How to import a jks certificate in java trust store

java ssl https keytool jks
Arci picture Arci · Jul 28, 2012 · Viewed 59.8k times · Source

How do I import a .jks file into the java security's truststore? All the tutorial I'm seeing is using a ".crt" file. However, I only have the ".jks" file which is also the keystore I generated using the keytool command.

Currently, I'm following this tutorial.

I was able to generate a Java keystore and key pair and generate a certificate signing request (CSR) for an existing Java keystore, which is based on the tutorial. But I cannot import a root or intermediate CA certificate to an existing Java keystore, and import a signed primary certificate to an existing Java keystore, because it is looking for a ".cert" file.

Am I missing something on the steps listed on the tutorial? How can I trust a certificate if the only file I have is the ".jks" file? And what is the use of the ".csr" file?

Please note that I'm using Windows.

Answer

Maarten Bodewes picture Maarten Bodewes · Jul 28, 2012

The ".jks" is the truststore, or at least it should be if you assign it to JSSE. You should add the certificates from your CA to that file. The software will then look up the certificate chain by iterating through the certificates. The private key should remain in the (password protected) ".jks" file.

In other words, you should import certificates to the ".jks" not export certificates out of it. You may have to download the certificates of your specific provider separately if they are not included in the response of your certificate request. You proabably could export them from your favourite browser as well. Normally these are stored in X5.09 DER format (which should be compatible with the Java keytool).

Steps (in general):

  1. Generate a key pair & cert request, store into new or existing key store (.jks)
  2. Send the certificate request to be signed, obtain chain starting with the certificate that you requested
  3. Import certificate chain into key store with private key
  4. Generate new or use existing key store for the party that needs to do the verification (at least one or more clients when using SSL), and import the certificate chain
  5. Trust a certicificate in the certificate chain in the above key store, probably the top most certificate (the "root" certificate).
  6. Configure and test the parties, e.g. a server using the key store with the private key and multiple clients using the latter key store.

Related questions

Accept server's self-signed ssl certificate in Java client

It looks like a standard question, but I couldn't find clear directions anywhere. I have java code trying to connect to a server with probably self-signed (or expired) certificate. The code reports the following error : [HttpMethodDirector] I/O exception (javax.…

Read More
java.lang.Exception: Public keys in reply and keystore don't match

I have to access a webservice hosted at port 443.Service provider has shared three certificate with us. ABCD.cer CA_Certificate.cer CCA_Certificate.cer I have to add them to keystore by creating a form chain for the SSL …

Read More
IP address as hostname (CN) when creating a certificate? (HTTPS hostname wrong: should be <ipAddress>)

Possible Duplicate: How are SSL certificate server names resolved/Can I add alternative names using keytool? I created a certificate and set the CN to the IP address of my server which is in xxx.xxx.xxx.xxx format. But …

Read More