Importing Existing Certificates Into a KeyStore Using openssl

Matthew Cachia
Java User Group (Malta)
3 min read · Jan 31, 2016

UPDATE: I have recently come across this great article: Everything You Ever Wanted to Know About SSL (but Were Afraid to Ask). It is very well written–I highly recommend you give it a proper read as well.

If you’re like me (unfamiliar with the nitty-gritty details that go on when setting up a server) and are having problems importing an existing certificate into your web container, then this article might be just for you.

This article is an all-in-one which shows you, from A to Z, how to bundle an existing certificate, its intermediate chain and its private key into a keystore that Java can load, ready to be used by your web container of choice (Tomcat, JBoss, Glassfish, and more). The command at the end produces a PKCS#12 file; Java treats that as a keystore of type PKCS12, and keytool can convert it to the older JKS format if your container insists on it.

  • Certificates are typically issued by Certificate Authorities (CAs, like GoSSL and COMODO): issuing bodies that leading web browsers trust and rely on to verify that your website really is who it claims to be.
  • A Certificate Authority provides you with a chain of certificates to download: the certificate issued for your domain (the end-entity or leaf certificate) and usually one or more intermediate certificates† that link it to the CA’s root certificate, which browsers already have.
  • Your domain certificate only validates if the intermediates that connect it to the root are presented along with it, and in a particular order: each certificate is followed by the one that issued it. We’ll dive more in depth about this in the coming section(s).
  • Furthermore, a certificate is useless without its private key. The key pair was generated by the owner buying the certificate when creating the certificate signing request; the CA never sees the private key, so it is NOT stored on the issuer’s side and is not recoverable if it gets lost. You may need to ask whoever requested the certificate for this file.

† The difference between root, intermediate and end-entity certificates is beyond the scope of this how-to. There are great articles on the web which fully explain certificates in depth.

For the purpose of this article, let’s assume we have been provided the following certificate chain:

  • int1.crt and int2.crt: the two intermediate certificates (int1.crt is issued by the CA’s root, and int2.crt by int1.crt),
  • domain.crt: the certificate issued for our domain (the end-entity certificate, signed by int2.crt; it is the one you bought, not a root certificate), and
  • priv.keystore: the private key matching domain.crt. Despite the name it is a PEM private key file, which is what openssl’s -inkey option reads below, not a Java KeyStore.

Verifying the Files

This section helps you check that your certificates are valid and fit together. You can skip to the next section if you’re already confident they do.

You can check a certificate with openssl verify. The first intermediate certificate int1.crt verifies on its own, because the root that issued it is already in your system’s trust store:

$ openssl verify int1.crt
int1.crt: OK

‘OK’ means openssl could build a chain from the certificate to a trusted root. Now, if we try the same thing on int2.crt:

$ openssl verify int2.crt
error 20 at 0 depth lookup:unable to get local issuer certificate

Uh-oh, something is wrong! Error 20, unable to get local issuer certificate, means openssl could not find the certificate that issued int2.crt. That issuer is int1.crt, which is not in the system trust store, so we hand it to openssl ourselves:

$ openssl verify -CAfile int1.crt int2.crt
int2.crt: OK

That is much better. (Strictly, -CAfile tells openssl to treat int1.crt as a trusted root, which it is not; the -untrusted option is the accurate way to supply an intermediate. It gives the same result here because int1.crt chains to a root in the system store either way.)

Now for the tricky part: domain.crt was issued by int2.crt, which was in turn issued by int1.crt, so openssl needs both intermediates to build the chain. We therefore concatenate both into one bundle (the order inside the file does not matter to openssl) …

$ cat int1.crt int2.crt > int1int2.crt

… and then verify the domain certificate against the bundle:

$ openssl verify -CAfile int1int2.crt domain.crt
domain.crt: OK

Great: your certificates are valid and fit together, and you’re ready to bundle them into a keystore in the next section!

Converting the Certificate Into a KeyStore

We’re almost there! Run openssl pkcs12 to bundle the certificate, its chain and its private key into a keystore:

openssl pkcs12 -export -chain -CAfile int1int2.crt -in domain.crt -inkey priv.keystore -out <certificate>.keystore -name ssl -passout pass:<password>

In layman’s terms, the above command takes domain.crt and its private key from priv.keystore and writes them into <certificate>.keystore under the alias ssl (-name ssl; your container refers to the entry by this alias). The -chain option makes openssl walk from domain.crt up through the intermediates in int1int2.crt to a root in the system trust store and include every certificate on the way, so the container can present the full chain; if openssl cannot reach a trusted root, the export fails with the same unable to get local issuer certificate error seen in the previous section. The result is a PKCS#12 file, not a JKS, whatever extension you give it: Java loads it as a keystore of type PKCS12 (in Tomcat, keystoreType="PKCS12"), and keytool’s -importkeystore option converts it to JKS if your container requires that format.

Not sure from where int1int2.crt has emerged? You might want to give the previous section —Verifying the Files — a quick read.

Of course, change the <certificate> and <password> placeholders to your liking. Keep the password handy as you will need it later in your web container. Be aware that -passout pass:<password> puts the password on the command line, where it lands in your shell history and is visible to other users of the machine in the process list while openssl runs; openssl also accepts -passout env:VARIABLE or -passout file:PATH if you would rather keep it out of sight.
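The whole procedure end to end, as an added example that is not part of the original article: a POSIX shell script that builds a throw-away test PKI (a self-signed root, two intermediates and a leaf certificate for www.example.test, all constructed here, so nothing real is touched), reproduces the error-20 failure, verifies the chain in presentation order, and packages domain.crt, its chain and its key into a PKCS#12 keystore. It departs from the article’s commands in three places, each marked in the code: the intermediates are passed to openssl verify with -untrusted rather than -CAfile, the root is given explicitly with -CAfile only because the test root is not in the system store, and the export uses -certfile plus a password from the environment instead of -chain/-CAfile and pass:. All file names, subject names and the changeit password are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a throw-away
# test PKI (root -> int1 -> int2 -> domain.crt), then walks the article's
# steps: verify, check chain order, export to a PKCS#12 keystore. Every
# certificate, subject name and the password are constructed for this demo.
set -eu

P12_PASS=${P12_PASS:-changeit}   # assumed demo password, passed via env:, not argv
export P12_PASS

# issue_cert SUBJ KEY CSR CRT EXTFILE [CA_CRT CA_KEY]
# Generate a key and CSR, then sign with the given CA; with no CA arguments
# the certificate is self-signed (the test root).
issue_cert() {
  subj=$1 key=$2 csr=$3 crt=$4 ext=$5
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$key" -out "$csr" 2>/dev/null
  if [ $# -ge 7 ]; then
    openssl x509 -req -in "$csr" -CA "$6" -CAkey "$7" -CAcreateserial \
      -days 30 -sha256 -extfile "$ext" -out "$crt" 2>/dev/null
  else
    openssl x509 -req -in "$csr" -signkey "$key" \
      -days 30 -sha256 -extfile "$ext" -out "$crt" 2>/dev/null
  fi
}

# make_test_pki DIR: the article's four files (plus the test root) under DIR.
# int1 is issued by the root, int2 by int1 and domain.crt by int2.
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' \
    > "$d/leaf.ext"
  issue_cert "/CN=Test Root"  "$d/root.key" "$d/root.csr" "$d/root.crt" "$d/ca.ext"
  issue_cert "/CN=Test Int 1" "$d/int1.key" "$d/int1.csr" "$d/int1.crt" "$d/ca.ext" \
    "$d/root.crt" "$d/root.key"
  issue_cert "/CN=Test Int 2" "$d/int2.key" "$d/int2.csr" "$d/int2.crt" "$d/ca.ext" \
    "$d/int1.crt" "$d/int1.key"
  issue_cert "/CN=www.example.test" "$d/priv.key" "$d/domain.csr" "$d/domain.crt" \
    "$d/leaf.ext" "$d/int2.crt" "$d/int2.key"
  cat "$d/int1.crt" "$d/int2.crt" > "$d/int1int2.crt"   # the article's bundle
}

# verify_without_chain ROOT CERT: the article's failing step (error 20).
verify_without_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_chain ROOT BUNDLE CERT: intermediates go in with -untrusted, which
# lets openssl use them to build the chain without treating them as roots.
# With a real CA you would drop -CAfile and let the system store supply ROOT.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# dn FIELD FILE: subject or issuer DN of FILE without the "subject="/"issuer="
# prefix, so the two can be compared as plain strings.
dn() {
  openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# chain_order_ok CERT ISSUER [ISSUER...]: succeeds only if each certificate was
# issued by the next one, i.e. the list is in the order a server presents it.
chain_order_ok() {
  while [ $# -gt 1 ]; do
    [ "$(dn issuer "$1")" = "$(dn subject "$2")" ] || return 1
    shift
  done
}

# build_keystore CERT KEY BUNDLE OUT: the article's conversion step, using
# -certfile (include exactly these intermediates, no trust-store lookup) and a
# password from the environment instead of one visible in the process list.
build_keystore() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name ssl \
    -out "$4" -passout env:P12_PASS 2>/dev/null
}

# keystore_cert_count FILE: number of certificates stored in the PKCS#12 file.
keystore_cert_count() {
  openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# keystore_has_alias FILE ALIAS: is the entry stored under ALIAS (-name)?
keystore_has_alias() {
  openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS 2>/dev/null \
    | grep -q "friendlyName: $2"
}

main() {
  work=$(mktemp -d)
  make_test_pki "$work"
  if verify_without_chain "$work/root.crt" "$work/domain.crt"; then
    echo "unexpected: domain.crt verified without its intermediates"; return 1
  fi
  echo "domain.crt alone: unable to get local issuer certificate, as in the article"
  verify_chain "$work/root.crt" "$work/int1int2.crt" "$work/domain.crt"
  echo "domain.crt with int1int2.crt: OK"
  chain_order_ok "$work/domain.crt" "$work/int2.crt" "$work/int1.crt" "$work/root.crt"
  echo "presentation order domain.crt, int2.crt, int1.crt, root: OK"
  build_keystore "$work/domain.crt" "$work/priv.key" "$work/int1int2.crt" "$work/server.p12"
  echo "server.p12 holds $(keystore_cert_count "$work/server.p12") certificates under alias ssl"
  rm -rf "$work"
}

main
```

Run it with sh and it prints the result of each step. With a real certificate you would skip make_test_pki, keep -untrusted for the intermediate bundle, leave out -CAfile root.crt so openssl uses the system trust store, and hand server.p12 to the container (for Tomcat, keystore type PKCS12 and key alias ssl).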

That’s it, I hope that helps! You can now use your keystore in your web container. There are plenty of articles on how to do this online, but the following are fine examples for the two leading web containers:

No one likes another outdated article. If you feel it can be improved or kept up-to-date, I would very much appreciate you getting in touch with me over Twitter @mcac0006.
