Friday, January 6, 2017

Importing From OpenSSL to Keytool

Ignore the fact that this blog has been abandoned for months (or years!)!

I just need somewhere I can note this down without loosing it. Haha~

As it happens, the SSL certificate for the portal I was responsible for has expired on 15/12/2016. Well we did sent the renewal notice to the GPKI team a month earlier, but somehow our notice was lost in transit. Until we did a follow up on the day the certificate dies, we would never know it has been lost...

Before, the task of creating the CSR (Certificate Signing Request) file and what not are done by the vendor, but now with the vendor gone (and almost not replying to any of my messages) I took the liberty to get the job done myself. When the supplier request for a new CSR, since there was a problem with the previous CSR, I used OpenSSL to generate the key and CSR. I was entirely forgotten that Java already has Keytool.

The problem starts when the server domain was no longer accessible (was not sure whether its domain problem, or certificate problem..). Without knowing anything I simply import the certificate into a jks keystore. Simply!!

A Lesson on Keystore

Well.. in order for SSL to work for your browser, your server must have a keystore that keeps the following:

  • Your server certificate 
  • Your intermediate/CA (Certification Authority) certificate (or sometimes referred to as root certificate)
  • Your server public key
Mistake #1

I found out later in server.xml that the SSL connector uses the .jks keystore format (and I had no idea what keystore is even about.. sad..) The thing is... I generated the public key and CSR using OpenSSL when I should just have used Java Keytool. The CA got my certificate ready alright, but when I just simply import the certificate using Keytool I didn't know that the keystore should have the public key too, which, was created using OpenSSL..


After doing some digging on Google, I came across this solution. With the key that I created using OpenSSL and the certificate I got from the CA, I need to create a PKCS12 keystore first, then convert it into a JKS.

To generate the PKCS12 keystore, use to following command:
openssl pkcs12 -export -name  jks-alias -in servercertificate.crt -inkey server.key -out keystorename.p12
To convert from PKCS12 to JKS, use the following command:
keytool -importkeystore -destkeystore keystorename.jks -srckeystore keystorename.p12 -srcstoretype pkcs12 -alias jks-alias
Yeay! but I missed something, the intermediate certificate.

So I just imported the intermediate certificate to the JKS keystore using the keytool following command:
keytool -import -trustcacerts -alias jks-alias -file CAcertificate.crt
Use this command to verify JKS contents:
keytool -list -v -keystore keystorename.jks


My server certificate was validated, but my intermediate/CA certificate was not found, eventhough I have imported the intermediate/CA certificate. 

Seems like it just won't work like that.


I went digging again and this time I came across this solution. The problem in the post was similar. Turns out I need to make a certificate bundle  and generate another PKCS12 keystore.

Making a certificate bundle

Generally I followed the steps from this page. But, basically it is really simple. Using a text editor, copy all the certificates into one textfile in the following order:
  1. Your server certificate
  2. Your Intermediate certificate
  3. Your CA certificate (optional)
I only had 1 and 2. then I saved the file with .pem extension.

Then create another PKCS12 keystore using the same command, but with the .pem file:
openssl pkcs12 -export -name  jks-alias -in certificatebundle.pem -inkey server.key -out keystorename.p12
and use the same keytool command to convert the PKCS12 keystore to JKS keystore.


I restarted the Tomcat service et voila! My SSL works like a charm :)

No comments: