHA1WithRSA    sig initSign keyPair getPrivate     sig update data   byte   signatureBytes   sig sign    System out println  Signature     Base64 getEncoder   encodeToString signatureBytes     sig initVerify keyPair getPublic     sig update data    System out println sig verify signatureBytes      References    How to import an existing x509 certificate and private key in Java keystore to use in SSL  http   tutorials jenkov com java-cryptography keystore html http   www java2s com Code Java Security RetrievingaKeyPairfromaKeyStore htm How to sign string with private key   Final program  public static void main String   args  throws Exception        byte   data    test  getBytes  UTF8            load keystore     char   keyPassword    changeit  toCharArray         KeyStore keyStore   KeyStore getInstance  JKS          System getProperty  user dir         lt  for a file in particular path      InputStream keyStoreData   new FileInputStream  keystore jks        keyStore load keyStoreData  keyPassword        Key key   keyStore getKey  localhost   keyPassword        Certificate cert   keyStore getCertificate  localhost         PublicKey publicKey   cert getPublicKey         KeyPair keyPair   new KeyPair publicKey   PrivateKey  key        Signature sig   Signature getInstance  SHA1WithRSA         sig initSign keyPair getPrivate         sig update data       byte   signatureBytes   sig sign        System out println  Signature     Base64 getEncoder   encodeToString signatureBytes         sig initVerify keyPair getPublic         sig update data        System out println sig verify signatureBytes

User · Answer

In my case I had a pem file which contained two certificates and an encrypted private key to be used in mutual SSL authentication  So my pem file looked like this   -----BEGIN CERTIFICATE-----     -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- Proc-Type  4 ENCRYPTED DEK-Info  DES-EDE3-CBC C8BF220FC76AA5F9     -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE-----     -----END CERTIFICATE-----   Here is what I did   Split the file into three separate files  so that each one contains just one entry   starting with  ---BEGIN    and ending with  ---END    lines  Lets assume we now have three files  cert1 pem cert2 pem and pkey pem  Convert pkey pem into DER format using openssl and the following syntax   openssl pkcs8 -topk8 -nocrypt -in pkey pem -inform PEM -out pkey der -outform DER  Note  that if the private key is encrypted you need to supply a password  obtain it from the supplier of the original pem file   to convert to DER format   openssl will ask you for the password like this   enter a pass phraze for pkey pem    If conversion is successful  you will get a new file called  pkey der   Create a new java key store and import the private key and the certificates   String keypass    password       this is a new password  you need to come up with to protect your java key store file String defaultalias    importkey   KeyStore ks   KeyStore getInstance  JKS    SUN        this section does not make much sense to me      but I will leave it intact as this is how it was in the original example I found on internet     ks load  null  keypass toCharArray     ks store  new FileOutputStream    mykeystore      keypass toCharArray     ks load  new FileInputStream    mykeystore        keypass toCharArray        end of section        read the key file from disk and create a PrivateKey  FileInputStream fis   new FileInputStream  pkey der    DataInputStream dis   new DataInputStream fis   byte   bytes   new byte dis available     dis readFully bytes   ByteArrayInputStream bais   new ByteArrayInputStream bytes    byte   key   new byte bais available     KeyFactory kf   KeyFactory getInstance  RSA    bais read key  0  bais available     bais close     PKCS8EncodedKeySpec keysp   new PKCS8EncodedKeySpec   key    PrivateKey ff   kf generatePrivate  keysp        read the certificates from the files and load them into the key store   Collection  col crt1   CertificateFactory getInstance  X509   generateCertificates new FileInputStream  cert1 pem     Collection  col crt2   CertificateFactory getInstance  X509   generateCertificates new FileInputStream  cert2 pem      Certificate crt1    Certificate  col crt1 iterator   next    Certificate crt2    Certificate  col crt2 iterator   next    Certificate   chain   new Certificate     crt1  crt2     String alias1     X509Certificate  crt1  getSubjectX500Principal   getName    String alias2     X509Certificate  crt2  getSubjectX500Principal   getName     ks setCertificateEntry alias1  crt1   ks setCertificateEntry alias2  crt2       store the private key ks setKeyEntry defaultalias  ff  keypass toCharArray    chain        save the key store to a file          ks store new FileOutputStream    mykeystore    keypass toCharArray        optional  Verify the content of your new key store   keytool -list -keystore mykeystore -storepass password     Keystore type  JKS Keystore provider  SUN      Your keystore contains 3 entries      cn     ou     o     Sep 2  2014  trustedCertEntry  Certificate   fingerprint  SHA1   2C B8           importkey  Sep 2  2014  PrivateKeyEntry  Certificate fingerprint    SHA1   9C B0           cn     o       Sep 2  2014  trustedCertEntry  Certificate fingerprint    SHA1   83 63         optional  Test your certificates and private key from your new key store against your SSL server    You may want to enable debugging as an VM option   -Djavax net debug all            char   passw    password  toCharArray            KeyStore ks   KeyStore getInstance  JKS    SUN            ks load new FileInputStream    mykeystore     passw             KeyManagerFactory kmf   KeyManagerFactory getInstance  SunX509            kmf init ks  passw            TrustManagerFactory tmf   TrustManagerFactory getInstance TrustManagerFactory getDefaultAlgorithm             tmf init ks           TrustManager   tm   tmf getTrustManagers             SSLContext sclx   SSLContext getInstance  TLS            sclx init  kmf getKeyManagers    tm  null            SSLSocketFactory factory   sclx getSocketFactory            SSLSocket socket    SSLSocket  factory createSocket   192 168 1 111   443            socket startHandshake               if no exceptions are thrown in the startHandshake method  then everything is fine     Finally register your certificates with    HttpsURLConnection if plan to use it           char   passw    password  toCharArray            KeyStore ks   KeyStore getInstance  JKS    SUN            ks load new FileInputStream    mykeystore     passw             KeyManagerFactory kmf   KeyManagerFactory getInstance  SunX509            kmf init ks  passw            TrustManagerFactory tmf   TrustManagerFactory getInstance TrustManagerFactory getDefaultAlgorithm             tmf init ks           TrustManager   tm   tmf getTrustManagers             SSLContext sclx   SSLContext getInstance  TLS            sclx init  kmf getKeyManagers    tm  null            HostnameVerifier hv   new HostnameVerifier                         public boolean verify String urlHostName  SSLSession session                                if   urlHostName equalsIgnoreCase session getPeerHost                                           System out println  Warning  URL host      urlHostName      is different to SSLSession host      session getPeerHost                                              return true                                    HttpsURLConnection setDefaultSSLSocketFactory  sclx getSocketFactory              HttpsURLConnection setDefaultHostnameVerifier hv

User · Answer

Believe or not  keytool does not provide such basic functionality like importing private key to keystore  You can try this workaround with merging PKSC12 file with private key to a keystore  keytool -importkeystore     -deststorepass storepassword     -destkeypass keypassword     -destkeystore my-keystore jks     -srckeystore cert-and-key p12     -srcstoretype PKCS12     -srcstorepass p12password     -alias 1  Or just use more user-friendly KeyMan from IBM for keystore handling instead of keytool

User · Answer

Previous answers point out correctly that you can only do this with the standard JDK tools by converting the JKS file into PKCS  12 format first   If you re interested  I put together a compact utility to import OpenSSL-derived keys into a JKS-formatted keystore without having to convert the keystore to PKCS  12 first  http   commandlinefanatic com cgi-bin showarticle cgi article art049  You would use the linked utility like this     openssl req -x509 -newkey rsa 2048 -keyout localhost key -out localhost csr -subj   CN localhost     sign the CSR  get back localhost cer     openssl rsa -in localhost key -out localhost rsa Enter pass phrase for localhost key  writing RSA key   java -classpath   KeyImport -keyFile localhost rsa -alias localhost -certificateFile localhost cer -keystore localhost jks -keystorePassword changeit -keystoreType JKS -keyPassword changeit

User · Answer

Using Let s Encrypt certificates Assuming you ve created your certificates and private keys with Let s Encrypt in  etc letsencrypt live you com  1  Create a PKCS  12 file openssl pkcs12 -export -in fullchain pem -inkey privkey pem -out pkcs p12           -name letsencrypt  This combines your SSL certificate fullchain pem and your private key privkey pem into a single file  pkcs p12  You ll be prompted for a password for pkcs p12  The export option specifies that a PKCS  12 file will be created rather than parsed  according to the manual   2  Create the Java keystore keytool -importkeystore -destkeystore keystore jks -srckeystore pkcs p12           -srcstoretype PKCS12 -alias letsencrypt  If keystore jks doesn t exist  it will be created containing the pkcs 12 file created above  Otherwise  you ll import pkcs 12 into the existing keystore   These instructions are derived from the post  quot Create a Java Keystore   JKS  from Let s Encrypt Certificates quot  on this blog  Here s more on the different kind of files in  etc letsencrypt live you com

User · Answer

I used the following two steps which I found in the comments posts linked in the other answers   Step one  Convert the x 509 cert and key to a pkcs12 file  openssl pkcs12 -export -in server crt -inkey server key                  -out server p12 -name  some-alias                   -CAfile ca crt -caname root   Note  Make sure you put a password on the pkcs12 file - otherwise you ll get a null pointer exception when you try to import it   In case anyone else had this headache    Thanks  jocull    Note 2  You might want to add the -chain option to preserve the full certificate chain   Thanks Mafuba   Step two  Convert the pkcs12 file to a Java keystore  keytool -importkeystore           -deststorepass  changeit  -destkeypass  changeit  -destkeystore server keystore           -srckeystore server p12 -srcstoretype PKCS12 -srcstorepass some-password           -alias  some-alias    Finished  OPTIONAL Step zero  Create self-signed certificate  openssl genrsa -out server key 2048 openssl req -new -out server csr -key server key openssl x509 -req -days 365 -in server csr -signkey server key -out server crt   Cheers

User · Answer

Based on the answers above  here is how to create a brand new keystore for your java based web server  out of an independently created Comodo cert and private key using keytool  requires JDK 1 6     Issue this command and at the password prompt enter somepass -  server crt  is your server s cert and  server key  is the private key you used for issuing the CSR  openssl pkcs12 -export -in server crt -inkey server key -out server p12 -name www yourdomain com -CAfile AddTrustExternalCARoot crt -caname  AddTrust External CA Root  Then use keytool to convert the p12 keystore into a jks keystore  keytool -importkeystore -deststorepass somepass -destkeypass somepass -destkeystore keystore jks -srckeystore server p12 -srcstoretype PKCS12 -srcstorepass somepass   Then import the other two root intermediate certs you received from Comodo    Import COMODORSAAddTrustCA crt  keytool -import -trustcacerts -alias cert1 -file COMODORSAAddTrustCA crt -keystore keystore jks     Import COMODORSADomainValidationSecureServerCA crt  keytool -import -trustcacerts -alias cert2 -file COMODORSADomainValidationSecureServerCA crt -keystore keystore jks

User · Answer

You can use these steps to import the key to an existing keystore  The instructions are combined from answers in this thread and other sites  These instructions worked for me  the java keystore       Run    openssl pkcs12 -export -in yourserver crt -inkey yourkey key -out server p12 -name somename -certfile yourca crt -caname root   If required put the -chain option  Putting that failed for me   This will ask for the password - you must give the correct password else you will get an error  heading error or padding error etc       It will ask you to enter a new password - you must enter a password here - enter anything but remember it   Let us assume you enter Aragorn     This will create the server p12 file in the pkcs format    Now to import it into the   jks file run   keytool -importkeystore -srckeystore server p12 -srcstoretype PKCS12 -destkeystore yourexistingjavakeystore jks -deststoretype JKS -deststorepass existingjavastorepassword -destkeypass existingjavastorepassword   Very important  - do not leave out the deststorepass and the destkeypass parameters     It will ask you for the src key store password  Enter Aragorn and hit enter  The certificate and key is now imported into your existing java keystore

User · Answer

If you have a PEM file  e g  server pem  containing    the trusted certificate the private key   then you can import the certificate and key into a JKS keystore like this   1  Copy the private key from the PEM file into an ascii file  e g  server key   2  Copy the cert from the PEM file into an ascii file  e g  server crt   3  Export the cert and key into a PKCS12 file     openssl pkcs12 -export -in server crt -inkey server key                    -out server p12 -name  some-alias  -CAfile server pem -caname root    the PEM file can be used as the argument to the -CAfile option  you are prompted for an  export  password  if doing this in git bash then add winpty to the start of the command so the export password can be entered    4  Convert the PKCS12 file to a JKS keystore     keytool -importkeystore -deststorepass changeit -destkeypass changeit             -destkeystore keystore jks  -srckeystore server p12 -srcstoretype PKCS12             -srcstorepass changeit    the srcstorepass password should match the export password from step 3

User · Answer

First convert to p12   openssl pkcs12 -export -in  filename-certificate  -inkey  filename-key  -name  host  -out  filename-new-PKCS-12 p12    Create new JKS from p12   keytool -importkeystore -deststorepass  password  -destkeystore  filename-new-keystore jks  -srckeystore  filename-new-PKCS-12 p12  -srcstoretype PKCS12

User · Answer

And one more      bin bash    We have      1   KEY   Secret key in PEM format   -----BEGIN RSA PRIVATE KEY-----      2   LEAFCERT   Certificate for secret key obtained from some      certification outfit  also in PEM format   -----BEGIN CERTIFICATE-----        3   CHAINCERT   Intermediate certificate linking  LEAFCERT to a trusted      Self-Signed Root CA Certificate      We want to create a fresh Java  keystore   TARGET KEYSTORE with the   password  TARGET STOREPW  to be used by Tomcat for HTTPS Connector      The keystore must contain   KEY   LEAFCERT   CHAINCERT   The Self-Signed Root CA Certificate is obtained by Tomcat from the   JDK s truststore in  etc pki java cacerts    The non-APR HTTPS connector  APR uses OpenSSL-like configuration  much   easier than this  in server xml looks like this     See  https   tomcat apache org tomcat-6 0-doc ssl-howto html         lt Connector port  8443  protocol  org apache coyote http11 Http11Protocol                   SSLEnabled  true                   maxThreads  150  scheme  https  secure  true                   clientAuth  false  sslProtocol  TLS                   keystoreFile   etc tomcat6 etl-web keystore jks                   keystorePass  changeit    gt       Let s roll       TARGET KEYSTORE  etc tomcat6 foo-server keystore jks TARGET STOREPW changeit  TLS  etc pki tls  KEY  TLS private httpd foo-server example com key LEAFCERT  TLS certs httpd foo-server example com pem CHAINCERT  TLS certs httpd chain cert pem    ----   Create PKCS 12 file to import using keytool later   ----    From https   www sslshopper com ssl-converter html    The PKCS 12 or PFX format is a binary format for storing the server certificate    any intermediate certificates  and the private key in one encryptable file  PFX   files usually have extensions such as  pfx and  p12  PFX files are typically used    on Windows machines to import and export certificates and private keys   TMPPW      Some random password  PKCS12FILE  mktemp   if          0     then   echo  Creation of temporary PKCS12 file failed -- exiting   gt  amp 2  exit 1 fi  TRANSITFILE  mktemp   if          0     then   echo  Creation of temporary transit file failed -- exiting   gt  amp 2  exit 1 fi  cat   KEY    LEAFCERT   gt    TRANSITFILE   openssl pkcs12 -export -passout  pass  TMPPW  -in   TRANSITFILE  -name etl-web  gt    PKCS12FILE    bin rm   TRANSITFILE     Print out result for fun  Bug in doc  I think    -pass   arg does not work  need  -passin   openssl pkcs12 -passin  pass  TMPPW  -passout  pass  TMPPW  -in   PKCS12FILE  -info    ----   Import contents of PKCS12FILE into a Java keystore  WTF  Sun  what were you thinking    ----  if    -f   TARGET KEYSTORE      then    bin rm   TARGET KEYSTORE  fi  keytool -importkeystore      -deststorepass    TARGET STOREPW       -destkeypass      TARGET STOREPW       -destkeystore     TARGET KEYSTORE       -srckeystore      PKCS12FILE       -srcstoretype  PKCS12      -srcstorepass    TMPPW       -alias foo-the-server   bin rm   PKCS12FILE     ----   Import the chain certificate  This works empirically  it is not at all clear from the doc whether this is correct   ----  echo  Importing chain   TT -trustcacerts  keytool -import  TT -storepass   TARGET STOREPW  -file   CHAINCERT  -keystore   TARGET KEYSTORE  -alias chain    ----   Print contents   ----  echo  Listing result   keytool -list -storepass   TARGET STOREPW  -keystore   TARGET KEYSTORE

User · Answer

Just make a PKCS12 keystore  Java can use it directly now  In fact  if you list a Java-style keystore  keytool itself alerts you to the fact that PKCS12 is now the preferred format   openssl pkcs12 -export -in server crt -inkey server key                  -out server p12 -name  some-alias                   -CAfile ca crt -caname root -chain   You should have received all three files  server crt  server key  ca crt  from your certificate provider  I am not sure what  -caname root  actually means  but it seems to have to be specified that way   In the Java code  make sure to specify the right keystore type   KeyStore getInstance  PKCS12     I got my comodo com-issued SSL certificate working fine in NanoHTTPD this way

[java] How to import an existing X.509 certificate and private key in Java keystore to use in SSL?

Examples related to java

Examples related to ssl

Examples related to jms

Examples related to activemq

Examples related to jks