William Shallum

keytool notes

Posted Oct 15 2012, 11:21 by William Shallum [updated Apr 16 2013, 23:43]

This is about the Java keytool.

To import a certificate together with its private key, both need to be in PKCS#12 format. From an OpenSSL key and certificate:

openssl pkcs12 -export -inkey private.key -in cert.pem -out pkcs12.pfx

Make sure the PKCS#12 export password is the same as the keystore password. This matters because e.g. Tomcat does not have two separate options for the keystore and key passwords; it assumes both are the same.

DO NOT use a blank export password: keytool will error out with a division by zero when importing it.

Then import the .pfx into the keystore:

keytool -importkeystore -srckeystore pkcs12.pfx -srcstoretype pkcs12 -destkeystore keystore.jks

If you imported a single certificate but a chain is required, create a .p7b file first:

openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile intermediate.pem [... more -certfiles ...] -out chain.p7b

Then (re-)import the certificate reply:

keytool -importcert -alias existingalias -file chain.p7b -keystore keystore.jks
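The import procedure above as a set of shell functions that can be checked end to end. This is an added example, not code from the original notes. It assumes openssl and keytool are on PATH; the alias "tomcat", the password "changeit", the throwaway CA and all file names are constructed for the demo. It goes slightly beyond the post in two ways: the issuer chain can be included in the PKCS#12 up front (so the JKS entry is complete after one import), and before the .p7b repair route it adds the private CA as a trusted entry, so keytool accepts the certificate reply without stopping to ask whether the top-level certificate should be trusted.

```shell
#!/bin/sh
# Added example (not from the original notes): the key/certificate import
# procedure as checked shell functions.
# Assumptions: openssl and keytool are on PATH; alias "tomcat", password
# "changeit" and all file names are constructed for the demo.

# Constructed test material: a throwaway CA and a leaf certificate it signs,
# so the example runs offline. $1 = working directory.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Steps 1 and 2: wrap key + certificate (+ issuer chain, if given) in PKCS#12,
# then import it into a JKS keystore. One password serves the PKCS#12 export,
# the keystore and the key entry, which is what Tomcat expects.
# $1 key  $2 leaf cert  $3 issuer chain PEM or ""  $4 alias  $5 password  $6 output .jks
pem_to_jks() {
    key=$1; cert=$2; chain=$3; name=$4; pw=$5; jks=$6
    pfx="${jks%.jks}.pfx"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name "$name" -passout "pass:$pw" -out "$pfx"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name "$name" -passout "pass:$pw" -out "$pfx"
    fi
    # No -destkeypass: keytool reuses the source password for the key entry.
    keytool -importkeystore -noprompt \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pw" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pw" >/dev/null 2>&1
    rm -f "$pfx"
}

# Add an issuer (e.g. a private CA) as a trusted entry, so a certificate reply
# chaining to it is accepted without keytool asking whether to trust it.
# $1 jks  $2 alias  $3 CA cert PEM  $4 password
trust_issuer() {
    keytool -importcert -noprompt -alias "$2" -file "$3" \
        -keystore "$1" -storepass "$4" >/dev/null 2>&1
}

# Step 3: the entry holds only the leaf but a chain is needed. Bundle leaf +
# issuers into PKCS#7 and import it as the certificate reply for that alias.
# $1 jks  $2 alias  $3 password  $4 leaf cert PEM  $5 issuer chain PEM
repair_chain() {
    jks=$1; name=$2; pw=$3; leaf=$4; issuers=$5
    p7b="${jks%.jks}.p7b"
    openssl crl2pkcs7 -nocrl -certfile "$leaf" -certfile "$issuers" -out "$p7b"
    keytool -importcert -noprompt -alias "$name" -file "$p7b" \
        -keystore "$jks" -storepass "$pw" >/dev/null 2>&1
    rm -f "$p7b"
}

# Read "Certificate chain length: N" from the verbose listing, so a script can
# verify that the entry really carries the full chain. $1 jks  $2 alias  $3 password
jks_chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    pem_to_jks "$d/leaf.key" "$d/leaf.pem" "$d/ca.pem" tomcat changeit "$d/keystore.jks"
    echo "chain length after import: $(jks_chain_length "$d/keystore.jks" tomcat changeit)"
    keytool -list -keystore "$d/keystore.jks" -storepass changeit 2>/dev/null
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh keytool-import.sh --demo` (file name assumed). Two caveats for real deployments: passwords given as `-passout pass:` or `-storepass` arguments are visible to other users in the process list, so prefer openssl's `file:` password source and keytool's interactive prompt there; and OpenSSL 3 encrypts PKCS#12 files with newer algorithms by default, which older JDKs cannot read, in which case openssl's `-legacy` option produces a bundle those JDKs accept.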

To view:

keytool -list -v -keystore keystore.jks

Rename an alias:

keytool -changealias -alias oldalias -destalias newalias -keystore keystore.jks

Change the key password in case it doesn’t match the keystore password:

keytool -keypasswd -alias keyalias -keystore keystore.jks

Sources