
I've created a keystore with an initial key-pair using the keytool -genkeypair command, then generated the CSR using the keytool -certreq command, then got it signed by our CA. Now that I got the CSR reply myCSRreply.cer, how do I incorporate the CSR reply with my original key-pair?

I've tried simply importing the CSR reply to my keystore using keytool -import command but that did not change my original key-pair. It simply added the CSR reply as another entry. I'm expecting it to change the issuer and thumbprint of my original key-pair.

I'm able to do what I want to achieve via KeyStore explorer as shown in the following screenshot but I need to know how to do this in command line.

[screenshot omitted]

If I tried importing where I specify the CSR reply file and the alias to my original key-pair, I'm getting the following error.

keytool error: java.lang.Exception: Failed to establish chain from reply

The command I used to import CSR back into my key-pair that generated that error:

keytool -keystore myKeyStore.pfx -importcert -file myCSRreply.cer -alias mykeypair

Question

  1. How do I import the CSR reply back into my key-pair via the command line such that it takes the thumbprint and the issuer of the CSR reply as the new attributes of my original key-pair? (I'm just assuming this is the expected outcome because when I generate a JWT using the private key that takes its thumbprint, authentication fails.)
  2. Is a CSR reply really meant to alter the thumbprint and issuer attributes of the key-pair from which the CSR was generated?
supertonsky

1 Answer


The command you're executing is fine. You don't have the complete certificate chain for the new certificate.

When you generated the mykeypair key pair, keytool wrapped mykeypair's public key in a self-signed certificate. (That's why you had to provide its expiration date and other details during generation.) As a result, it forms a complete certificate chain by itself; it's a root certificate. keytool always wants a complete certificate chain for every certificate.

When you attempt to import the CSR reply, you're importing a new certificate. At this time, keytool will try to build a certificate chain for it. keytool will search the key store and trust store until it reaches a trusted root certificate. If it can't do that, the import will fail.

Read the following documentation:

Import a Certificate for the CA

You now need to replace the self-signed certificate with a certificate chain, where each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA.

Before you import the certificate reply from a CA, you need one or more trusted certificates in your keystore or in the cacerts keystore file. See -importcert in Commands.

If the certificate reply is a certificate chain, then you need the top certificate of the chain. The root CA certificate that authenticates the public key of the CA.

If the certificate reply is a single certificate, then you need a certificate for the issuing CA (the one that signed it). If that certificate is not self-signed, then you need a certificate for its signer, and so on, up to a self-signed root CA certificate.

...

You import a certificate for two reasons: To add it to the list of trusted certificates, and to import a certificate reply received from a certificate authority (CA) as the result of submitting a Certificate Signing Request to that CA (see the -certreq option in Commands).

keytool Documentation

Rafael
  • I'm actually aware that the chain of certs needs to be imported. I just need to know how to do this in the command line. The GUI tool that I'm using is probably importing the cert chain automatically. But what's surprising is, once it's imported the chain, you won't see new certificates imported. Probably when it imports the CSR reply, it first imports the chain, then removes the cert chain after importing the CSR reply. But of course, that's just my assumption, as I couldn't think of any other explanation of how the GUI tool does it. – supertonsky Aug 15 '21 at 05:41
  • It's not up to KSE or keytool, though. Inspect the CA reply. Did the CA reply with a single cert or cert chain? – Rafael Aug 15 '21 at 18:27
  • Once you import the CA reply, the original self-signed cert is replaced. There's no point keeping it around. That defeats the purpose of getting it signed in the first place. – Rafael Aug 15 '21 at 18:41
  • Also, if the root CA is a public CA, you'll likely need to use the `-trustcacerts` option during import. – Rafael Aug 15 '21 at 19:28
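The full command-line sequence the answer and comments describe, as an added, runnable example that is not code from the question, the answer, or the keytool documentation: it builds a throwaway private CA with keytool itself, generates the key pair and CSR, signs the CSR with `keytool -gencert` (a stand-in for the real CA, which produces a single certificate rather than a chain), reproduces the "Failed to establish chain from reply" error, and then fixes it by importing the CA certificate as a trusted entry before importing the reply into the key-pair alias. The keystore file name, alias and import command are the ones from the question; the CA keystore name `ca.p12`, the subject names `CN=Example Test CA` and `CN=example.test`, the passwords and the work directory are constructed for the demo. It requires a JDK on the PATH.

```shell
#!/usr/bin/env bash
# Added demo, not code from the question or answer. It reproduces the
# "Failed to establish chain from reply" error with a throwaway CA and
# then fixes it by importing the CA certificate first.
# Constructed names: ca.p12, "CN=Example Test CA", "CN=example.test",
# the passwords and the work directory. Requires a JDK (keytool).

WORK="${WORK:-${TMPDIR:-/tmp}/keytool-reply-demo}"
KS="$WORK/myKeyStore.pfx"   # same file name as in the question
CA_KS="$WORK/ca.p12"        # constructed: private CA keystore
SP=changeit                 # constructed: keystore password
CAPASS=capass               # constructed: CA keystore password

# Throwaway CA: a self-signed key pair flagged as a CA (-ext bc:c), exported as PEM.
make_ca() {
  keytool -genkeypair -keystore "$CA_KS" -storetype PKCS12 -storepass "$CAPASS" \
    -keypass "$CAPASS" -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Test CA" -ext bc:c
  keytool -exportcert -keystore "$CA_KS" -storetype PKCS12 -storepass "$CAPASS" \
    -alias ca -rfc -file "$WORK/ca.cer"
}

# The asker's side: key pair wrapped in a self-signed cert, then a CSR for it.
make_keypair_and_csr() {
  keytool -genkeypair -keystore "$KS" -storetype PKCS12 -storepass "$SP" -keypass "$SP" \
    -alias mykeypair -keyalg RSA -keysize 2048 -validity 365 -dname "CN=example.test"
  keytool -certreq -keystore "$KS" -storetype PKCS12 -storepass "$SP" \
    -alias mykeypair -file "$WORK/mykeypair.csr"
}

# Stand-in for "got it signed by our CA": keytool -gencert issues a single
# end-entity certificate (no chain), the case the answer's quoted docs describe.
sign_csr() {
  keytool -gencert -keystore "$CA_KS" -storetype PKCS12 -storepass "$CAPASS" \
    -alias ca -validity 365 -rfc -infile "$WORK/mykeypair.csr" -outfile "$WORK/myCSRreply.cer"
}

# Import the CA certificate as a trusted entry under its own alias; keytool
# needs it to build the chain reply -> CA. -noprompt skips the "Trust this
# certificate?" question.
import_ca_as_trusted() {
  keytool -importcert -keystore "$KS" -storetype PKCS12 -storepass "$SP" \
    -alias ca -file "$WORK/ca.cer" -noprompt
}

# The command from the question: import the reply INTO the key-pair alias.
import_reply() {
  keytool -importcert -keystore "$KS" -storetype PKCS12 -storepass "$SP" \
    -alias mykeypair -file "$WORK/myCSRreply.cer" -noprompt
}

# Number of certificates now stored with the private key entry.
chain_length() {
  keytool -list -v -keystore "$KS" -storetype PKCS12 -storepass "$SP" -alias mykeypair 2>/dev/null |
    sed -n 's/^Certificate chain length: //p'
}

# Issuer of the first certificate in the chain (the end-entity certificate).
leaf_issuer() {
  keytool -list -v -keystore "$KS" -storetype PKCS12 -storepass "$SP" -alias mykeypair 2>/dev/null |
    sed -n 's/^Issuer: //p' | head -n 1
}

# Fingerprint ("thumbprint") of the entry's certificate: SHA-256 on current JDKs, SHA1 on JDK 8.
fingerprint() {
  keytool -list -keystore "$KS" -storetype PKCS12 -storepass "$SP" -alias mykeypair 2>/dev/null |
    sed -n 's/^Certificate fingerprint ([^)]*): //p'
}

run_demo() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; install a JDK" >&2; return 1; }
  rm -rf "$WORK" && mkdir -p "$WORK"
  make_ca >/dev/null 2>&1 && make_keypair_and_csr >/dev/null 2>&1 && sign_csr >/dev/null 2>&1 || return 1
  FP_BEFORE=$(fingerprint)

  # 1. Without the CA cert in the keystore the import fails, exactly as in the question.
  if import_reply >"$WORK/first-try.log" 2>&1; then
    echo "unexpected: import succeeded without the CA certificate" >&2; return 1
  fi
  echo "first try: $(tail -n 1 "$WORK/first-try.log")"

  # 2. Import the CA cert, then the reply is installed into the existing key entry
  #    (keytool reports "Certificate reply was installed in keystore").
  import_ca_as_trusted >/dev/null 2>&1 || return 1
  import_reply >/dev/null 2>&1 || return 1
  FP_AFTER=$(fingerprint)

  echo "chain length now: $(chain_length)"
  echo "leaf issuer now:  $(leaf_issuer)"
  echo "fingerprint changed: $([ "$FP_BEFORE" != "$FP_AFTER" ] && echo yes || echo no)"
}

run_demo
```

After the fix the entry still has the same alias and private key, but its chain is now two certificates long, the leaf's issuer is the CA, and the fingerprint has changed, which is the behaviour KeyStore Explorer shows in the question. With a real CA, inspect the reply first with `keytool -printcert -file myCSRreply.cer`: if it is a single certificate, every intermediate and the root must be imported as trusted entries before the reply (or be reachable with `-trustcacerts` when the root is in the JDK's cacerts, as the last comment notes); if it is a PKCS#7 chain, only the root is needed.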