Certificates, keystores, java keytool utility and openssl

(Updated: four six typos fixed)

I)
From time to time I need a self-signed certificate. I use the java keytool utility to make one:

For a JKS (Java Key Store format):

keytool
-genkeypair
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-keysize 2048
-keyalg RSA
-sigalg sha1withrsa
-dname "cn=Mihail Stoynov,
ou=MyCompany Bulgaria, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v

For a PKCS#12 keystore:

keytool
-genkeypair
-keystore mihail.stoynov.p12

-storetype pkcs12
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-keysize 2048
-keyalg RSA
-sigalg sha1withrsa
-dname "cn=Mihail Stoynov, ou=MyCompany Bulgaria, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v

When the public certificate is needed separately, one can be exported in a file (mihail.stoynov.cer) like this:
(from a JKS)

keytool
-exportcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.cer
-v

 

(from a PKCS#12)

keytool
-exportcert
-keystore mihail.stoynov.p12

-storetype pkcs12
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.cer
-v

 

NOTE: keep storepass and keypass the same for easy importing into browsers

II)
Sometimes self-signed certificates are not enough and a CA root certificate must be made in order to sign a group of certificates.

First a Certificate signing request (CSR) must be made:
(from a JKS)

keytool
-certreq
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-v
>> mihail.stoynov.csr

(from a PKCS#12)

keytool
-certreq
-keystore mihail.stoynov.p12

-storetype pkcs12
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-v
>> mihail.stoynov.csr

(the output is directed to a file: mihail.stoynov.cer)

The file looks something like that:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCQkcxDjAMBgNVBAgTBVNvZmlhMQ4wDAYDVQQHEwVTb2Zp
YTEQMA4GA1UEChMHTWF0ZXJuYTEWMBQGA1UECxMNTWF0ZXJuYSBTb2ZpYTEXMBUGA1UEAxMOTWlo
YWlsIFN0b3lub3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ7XpdyHuF9ApZodSn
GS9/TiUtXqryPDD0elzlP2QreSkfYv8IaXnB1Xy1ZVmda/d+P4TZ/aHvAhDwQPcei4KaoRzJWX9I
Yz9hi4cmKksjg8ufDZzXUuMwtbVlricc5vWg1HcSsQJ8vpLCBIelliDJOxc4skDcT23LGQttiv0b
23pjMthEe2tJVp37Tnwr29SLz0AGziVwzb5cfAXU4PzpiASr8vF2A0c2DObS7zM5Wp7jXWIe71P5
BZgIMcUUGlCdfLQRoA7URWN2Yx2qH8gyiNaIaZYZB6o2ib8rH3UmDl/ErKJgWQyS7sr4bANY9WpA
m7H2nXfGs+X88xSbA0JRAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAIn81dCSpVbI7IDLO2L2p
MW1gnjvuRs9xm6M9rMV6Kwy0Nw05qL0H8tTsFaq4J7bLBXJeXmiREUbrtpbHxLUfjtaqs5q5Txxn
c7Cm5kj7t9PWeRTW0rbzRssgT+sHqUlMKMydB8E+gGEIMQdgwdurhjpD7aevOOeN5fvv9kV7Rszv
6nC8dixyrsiiWjLUGJRP7I9HrEAXKfk3JluSYKS/ZNhTIw5a7fKvhXbRPlN1lDSvdkJAtcaG/9dZ
3KlXL7ozL8sOQTjFxUhN6kS6QujJ1T7TlkWHu9/ivIAkuXBu8P/czyLyjf1JD9fnwGnxCO2FPmcX
9/2IpwG33mMpaAmXpA==
-----END NEW CERTIFICATE REQUEST-----

Did we forget something? Yes, there's no Root CA certificate. Let's make one:
(JKS)

keytool
-genkeypair
-keystore mycompany.root.ca.jks
-storepass "mycompany.root.ca"
-alias "mycompany.root.ca"
-keypass "mycompany.root.ca"
-keyalg RSA
-keysize 2048
-sigalg SHA1withRSA
-dname "cn=MyCompany Bulgaria, ou=Office No 5, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v


(PKCS#12)

 

keytool
-genkeypair
-keystore mycompany.root.ca.p12

-storetype pkcs12
-storepass "mycompany.root.ca"
-alias "mycompany.root.ca"
-keypass "mycompany.root.ca"
-keyalg RSA
-keysize 2048
-sigalg SHA1withRSA
-dname "cn=MyCompany Bulgaria, ou=Office No 5, o=MyCompany, L=Sofia, S=Sofia, c=BG"
-validity 3650
-v

Problem No 1
Keytool cannot sign CSRs. Period.

Now what do we do?

I went to OpenSSL.

In order to sign with OpenSSL I needed the root certificate in the PEM format.
P12 (PKCS#12) -> PEM:

openssl
pkcs12
-in mycompany.root.ca.p12
-out mycompany.root.ca.pem

Sign the CSR with OpenSSL:

openssl
x509
-req
-in mihail.stoynov.csr
-CA mycompany.root.ca.pem
-out mihail.stoynov.signed.cer
-days 3650
-CAcreateserial

(I don't know what -CAcreateserial is but it works)

So now I have mihail.stoynov.signed.cer.

The last step is to import it to mihail.stoynov.p12 (or .jks) in order to override the self-signed certificate with the one signed by the MyCompany Root CA.

A Prerequisite step to that is to import mycompany.root.ca.cer into mihail.stoynov.p12 (or .jks) because every certificate in the chain must be contained in the certificate chain of mihail.stoynov.

Problem No 2
Importing mycompany.root.ca.cer into mihail.stoynov.p12 fails but importing it into mihail.stoynov.jks works?!

JKS:

keytool
-importcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mycompany.root.ca
-keypass
mycompany.root.ca
-file mycompany.root.ca.cer
-v

(this one works)

PKCS#12

keytool
-importcert
-keystore mihail.stoynov.p12

-storetype pkcs12
-storepass mihail.stoynov
-alias mycompany.root.ca
-keypass
mycompany.root.ca

-file mycompany.root.ca.cer
-v

this one fails with:

Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]:  y 

keytool error: java.security.KeyStoreException: TrustedCertEntry not supported
java.security.KeyStoreException: TrustedCertEntry not supported
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineSetCertificateEntry(PKCS12KeyStore.java:620)
at java.security.KeyStore.setCertificateEntry(KeyStore.java:941)
at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:1958)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:818)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)

Actually P12 format does not permit trusted certificates. It is inteded to contain key/pairs only. So importing mycompany.root.ca.cer into mihail.stoynov.p12 failed.

I tried several things:

1) Importing mihail.stoynov.signed.cer directly into mihail.stoynov.p12:

keytool
-importcert
-keystore mihail.stoynov.p12
-storetype pkcs12

-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.signed.cer
-v

and the response was:

keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)

2) Importing mycompany.root.ca.cer into cacerts:

keytool -importcert -trustcacerts -file mycompany.root.ca.cer

This again didn't fix the problem.

Solution to Problem No 2:
Transform P12 to JKS, import the root certificate and the signed certificate into JKS keystore, transform the modified JKS back to P12.

1) Transform P12 to JKS

keytool
-importkeystore
-srckeystore mihail.stoynov.p12
-destkeystore mihail.stoynov.jks
-srcstoretype pkcs12
-srcstorepass mihail.stoynov
-deststorepass mihail.stoynov

2) import the root certificate into the JKS keystore

keytool
-importcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mycompany.root.ca

-keypass
mycompany.root.ca

-file mycompany.root.ca.cer
-v

3) import signed certificate into JKS keystore

keytool
-importcert
-keystore mihail.stoynov.jks
-storepass mihail.stoynov
-alias mihail.stoynov
-keypass mihail.stoynov
-file mihail.stoynov.signed.cer
-v

4) transform the modified JKS back to P12

keytool
-importkeystore
-srckeystore mihail.stoynov.jks
-destkeystore mihail.stoynov.p12
-deststoretype pkcs12
-srcstorepass mihail.stoynov
-deststorepass mihail.stoynov

it said something like:

Entry for alias mihail.stoynov successfully imported.
Problem importing entry for alias mycompany.root.ca: java.security.KeyStoreException: TrustedCertEntry not supported.
Entry for alias mycompany.root.ca not imported.
Do you want to quit the import process? [no]:  n
Import command completed:  1 entries successfully imported, 1 entries failed or cancelled

I clicked yes, and it worked.

Now let's see what's the difference between mihail.stoynov.jks and mihail.stoynov.p12:
JKS:

$ keytool -list -keystore mihail.stoynov.jks -storetype jks -storepass mihail.stoynov -v

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: mihail.stoynov
Creation date: Mar 12, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Mihail Stoynov, OU=MyCompany Sofia, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: f0e465bb77420e30
Valid from: Thu Mar 12 09:29:19 GMT+00:02 2009 until: Sun Mar 10 09:29:19 GMT+00:02 2019
Certificate fingerprints:
MD5:  40:9D:C2:DE:AE:11:1E:01:92:F9:C8:01:C5:92:69:CB
SHA1: D2:D0:03:5C:50:BC:F8:6C:EB:C0:36:B6:B0:8D:A8:3B:9E:B6:7B:B4
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

Alias name: mycompany.root.ca
Creation date: Mar 12, 2009
Entry type: trustedCertEntry

Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

 

P12 (PKCS#12)

$ keytool -list -keystore mihail.stoynov.p12 -storetype pkcs12 -storepass mihail.stoynov -v

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: mihail.stoynov
Creation date: Mar 12, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Mihail Stoynov, OU=MyCompany Sofia, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: f0e465bb77420e30
Valid from: Thu Mar 12 09:29:19 GMT+00:02 2009 until: Sun Mar 10 09:29:19 GMT+00:02 2019
Certificate fingerprints:
MD5:  40:9D:C2:DE:AE:11:1E:01:92:F9:C8:01:C5:92:69:CB
SHA1: D2:D0:03:5C:50:BC:F8:6C:EB:C0:36:B6:B0:8D:A8:3B:9E:B6:7B:B4
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Issuer: CN=MyCompany Bulgaria, OU=Office No 5, O=MyCompany, L=Sofia, ST=Sofia, C=BG
Serial number: 49b8c365
Valid from: Thu Mar 12 08:12:13 GMT+00:02 2009 until: Sun Mar 10 08:12:13 GMT+00:02 2019
Certificate fingerprints:
MD5:  1C:0C:82:0D:35:C8:1E:48:74:9F:13:43:C9:AE:D0:F7
SHA1: DB:BB:D7:DB:8C:33:AA:06:6D:CF:D2:5C:EB:64:01:D5:AD:AB:94:38
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************
*******************************************

 

Do you see the difference?
It's in italic - JKS format keeps an extra trusted certificate of MyCompany Root CA.

Anyway both mihail.stoynov.jks and mihail.stoynov.p12 work perfectly.

P.S.
Does someone know better solutions to Problem No 1 and Problem No 2?
Does someone know how to sign certificates but without the cumbersome CSR step?

19 thoughts on “Certificates, keystores, java keytool utility and openssl”

  1. Congrats about the tutorial - that's a known issue but there isn't a smart solution yet.

    We had to sign CSRs 2 years ago and there were no way to do it with keytool. We've solved the same way - via openssl. There were another 3rd party tool (java based), but I can't remember its name.

  2. Well, if you really really want to sign CSRs with java, you can always do it with code - using the JCE. 🙂

    As for problem 2, there are two mistakes I can find in your reasoning :
    1. "A Prerequisite step to that is to import mycompany.root.ca.cer into mihail.stoynov.p12 (or .jks) because every certificate in the chain must be contained in the certificate chain of mihail.stoynov." - why do you need to import the CA certificate into the keystore again? When the CA signs the CSR, it appends its own certificate to the certificate chain of the original. So, as can be seen from your examples, you have two keystores, the JKS one, and the PKCS12 one, both of which contain the signed CSR(with its proper certificate chain), but your JKS keystore contains one more certificate - namely that of the CA. This is useful, for example, if you would like to use the keystore as a truststore - but it's otherwise irrelevant(that's why both your keystores work perfectly). 🙂
    2. "Actually P12 format does not permit trusted certificates. It is inteded to contain key/pairs only." - this is blatantly false. The only thing PKCS12 lacks, is the notion of trust - it doesn't make a distinction between the certificates in the keystore, e.g. if they're trusted, or untrusted. The only reason you can't import the CA certificate as-is, is that keytool has been created primarily for working with the default java keystore type - JKS, and doesn't account for the differences in other keystore types.

    P.S. You forgot to anonymize "mycompany.root.ca.cer" 🙂

    1. >why do you need to import the CA certificate into the keystore again?
      It was never there in the first place. The CA cert is in another file.

      > "Actually P12 format does not permit trusted certificates. It is inteded to contain key/pairs only." – this is blatantly false.
      Can you put a cer file inside p12? Without a corresponding private key?

      >JKS, and doesn’t account for the differences in other keystore types.
      I guess so. But you can't use keytool to update the cert part of the certificate in the p12.

  3. First, I have anonymized your comment, I hope you don't mind. And thanks for the remark.

    About your first point: look at the blog post, there's an exception. If you can show me how to do it without importing the root CA cer, I'll readily use it from now on. Anyway I do agree that it doesn't make sense.

    About your second point: you may be right. My knowledge on this subject is limited. I copied a statement from Java Ranch thread 🙂

    Anyway keytool seems to be far too limited.

  4. I had the same problem with importing a trustedCertEntry into pkcs11 keystore/truststore....

    Seems this can never be done with keytool.. I instead used certutil to do the job (first you need to create a secmod.db with certutil -create)

    Now the problem is that I can only view the imported certificate using certutil or pktool. keytool still refuses to list the trustedCertEntry (because it has no associated private key ??) Consequently my java program cannot access the trusted certificate when I use pkcs11 keystore. Anyone has idea why the behaviour is so different in certutil/pktool and keytool ??

    (And ofcourse I have no problems with using JKS as my truststore )

  5. Hi, I'm still quite new to the SSL, and am still having trouble generating keys.

    After reading through your tutorial I am confused on how you generated "mycompany.root.ca.cer"

    I understand that "mihail.stoynov.signed.cer" needs to be imported back into the original generated keypair file, but why does "mycompany.root.ca.cer" need to be included? also how do i generate the file from which keypair?

    1. You need to put back mihail.stoynov.signed.cer, because it has changed - it was signed.

      >also how do i generate the file from which keypair?
      Check problem no2.

  6. Hi!

    This is the best tutorial I found so far but still lacks one very important thing I dont find the answer for. Once we have a p12 file containing the ca certificate, how can we use it. Using java ControlPanel, it just does not import it for me. Do you have any idea about it?

    Anyway I do all the key management (generation, sign, etc) with openssl. Creating a p12 file having only the ca certificate can be done using:
    openssl pkcs12 -export -cacerts -nokeys -in ca.cert.pem -out ca.cert.p12

    PS.
    -CAcreateserial openssl option is to create a usually ca.crl named file if not yet exists, which is used to note the last used serial number which was assigned to the last signed certificate. So that openssl can increment it and make sure that the serial number will be unique for the certificates signed by a given root ca.

    1. What do you mean use it? My use case was client ssl authentication against tomcat. With you it might be something else

      1. You are right. I am about to sign a java applet, which shall be deployed for some users. On the user(client) system I plan the generated root ca to be added/imported.

        I was guessing that java platform might behave in some similar way while importing a new trusted root ca. I guess you had to import yours as well somewhere for tomcat (which I am not familiar with) or else I dont see no much use of a root ca.

        1. I don't remember exactly but i think there is a centralized repository for every jvm installation. But that doesn't help your case.

          I used a ca because we wanted to log in all users with a valid certificate signed by our own ca.

          1. I guess that centralized repository for every jvm, is the one where java control panel will save any new root ca.

            I figured out anyway by now. I can import openssl produced pem file, event thought the file open dialog filters for p12 (and .csr which has no sense for me). So select all files filter and then the pem file works fine.

            Might help someone in the future.

            Thankyou for your answers.

          2. I didnt know it supported pem. When i wrote this we had to transform p12->pem->p12

  7. Thanks bro! Here's what I did per your awesomeness:
    ## Generate a new pair of keys in a new keystore
    ./jre/bin/keytool.exe -genkeypair -keyalg "RSA" -keysize 2048 -sigalg "SHA1withRSA" -alias "mycom" -dname "CN=MyCom.com,OU=CoreTech,O=My Company LLC,L=Nowhere,S=Pennsylvania,C=US" -ext "SAN=DNS:mycom.com" -keystore "./server-mycom.ssl" -storetype "PKCS12" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q"
    ./jre/bin/keytool.exe -list -v -alias "mycom" -keystore "./server-mycom.ssl" -storetype "PKCS12" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q"

    # Export Certificate from keystore
    ./jre/bin/keytool.exe -export -alias "mycom" -keystore "./server-mycom.ssl" -storetype "PKCS12" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q" -file mycom.cer

    # Export Certificate Signing Request (CSR) from keystore
    ./jre/bin/keytool.exe -certreq -alias "mycom" -keystore "./server-mycom.ssl" -storetype "PKCS12" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q" -file "mycom.csr"

    cat "mycom.csr"
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIC7zCCAdcCAQAwejELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTETMBEGA1UE
    BxMKQ2FyaW5icm9vazEXMBUGA1UEChMOTXkgQ29tcGFueSBMTEMxETAPBgNVBAsTCENvcmVUZWNo
    MRMwEQYDVQQDEwpXZWJTaWcuQ29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm+b4
    9D5QGz+sw3RgZekxBFKuVmz5v3QQHN53mWMxzifwutxHdeffCzIr0WqJ+wmEAY6vxE+vPSwrQoPs
    HTABFXsYOa4cWqC/CKdIKgQY27fsr9opW+CnFmYKlLllJxNZBWeAoiFq4WXtPzdo+Z/RiOXI+cyl
    xqSx/CLE+JFAidE01HNniHPBKbekm3k/sEIlx7jaYcUA+OLou8IFaeEcAhdD4txy4o1J6ZuYLilH
    HVZPulHaEeNNUW7fabr6KbkKIuVvKzlC3WKvLIkkVYTrcBd12wiDkz6SjAooYLJmmOGfJCmsgBLU
    yZvUpwCn94nYrugjqMGkwD5D/gVPJuSkpwIDAQABoDAwLgYJKoZIhvcNAQkOMSEwHzAdBgNVHQ4E
    FgQU6XD6yS0oVfWzJoPNPaDfbp1P9bowDQYJKoZIhvcNAQELBQADggEBAJPkSFxvp1Bky5pjxPtA
    CQitjaMaotfHVE8AFe9L0/SOrszlm5z6hn2oTjmZzw3qaT/XiaZAFGh+f83t9Ipy8l5BskEiZbgS
    AnGAiM9vLuUwwoR+hQUzdE+GzcSbCS92QGbhgJEOTwPzhveh0TffEZAg0YHAwyXDKq67TKVelMFy
    CgcFZyFK/VFhyFdPfep3t3mXhcOFh+n+pRXbmjB1TIXI4kWPKBP6tYbw0mQjxDBmcDi7ntzGUT5N
    JG+0ydgOuL5fxAHdatcM+lRjFsP0C/yic+pRUS7OryJB7/1gIgpkC21FMVKh05LZtQuEaFlo7eJ7
    E6XVgtAOxBZNtsSgHWA=
    -----END NEW CERTIFICATE REQUEST-----

    # Create Verisign Certificate using CSR and Symantec trustcenter website
    https://trustcenter.websecurity.symantec.com/process/retail/trial_initial?application_locale=VRSN_US&tid=symc_vrsn_ssl_try

    cat "mycom_verisign_cert.cer"
    -----BEGIN CERTIFICATE-----
    MIIFJDCCBAygAwIBAgIQaIyN6aSPAyiHmNUr2YMBijANBgkqhkiG9w0BAQUFADCB
    yzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTAwLgYDVQQL
    EydGb3IgVGVzdCBQdXJwb3NlcyBPbmx5LiAgTm8gYXNzdXJhbmNlcy4xQjBABgNV
    BAsTOVRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3Bz
    L3Rlc3RjYSAoYykwOTEtMCsGA1UEAxMkVmVyaVNpZ24gVHJpYWwgU2VjdXJlIFNl
    cnZlciBDQSAtIEcyMB4XDTE1MDQwOTAwMDAwMFoXDTE1MDUwOTIzNTk1OVowejEL
    MAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTETMBEGA1UEBxQKQ2Fy
    aW5icm9vazEXMBUGA1UEChQOTXkgQ29tcGFueSBMTEMxETAPBgNVBAsUCENvcmVU
    ZWNoMRMwEQYDVQQDFApXZWJTaWcuQ29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
    MIIBCgKCAQEAm+b49D5QGz+sw3RgZekxBFKuVmz5v3QQHN53mWMxzifwutxHdeff
    CzIr0WqJ+wmEAY6vxE+vPSwrQoPsHTABFXsYOa4cWqC/CKdIKgQY27fsr9opW+Cn
    FmYKlLllJxNZBWeAoiFq4WXtPzdo+Z/RiOXI+cylxqSx/CLE+JFAidE01HNniHPB
    Kbekm3k/sEIlx7jaYcUA+OLou8IFaeEcAhdD4txy4o1J6ZuYLilHHVZPulHaEeNN
    UW7fabr6KbkKIuVvKzlC3WKvLIkkVYTrcBd12wiDkz6SjAooYLJmmOGfJCmsgBLU
    yZvUpwCn94nYrugjqMGkwD5D/gVPJuSkpwIDAQABo4IBUjCCAU4wJQYDVR0RBB4w
    HIIKV2ViU2lnLkNvbYIOd3d3LldlYlNpZy5Db20wCQYDVR0TBAIwADAOBgNVHQ8B
    Af8EBAMCBaAwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL3NxLnN5bWNiLmNvbS9z
    cS5jcmwwZQYDVR0gBF4wXDBaBgpghkgBhvhFAQcVMEwwIwYIKwYBBQUHAgEWF2h0
    dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUFBwICMBkMF2h0dHBzOi8vZC5z
    eW1jYi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNV
    HSMEGDAWgBQoFxOKvdaitdwGLLe2jtoQZmBu5TA2BggrBgEFBQcBAQQqMCgwJgYI
    KwYBBQUHMAKGGmh0dHA6Ly9zcS5zeW1jYi5jb20vc3EuY3J0MA0GCSqGSIb3DQEB
    BQUAA4IBAQAokbeTLhtbfnjOuJfHbAMwgvjX+yu5HnU1MlSqiGOx51yWOVDGAyxj
    9ypbkKrEGU8a6StXfeoFRVh8LXYuAXKBARAPCJVD5s+JNb+S6Cg85dm/B4t1kA0A
    kUVrF2kjkHGe1hIvxVxuTMIIl1EdhLuRAGhx3eFGRdF496p+Ej0x+yVvtFKBGCup
    7PjaiOTbukj/wXCLUmyUqUuxZdWcPvhh11VDluq70zGrYjeLCwMXpBXGm1YVixnH
    UJdOwYbTh4UjOtf1YEqcIYq0kATskw5ScjAnoyFu2twr24Hm4TSyuaV7tamlB/S+
    83IdG77P4ph3O4JHLyOUV0kbj6eR67Dz
    -----END CERTIFICATE-----

    # Be sure to download the verisign root and intermediate certificates, storing in ./verisign_root_cert.cer and ./verisign_intermediate_cert.cer respectively

    # Convert the PKCS12 store to JKS (this is done to get the certificate chain to work under PKS12)
    ./jre/bin/keytool.exe -importkeystore -srcstoretype "PKCS12" -srckeystore "./server-mycom.ssl" -srcstorepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q" -deststoretype "JKS" -destkeystore "./server-mycom.jks" -deststorepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q"

    # Import Root CA into JKS keystore (which will fail for PKCS12 keystores)
    ./jre/bin/keytool.exe -import -trustcacerts -alias "root" -keystore "./server-mycom.jks" -storetype "JKS" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q" -file ./verisign_root_cert.cer
    ./jre/bin/keytool.exe -list -v -alias "root" -keystore "./server-mycom.jks" -storetype "JKS" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q"

    # Import Intermediate CA into JKS keystore (which will fail for PKCS12 keystores)
    ./jre/bin/keytool.exe -importcert -trustcacerts -alias "INTER" -keystore "./server-mycom.jks" -storetype "JKS" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q" -file ./verisign_intermediate_cert.cer
    ./jre/bin/keytool.exe -list -v -alias "INTER" -keystore "./server-mycom.jks" -storetype "JKS" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q"

    # Import Certificate into JKS keystore (which will fail for PKCS12 keystores)
    ./jre/bin/keytool.exe -import -trustcacerts -alias "mycom" -keystore "./server-mycom.jks" -storetype "JKS" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q" -file ./mycom_verisign_cert.cer
    ./jre/bin/keytool.exe -list -v -alias "mycom" -keystore "./server-mycom.jks" -storetype "JKS" -storepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q"

    # Convert the JKS store to PKCS12 (so as to preserve the certificate chain in keystore)
    ./jre/bin/keytool.exe -importkeystore -srcstoretype "JKS" -srckeystore "./server-mycom.jks" -srcstorepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q" -deststoretype "PKCS12" -destkeystore "./server-mycom.p12" -deststorepass "eRLOdANr3u40O15aJx8W7i2YoQ0Fi8xIVDdcV85Q"

    # You will get warning messages such as this:
    # Problem importing entry for alias inter: java.security.KeyStoreException: TrustedCertEntry not supported.
    # Entry for alias inter not imported.
    # Do you want to quit the import process? [no]: no
    # Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported.
    # Entry for alias root not imported.
    # Do you want to quit the import process? [no]: no
    # Entry for alias mycom successfully imported.
    # Import command completed: 1 entries successfully imported, 2 entries failed or cancelled

    # Update your tomcat connector to point to the converted PKCS12 keystore:

  8. I got this to work after many days of trial and error.
    At the beginning, you need to put your CA certs into a .DER encoded format with a .CER file extension.
    Convert from PKCS12 to JKS, then import all CA certs using the DER encoded versions, then
    convert the JKS back to PKCS12.
    --
    In MS Windows, to convert Symantec text files or .cer files to .DER
    Preliminarily, copy all Symantec cert txt files to new files with extension .CER.
    Open the root .cer file and view the certificate
    Select the Path tab, then select the root cert and view the certificate.
    For the root certificate, select the detail tab,
    select the Copy to File button and select the DER option and create a filename with "_der.cer" file
    extension. Once saved, close the root certificate.
    Select the intermediate certificate and perform steps above as for root.
    For the private User Certificate ssl_certificate_der.cer file, perform steps above as for root.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.