How to add a certificate chain to a JKS

Question

I have a certificate chain called: cert.cer with the content of:

subject= ... OU=MyCA
issuer= ... OU=MyCA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject= ... OU=Client
issuer= .. OU=MyCA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

---

I tried to add this chain to JKS by calling:

keytool -import -trustcacerts -file cert.cer -keystore sample.keystore -storepass 123456 -alias chain

, which only adds the top level certificate of OU=MyCA.

How do I add this chain correctly to the JavaKeyStore (JKS)?

Answer 1

Ok, I ran your command to combine certificate in PKCS7 format:

openssl > crl2pkcs7 -nocrl -certfile a.crt -certfile b.crt -out outfile.p7b

It Worked.
Then I tried to import the PKCS#7 file to JKS file using following command as you said:

keytool -import -trustcacerts -file outfile.p7b -keystore keystore1.jks -storepass 123456 -alias chain

It did not work.
Then I researched a little and found that, I need to the certificate chain in a file either in Base64 format or in Der format. I had Base64 format file. So, I tried to concat the file using following windows command:

copy /b a.crt+b.crt c.crt

The linux command would be:

cat a.crt b.crt > c.crt

So the output file looked like this:

-----BEGIN CERTIFICATE-----
..............................
..............................
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
...............................
...............................
-----END CERTIFICATE-----

Then, tried to import the certificate chain in JKS using the above command. It worked. Then, I try to see the the certificate list from the keystore. For that I ran following command:

keytool -list -v -keystore keystore1.jks

But it said, Only "1 entry is found" and one certificate was shown. As the keystore was not load with full certificate chain the experiment failed.
So, I tried to convert the PKCS#7 file in certificate chain by using following openssl command:

pkcs7 -print_certs -in outfile.p7b -out certificates.cer

The output file looks exactly like yours, started with subject dn and issuer dn and then header and footer. Then I tried to store the certificates from the 'certificates.cer' to a jks file 'keystore1.jks'. But, Again, after import, it is showing that, the keystore has only one certificate. So, the issuer dn and subject dn were not a problem.
Then I tried to convert the Base64 file to Der file and then tried to concat the data:

openssl x509 -in a.crt -outform DER -out aa.crt
openssl x509 -in b.crt -outform DER -out bb.crt
copy /b aa.crt+bb.crt cc.crt

Then, I tried to import the der concated file to JKS. But again only one certificate was imported.

I really thought about what could really wrong I am doing. So, I looked for the source code of KeyTool and found the method where the certificate or certificate chain was being imported.

Imports a JDK 1.1-style identity database. We can only store one certificate per identity, because we use the identity's name as the alias (which references a keystore entry), and aliases must be unique.

And I am surprised that, their code convert the inputstream to List of certificate but they work with only one certificate of the certificate (first one).

if (certs!=null && certs.length>0) {
      // we can only store one user cert per identity.
      // convert old-style to new-style cert via the encoding
         DerOutputStream dos = new DerOutputStream()
         certs[0].encode(dos);
         .............................

So there is nothing we can do to add multiple certificate at once. There policy is one certificate for one entry. So, if you have multiple certificate to entry you have to make entry them individually. Or, write some java code to make our work easy (I always do this).
Sorry for making this so long. But hopefully this will clear most of your confusion.

Answer 2

There are two kinds of entries in a JKS-type KeyStore:

• a PrivateKey entry contains a privatekey and the cert or chain of certs for that privatekey

• a TrustedCert entry contains exactly one cert and no privatekey

The generic KeyStore interface allows a third kind of entry for a SecretKey but it is not supported by JKS, only the much-less-used JCEKS and I believe a BouncyCastle format.

I found your other question https://security.stackexchange.com/questions/95945/how-to-add-a-certificate-chain-to-a-jks which explains why you correctly don't want a privatekey entry. However, most of the instructions you'll find for keytool etc. are about attaching a chain (usually returned from a CA) to a privatekey, and gloss over the fact that you cannot store a chain of certs as one entry without a privatekey.

So yes you must enter each cert separately. However, that does not necessarily mean you must fetch each cert separately. CertPathBuilder exists precisely to extract from a truststore such as (but not only) a JKS all the certs forming a valid chain. Unfortunately the bells and whistles needed to make CertPathBuilder (and specifically "PKIX") work right for SSL/TLS make it rather clumsy to use for simpler applications, so you might prefer to just fetch the certs.

PS- concatenated PEM certs do work where a chain is allowed (only with a privatekey) but the example you show is not valid. The -----BEGIN and -----END lines are supposed to be separate lines, NOT run together like you have them.