
I received a new certificate in crt / cert format. When I open this file in a text editor they added the complete certificate chain to this file. Each certificate starts with:

-----BEGIN CERTIFICATE-----

And ends with:

-----END CERTIFICATE-----

There are no empty lines in between. Since I am not familiar with openssl, I opened up the certificate in Windows and exported the certificate with the complete chain in PKCS#7 format (test.p7b). When I open this file all looks fine in Windows and the root, intermediate and the certificate are all there in the chain.

When I put the file test.p7b on the server and try to import this with keytool as follows:

keytool -import -trustcacerts -alias my.domain.com -keystore my.domain.keystore -keypass changeme -storepass changeme -file test.p7b

I get the following error:

keytool error: java.lang.Exception: Input not an X.509 certificate

When I test the P7B file I also get errors:

bash-4.1$ openssl x509 -in test.p7b -text
unable to load certificate
140009984849736:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE

or:

bash-4.1$ openssl x509 -in test.p7b -inform DER -text
unable to load certificate
140396587853640:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140396587853640:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509_CINF
140396587853640:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=cert_info, Type=X509

Can someone help me out?

Mark Veenstra

1 Answer


When importing a certificate chain, keytool expects the certificates to be loaded in DER form. You can create such a bundle with openssl:

1 - Convert all certificates to DER format

openssl x509 -in certificate.pem -outform DER -out certificate.crt

2 - Concat all DER certificates into one single file

cat cert1.crt cert2.crt ... > chain.der

3 - Now you can import the chain into your keystore with keytool

keytool -importcert -trustcacerts -alias <myalias> -file chain.der -keystore keystore.jks -storepass <mypassword>

Note that myalias MUST be the same as the one used when the key was generated.

4 - Verify that the chain was successfully imported

keytool -list -v -keystore keystore.jks
Jcs
  • This certificate is not our own certificate, but a certificate received from our client. Should I then ask our client which alias they used when they created the key? And with the key created question, do you mean the certificate signing request (CSR)? – Mark Veenstra Oct 28 '13 at 14:26
  • Also when I verify I get the following output: `Your keystore contains 1 entry`. Would that be correct? – Mark Veenstra Oct 28 '13 at 14:51
  • You can find the alias with the keytool list command `keytool -list -keystore keystore.jks`. `Your keystore contains 1 entry` is fine. The alias should be printed on the next line: `, Oct 28, 2013, PrivateKeyEntry,` – Jcs Oct 28 '13 at 15:15
  • That would be the alias I gave it. That would not be the alias that is the same as when the key was generated. I am confused here – Mark Veenstra Oct 28 '13 at 15:26
  • It sounds like your keystore contains only the certificate and not the original corresponding private key. If that's true, you don't need the key entry alias. You can use whatever alias you want to specify the certificate entry in the keystore. – gtrig Oct 29 '13 at 06:14
  • "openssl -in" expects a .pem file and throws an error on .p7b – Pavel Laskov Mar 31 '15 at 09:07
  • I don't see how this solves the problem the OP asked. The command provided here doesn't even work with p7b files, which is the whole point of the first question – uh_big_mike_boi Feb 09 '16 at 17:16
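The script below is an added, self-contained example; it is not code from the question, the answer or the comments above. It covers both things the thread talks about: the back-to-back PEM bundle and the DER-encoded PKCS#7 (.p7b) export that the question describes, and the split / convert-to-DER / concatenate / import steps that the answer gives. Because the real certificates are not on the page, it first builds a constructed three-certificate chain (root, intermediate, leaf) with openssl, so everything runs offline. It then shows why `openssl x509` fails on the .p7b (the outer structure is a PKCS#7 ContentInfo, not a Certificate, hence "wrong tag"), unpacks the .p7b with `openssl pkcs7 -print_certs`, and only then builds the DER bundle the answer hands to keytool. Assumed: openssl is on PATH; keytool is optional and the step is skipped when it is missing; all names (my.domain.com, Example Root CA, the file names, the password changeme) are invented for the example.

```shell
#!/bin/sh
# Added example: constructed chain + the formats from the question + the
# answer's keytool steps. Not code from the original post. Assumes openssl;
# keytool is optional. All names and the password are made up.
set -eu

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Step 0: a constructed root -> intermediate -> leaf chain, with the
# extensions that make `openssl verify` accept the intermediate as a CA.
build_chain() {
  [ -f chain.pem ] && return 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my.domain.com\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj '/CN=Example Root CA' 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
      -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
      -subj '/CN=Example Intermediate CA' 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca.ext -out int.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj '/CN=my.domain.com' 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
  openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null
  # The file the question describes: three PEM blocks, no blank lines.
  cat leaf.crt int.crt root.crt > chain.pem
  # The Windows export the question describes: the same chain as DER PKCS#7.
  openssl crl2pkcs7 -nocrl -certfile chain.pem -outform DER -out chain.p7b
}

# Number of certificates in a PEM bundle.
count_pem_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# `openssl x509` reads exactly one Certificate; a .p7b starts with a PKCS#7
# ContentInfo, so it fails with "wrong tag" (DER) or "no start line" (PEM).
x509_rejects_p7b() {
  if openssl x509 -inform DER -in chain.p7b -noout >/dev/null 2>&1; then return 1; fi
  return 0
}

# The tool that does understand a .p7b: unpack it back into PEM certificates.
unpack_p7b() {
  openssl pkcs7 -inform DER -in chain.p7b -print_certs -out from_p7b.pem
  count_pem_certs from_p7b.pem
}

# The answer's steps 1 and 2: one file per PEM block (awk opens a new output
# file at every BEGIN line), each converted to DER, then concatenated.
build_der_bundle() {
  rm -f chain.der cert[0-9]*.pem
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > ("cert" n ".pem") }' chain.pem
  for f in cert[0-9]*.pem; do
    openssl x509 -in "$f" -outform DER >> chain.der
  done
  # The first object in the bundle is the leaf; prints 1 when that holds.
  openssl x509 -inform DER -in chain.der -noout -subject | grep -c 'my.domain.com'
}

# The answer's steps 3 and 4, only when a JDK is installed.
import_with_keytool() {
  command -v keytool >/dev/null 2>&1 || { echo 'keytool not found; skipping import'; return 0; }
  rm -f keystore.jks
  keytool -importcert -noprompt -trustcacerts -alias my.domain.com -file chain.der \
      -keystore keystore.jks -storepass changeme
  keytool -list -v -keystore keystore.jks -storepass changeme
}

build_chain
echo "PEM bundle holds $(count_pem_certs chain.pem) certificates"
x509_rejects_p7b && echo 'openssl x509 cannot read the .p7b, as in the question'
echo "openssl pkcs7 recovered $(unpack_p7b) certificates from the .p7b"
build_der_bundle >/dev/null && echo 'chain.der built, leaf first'
import_with_keytool || echo 'keytool step failed'
```

Two practical notes. First, keytool without a matching PrivateKeyEntry stores the input as a single trusted-certificate entry, which is what the comments above are getting at: the alias is then just a label you choose. Second, if you receive a .p7b, `openssl pkcs7 -print_certs` is the shortest way back to plain PEM certificates; the `openssl x509` errors in the question are simply that tool being asked to parse the wrong ASN.1 structure.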