Import certificate as PrivateKeyEntry
I am installing SSL on a Tomcat server and am following these instructions from the issuer https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO16181 and it states:
Verify the following information:
The SSL certificate is imported into the alias with the "Entry Type" of
PrivateKeyEntry or KeyEntry. If not, please import the certificate into
the Private Key alias.
When I import the certificate (tomcat) I am using:
keytool -import -trustcacerts -alias your_alias_name -keystore your_keystore_filename
-file your_certificate_filename
but when I do so it imports as trustCertEntry
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
primaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>
tomcat, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>
secondaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>
How can I make alias tomcat import as PrivateKeyEntry?
Answer
You try to add certificate and expect that it will be private key - its confusion between two different things.
Generally, when you create keystore (.jks) it include the private key inside. If its empty (deleted) you should generate bundle (.p12 file) from your key and certificates.
In order to create new free key and certificate you can use this this implementation of openSSl https://zerossl.com.
Then, you've got a key and certificate that you should generate (.p12) bundle file from them: (on linux machine)
openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]
Now, just add the bundle file (.p12 file) to a keystore (.jks) by executing the following command:
keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12