9

I'm trying to import a p7b file from a third party into a Java trust store. It looks like the p7b contains a root cert and a public key.

I'm trying to import it using a command similar to

keytool -importcert -file certs.p7b -keystore dave.jks -storetype JCEKS -trustcacerts

When the file was presented to me by the third party, they did not tell me what the alias of the public key is.

Am I right in thinking that I can't import it without knowing this information?

DaveH
  • 7,187
  • 5
  • 32
  • 53
  • 1
    p7b/p7c can contain only certs, not a bare publickey. (A Java keystore or truststore can't either.) It _often_ contains certs that form a chain: end-entity e.g. server, intermediate (usually one, sometimes more), root/anchor. But it makes no sense to import a chain to a relier truststore; you only need the anchor. Certs in a p7b/p7c don't have aliases, but Java keystore entries do, so you need to choose or default alias when you import a (one!) trusted cert to a truststore. To see what you have in the p7b, use `keytool -printcert -file whatever.p7b` or ... – dave_thompson_085 Jan 30 '19 at 18:07
  • ... if you have OpenSSL `openssl pkcs7 -print_certs [-text] -in whatever.p7b` – dave_thompson_085 Jan 30 '19 at 18:09
  • Thanks Dave - I'm very shaky around the difference between certs and public keys, so it's likely I've confused the terms. The keytool command you suggest gives `keytool error: java.lang.Exception: Failed to parse input` - the openssl command gave `unable to load PKCS7 object 13060:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: PKCS7`. I *can* open the file using the KeyStoreExplorer utility though – DaveH Jan 31 '19 at 06:50
  • 1
    Then either it's not a p7 or it's not PEM. If you look at it with a text editor does it consist of lines with one starting `-----BEGIN` then several lines of base64 followed by a line starting `-----END` and if so what is the word or words after BEGIN/END? If it's not text i.e. it's mostly undisplayed or 'dingbat' characters, try adding `-inform der` to the `openssl pkcs7` command. – dave_thompson_085 Feb 02 '19 at 11:35

1 Answer

6

It is quite an old question, but I just faced the same problem, so I will post what I did.

We had a .p7b file from a public agency holding a certificate chain that had to be accepted in our system. As it had a certificate chain, it could not be imported directly into a p12 file, so first I inspected it with openssl:

openssl pkcs7 -print_certs -inform der -in file.p7b

This command gives a list of aliases and base64-encoded certificates:

subject=LONG CERTIFICATE1 COMMONNAME WITH ESCAPE SEQUENCES
issuer=LONG CERTIFICATE1'S ISSUER COMMONNAME
-----BEGIN CERTIFICATE-----
long base64 string
-----END CERTIFICATE-----

subject=LONG CERTIFICATE2 COMMONNAME WITH ESCAPE SEQUENCES
issuer=LONG CERTIFICATE2'S ISSUER COMMONNAME
-----BEGIN CERTIFICATE-----
long base64 string
-----END CERTIFICATE-----

This list was quite long, as the .p7b file held several certificates.

The next step was to copy all fragments between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and store them in different files with a .pem extension:

certificate1.pem
certificate2.pem
...

And then import them into the keystore, using the long common name as the alias:

keytool -alias "LONG CERTIFICATE1 COMMONNAME WITH ESCAPE SEQUENCES" -importcert -trustcacerts -file certificate1.pem -keystore trustcerts.p12 -storetype PKCS12
keytool -alias "LONG CERTIFICATE2 COMMONNAME WITH ESCAPE SEQUENCES" -importcert -trustcacerts -file certificate2.pem -keystore trustcerts.p12 -storetype PKCS12

After this, we had a pkcs12 keystore with all the .p7b certificates.

SJuan76
  • 24,532
  • 6
  • 47
  • 87
Oscar Pérez
  • 4,377
  • 1
  • 17
  • 36
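The procedure in the answer (dump the p7b with openssl, split the output into one PEM file per certificate, import each with keytool) done as a script, added here as an example and not part of the original answer. It assumes `openssl` and `keytool` are on PATH, a DER-encoded p7b as in the answer, and derives each alias from the subject CN; the sample at the bottom is constructed text in the `-print_certs` layout, not real certificates.

```shell
# Split "openssl pkcs7 -print_certs" output into one PEM file per certificate and
# import each into a PKCS12 truststore with keytool, alias = subject CN. Assumes openssl
# and keytool on PATH; handles both "/C=..//CN=.." and "C = .., CN = .." subject styles.

# split_certs <print_certs_output> <outdir>
# Writes <outdir>/cert-N.pem per certificate and prints "N<TAB>alias" lines.
split_certs() {
  src="$1"; out="$2"
  mkdir -p "$out"
  awk -v out="$out" '
    /^subject=/ { subj = substr($0, 9) }             # subject line belongs to the next cert
    /^-----BEGIN CERTIFICATE-----/ { n++; file = out "/cert-" n ".pem"; inblock = 1 }
    inblock { print > file }
    /^-----END CERTIFICATE-----/ {
      inblock = 0; close(file)
      alias = "cert-" n                              # fallback when the subject has no CN
      if (match(subj, "CN *= *[^,/]+")) {            # pull the CN out of the subject DN
        alias = substr(subj, RSTART, RLENGTH); sub("^CN *= *", "", alias)
      }
      printf "%d\t%s\n", n, alias; subj = ""
    }' "$src"
}
# import_all <outdir> <keystore.p12> <storepass>: reads the "N<TAB>alias" lines on stdin.
import_all() {
  out="$1"; ks="$2"; pass="$3"
  while IFS="$(printf '\t')" read -r n alias; do
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
      -file "$out/cert-$n.pem" -keystore "$ks" -storetype PKCS12 -storepass "$pass"
  done
}
# import_p7b <file.p7b> <keystore.p12> <storepass>: the whole procedure from the answer.
import_p7b() {
  work=$(mktemp -d)
  openssl pkcs7 -print_certs -inform der -in "$1" > "$work/certs.txt"
  split_certs "$work/certs.txt" "$work/pem" | import_all "$work/pem" "$2" "$3"
}
# Constructed sample in the print_certs format shown above (not real certificates).
SAMPLE='subject=C = ES, O = Public Agency, CN = Agency Root CA
issuer=C = ES, O = Public Agency, CN = Agency Root CA
-----BEGIN CERTIFICATE-----
MIIBsampleRootBase64
-----END CERTIFICATE-----

subject=/C=ES/O=Public Agency/CN=Agency Issuing CA
issuer=/C=ES/O=Public Agency/CN=Agency Root CA
-----BEGIN CERTIFICATE-----
MIIBsampleIssuingBase64
-----END CERTIFICATE-----
'
```

Run it as `import_p7b file.p7b trustcerts.p12 "$STOREPASS"`; afterwards `keytool -list -keystore trustcerts.p12 -storetype PKCS12` shows one trusted entry per certificate, named by CN.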