Java Keystore PrivateKeyEntry vs trustedCertEntry
I'm renewing a certificate used by my Hadoop cluster. Current JKS has one entry:
Your keystore contains 1 entry
Alias name: myalias
Creation date: Jan 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
I'm trying to create a new keystore from the new cert:
keytool -importcert -alias myalias -file newcertfile.crt -keystore newkeystore.jks
But I get asked about whether I trust this certificate (If I say no, keytool quits):
Trust this certificate? [no]: yes
And when I look at the result, it's no longer a PrivateKeyEntry but a trustedCertEntry:
keytool -list -v -keystore newkeystore.jks
...
...
Your keystore contains 1 entry
Alias name: myalias
Creation date: Feb 20, 2019
Entry type: trustedCertEntry
...
...
What am I missing here? Should I just use the JKS with the trustedCertEntry or is there a way to make it just like the old JKS (with PrivateKeyEntry)?
Answer
I eventually figured out that I have to supply the private key as well (As Roshith mentioned in the link he supplied).
So I started with first creating a pfx file:
openssl pkcs12 -export -out newcertbundle.pfx -inkey myprivate.key -in newcertfile.crt
And then converted it to jks:
keytool -importkeystore -srckeystore newcertbundle.pfx -srcstoretype PKCS12 -srcstorepass mypass -deststorepass mypass -destkeypass mypass -destkeystore newkeystore.jks
The only thing I couldn't figure out (but wasn't too important to me) was how to use an alias, so I went with a default one (when I tried specifying one I got: Alias does not exist. This is discussed here).