My client send me three files from Go-Daddy (86f8ac00fcd77994.crt, 86f8ac00fcd77994.pem and gd_bundle-g2-g1.crt). I need create a jks keystore from this files. Is it possible? Thanks!
PD: Sorry for my english!
Asked
Active
Viewed 595 times
1 Answers
1
Yes but you don't want to.
Java uses keystore files like JKS, and KeyStore objects in memory, to store two (or three) different kinds of information but many people imprecisely call both of them certificates and don't understand the huge and critical difference. Specifically (and changing the order from the javadoc):
a TrustedCertificate entry contains "[one] certificate ... belonging to another party. .... This type of entry can be used to authenticate other parties."
a PrivateKey entry contains a privatekey PLUS a certificate CHAIN "used by a given entity for self-authentication".
for completeness, some keystores can contain a SecretKey entry, but JKS cannot, and even with those that can this capability is rarely used.
The files you have are all certificates (one in the hex-named files, several in the bundle file), not privatekeys. You can import each of them into a TrustedCert entry, but TrustedCert entries are only used to validate the other end of a communication -- i.e. when you connect to a server, the TrustedCert entries are used to validate that server's cert, and if you accept connection from a client and request client auth (which is not the default and is rare), the TrustedCert entries are used to validate that client's cert. But since this cert was issued by GoDaddy, if it is used correctly (with its chain) by a server or client you communicate with, you don't need any TrustedCert entries because it validates against a root already in Java's default truststore.
If you wanted to use this cert to authenticate 'yourself' (that is, your system) -- for example if you wanted to run a TLS server (possibly but not necessarily an HTTPS web server) identified by this cert -- you would need a PrivateKey entry, not any TrustedCert entries, and you can't create a PrivateKey entry because you don't have the privatekey. The person who obtained this certificate from GoDaddy does have the privatekey, because the certificate request process requires it, so they could e.g. run a server, but they didn't give it to you so you can't.
Thus the answer to the question you asked -- can you put these certs in a JKS -- is yes, you can. But it's a complete waste of time, because the resulting JKS cannot be used for anything and is worthless.
dave_thompson_085
- 34,712
- 6
- 50
- 70
-
Thanks! I understand! – Martin Amori Nov 13 '20 at 10:51