Vladimir Bezugliy Vladimir Bezugliy - 1 month ago 14
Java Question

How to add certificate chain to keystore?

I have file with chain of certificates - certificate.cer:

subject=/C...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/O=VeriSign, Inc...
issuer=/C=US/O=VeriSign, Inc...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


I need to add this chain of certificates to keystore.

What I do:

openssl x509 -outform der -in certificate.cer -out cert.der
keytool -v -importcert -alias mykey -file cert.der -keypass <passwd> -keystore keystore -storepass <passwd> -alias <myalias>


In result I have only 1 certificate in keystore.

But should have 3.

What could be wrong?

SOLUTION:

CA sent me certificates in PKCS#7 format.

I stored them in certificate.p7b file and then successfully added them to keystore by following command:

keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"

Answer

From the keytool man - it imports certificate chain, if input is given in PKCS#7 format, otherwise only the single certificate is imported. You should be able to convert certificates to PKCS#7 format with openssl, via openssl crl2pkcs7 command.

Comments