I received a new certificate in crt
/ cert
format. When I open this file in a text editor they added the complete certificate chain to this file. Each certificate starts with:
-----BEGIN CERTIFICATE-----
And ends with:
-----END CERTIFICATE-----
There are no empty lines in between. Since I am not keen with openssl
, I opened up the certificate into Windows and exported the certificate with the complete chain in PKCS#7
format (test.p7b). When I open this file all looks fine in Windows and the root, intermediate and the certificate are all their in the chain.
When I put the file test.p7b
on the server and try to import this with keytool
as follows:
keytool -import -trustcacerts -alias my.domain.com -keystore my.domain.keystore -keypass changeme -storepass changeme -file test.p7b
I get the following error:
keytool error: java.lang.Exception: Input not an X.509 certificate
When I test the P7B file I also get errors:
bash-4.1$ openssl x509 -in test.p7b -text
unable to load certificate
140009984849736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
or:
bash-4.1$ openssl x509 -in test.p7b -inform DER -text
unable to load certificate
140396587853640:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140396587853640:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509_CINF
140396587853640:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=cert_info, Type=X509
Can someone help me out?
When importing a certificate chain, keytool expects the certificates to be loaded in DER form. You can create such a bundle with openssl:
1 - Convert all certificates in DER format
openssl x509 -in certificate.pem -outform DER -out certificate.crt
2 - Concat all DER certificates into one single file
cat cert1.crt cert2.crt ... > chain.der
3 - Now you can import the chain into your keystore with keytool
keytool -importcert -trustcacerts -alias <myalias> -file chain.der -keystore keystore.jks -storepass <mypassword>
Note that myalias
MUST be the same as the one used when the key was generated.
4 - verify that the chain was successfully imported
keytool -list -v -keystore keystore.jks