Import PKCS7 (Chained Certificate) using KeyTool command to JKS

Rohit Sharma picture Rohit Sharma · Apr 4, 2013 · Viewed 59.1k times · Source

I have a CA issued CERT in PKCS#7 format. It has certificates (chained) within it. Keytool does not recognize the PKCS7 format. I have tried OpenSSL tool to convert PKCS7 format certificate to PEM format and it fails. I receive an error message "Unable to load PKCS7 object".

How do I import the PKCS7 cert chain to my JKS?

Answer

Sergio Pelin picture Sergio Pelin · Apr 5, 2013

As you can read in the keytool reference for -importcert command:

Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or PKCS#7 reply is read from stdin.

keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type.

Try to import the PKCS7 cert as it is.

Though, it doesn't always work. If you have problems, try to do the following (using OpenSSL):

  1. Print all the certs it contains to a PEM file

    OpenSSL> pkcs7 -in initial_file.p7b -inform DER -print_certs -outform PEM -out certs_chain.pem

  2. Open the new PEM file (certs_chain.pem) with an editor and delete everything outside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries (keep only the encoded content within the boundaries, the certificates themselves) and save it.

Now keytool should not have problems to import your cert, using certs_chain.pem as cert_file