This is about the Java keytool.
To import a certificate and its associated key, the pair needs to be in PKCS#12 format. From an OpenSSL key & certificate:
Just ensure that the PKCS#12 export password is the same as the keystore password. This helps because e.g. Tomcat does not have two separate options for keystore and key password; instead it assumes both are the same.
DO NOT use a blank export password; keytool will error out with a division by zero when importing.
Then import the pfx into the keystore:
If you imported one certificate but it wants a chain, create a p7b file first:
Then (re-)import the certificate reply:
Change key password in case it doesn't match keystore password:
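
The steps above as one set of shell functions, added here as an example and not taken from the original notes. File names, the alias and the `STOREPASS` / `OLDKEYPASS` environment variables are assumptions; passwords go through the environment instead of the command line.

```shell
# Added example; file names, alias and variable names are constructed placeholders.
# STOREPASS must be exported: it is both the PKCS#12 export password and the
# keystore password, passed via the environment so it stays out of `ps` output.

require_pass() {
    [ -n "${STOREPASS:-}" ] || { echo "STOREPASS is blank; refusing" >&2; return 1; }
}

# Step 1: OpenSSL key + certificate -> PKCS#12 (.pfx)
make_pkcs12() {    # usage: make_pkcs12 key.pem cert.pem out.pfx alias
    require_pass || return 1
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name "$4" \
        -passout env:STOREPASS
}

# Step 2: PKCS#12 -> Java keystore, same password on both sides
import_pkcs12() {  # usage: import_pkcs12 in.pfx keystore
    require_pass || return 1
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -destkeystore "$2" -deststorepass:env STOREPASS
}

# Step 3: leaf + CA certificates -> PKCS#7 chain (.p7b), DER encoded
make_p7b() {       # usage: make_p7b out.p7b leaf.pem ca-chain.pem
    openssl crl2pkcs7 -nocrl -certfile "$2" -certfile "$3" -outform DER -out "$1"
}

# Step 4: import the chain as the certificate reply for the existing key entry
import_reply() {   # usage: import_reply chain.p7b keystore alias
    require_pass || return 1
    keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
        -keystore "$2" -storepass:env STOREPASS
}

# Step 5: set the key password to the keystore password. OLDKEYPASS holds the
# current key password. JKS/JCEKS only: keytool rejects -keypasswd on PKCS12 stores.
match_key_password() {  # usage: match_key_password keystore alias
    require_pass || return 1
    keytool -keypasswd -alias "$2" -keystore "$1" -storepass:env STOREPASS \
        -keypass:env OLDKEYPASS -new:env STOREPASS
}
```

Export `STOREPASS` before calling the functions, for example `export STOREPASS; make_pkcs12 server.key server.crt server.pfx tomcat`.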