How to import an existing X.509 certificate and private key in Java keystore to use in SSL?
I have this in an ActiveMQ config:
<sslContext>
<sslContext keyStore="file:/home/alex/work/amq/broker.ks"
keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts"
trustStorePassword="password"/>
</sslContext>
I have a pair of X.509 cert and a key file.
How do I import those two in order to use them in SSL and SSL+stomp connectors? All examples I could google always generate the key themselves, but I already have a key.
I have tried
keytool -import -keystore ./broker.ks -file mycert.crt
but this only imports the certificate and not the key file and results in
2009-05-25 13:16:24,270 [localhost:61612] ERROR TransportConnector - Could not accept connection : No available certificate or key corresponds to the SSL cipher suites which are enabled.
I have tried concatenating the cert and the key but got the same result.
How do I import the key?
Answer
I used the following two steps which I found in the comments/posts linked in the other answers:
Step one: Convert the x.509 cert and key to a pkcs12 file
openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name [some-alias] \
-CAfile ca.crt -caname root
Note: Make sure you put a password on the pkcs12 file - otherwise you'll get a null pointer exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)
Note 2: You might want to add the -chain option to preserve the full certificate chain. (Thanks Mafuba)
Step two: Convert the pkcs12 file to a Java keystore
keytool -importkeystore \
-deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore \
-srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \
-alias [some-alias]
Finished
OPTIONAL Step zero: Create self-signed certificate
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Cheers!