How to import a jks certificate in java trust store
How do I import a .jks file into the Java security truststore? All the tutorials I'm seeing use a ".crt" file. However, I only have the ".jks" file, which is also the keystore I generated using the keytool command.

Currently, I'm following this tutorial.

I was able to generate a Java keystore and key pair and generate a certificate signing request (CSR) for an existing Java keystore, which is based on the tutorial. But I cannot import a root or intermediate CA certificate to an existing Java keystore, and import a signed primary certificate to an existing Java keystore, because it is looking for a ".cert" file.

Am I missing something on the steps listed on the tutorial? How can I trust a certificate if the only file I have is the ".jks" file? And what is the use of the ".csr" file?

Please note that I'm using Windows.

Jilljillana asked 28/7, 2012 at 10:17

Could you indicate what you are trying to achieve? Are you trying to set up a server? Or are you trying to use client authentication? Or both? Are you using a specific framework at the client and/or the server? (Calchas)
I'm not using any framework. I'm trying to do a server authentication. I need to validate if the server I'm connecting to is legitimate given the certificate. (Jilljillana)
So you have a client, no server and you've been given a .jks keystore to work with? If you are just the client and you are not using client authentication then you don't need to generate a key pair. (Calchas)

The ".jks" is the truststore, or at least it should be if you assign it to JSSE. You should add the certificates from your CA to that file. The software will then look up the certificate chain by iterating through the certificates. The private key should remain in the (password protected) ".jks" file.

In other words, you should import certificates into the ".jks", not export certificates out of it. You may have to download the certificates of your specific provider separately if they are not included in the response to your certificate request. You probably could export them from your favourite browser as well. Normally these are stored in X.509 DER format (which should be compatible with the Java keytool).

Steps (in general):

  1. Generate a key pair & cert request, store into new or existing key store (.jks)
  2. Send the certificate request to be signed, obtain chain starting with the certificate that you requested
  3. Import certificate chain into key store with private key
  4. Generate new or use existing key store for the party that needs to do the verification (at least one or more clients when using SSL), and import the certificate chain
  5. Trust a certificate in the certificate chain in the above key store, probably the topmost certificate (the "root" certificate).
  6. Configure and test the parties, e.g. a server using the key store with the private key and multiple clients using the latter key store.
Calchas answered 28/7, 2012 at 10:35

Thanks for clearing that out! I used to think that adding a certificate inside a keystore means that you're actually adding the certificate inside the JVM, not just a single keystore file. Can you teach me how to set Java to trust a self-signed certificate when using HttpsURLConnection without setting it to trust all certificates? (Jilljillana)
Nope, but I don't have to. Normally you would configure a Java application to use a specific key by alias. Java will only accept this alias if it can find the whole certificate chain, but for self-signed certificates that chain will have a length of 1. You only need to trust certificates at the other end-point where you don't have the private key. E.g. when creating a connection a client will try and see if it can build a chain to a trusted certificate that is valid at a particular time. For this you need to append to or create a key store, and import & trust the self-signed certificate. (Calchas)
Thanks! Yes, I'll be needing it because I'm developing the client side. (Jilljillana)
Yes. Thanks, owlstead! But I'm still missing something. Will be searching for a solution for it first and if I can't I'll just post another question. Thanks again! (Jilljillana)
# Use keytool to generate a self-signed certificate and install the certificate in the client machine's JDK security keystore path.

# generate a certificate using a JKS format keystore
keytool -genkey -alias selfrest -keyalg RSA -keypass pass123 -storetype JKS -keystore selfsigned.jks -storepass pass123 -validity 360 -keysize 2048

# To check the content of the keystore, we can use keytool again:
keytool -list -v -keystore selfsigned.jks

# Export the self-signed certificate into a .cer file
keytool -exportcert -alias selfrest -keystore selfsigned.jks -file selfsigned.cer

# (Run as Administrator to open CMD.exe)
# Install the self-signed certificate into the Java JDK CA certificate keystore path
# to avoid giving the certificate path in the client program.
keytool -import -alias selfrest -keystore "C:\Program Files\Java\jdk1.8.0_181\jre\lib\security\cacerts" -file selfsigned.cer

# List the certificates stored in the JDK keystore, which now include the one you just imported into the JDK security path.
keytool -list -keystore "%JAVA_HOME%\jre\lib\security\cacerts"
Pivoting answered 8/11, 2018 at 10:1

That helped me trust the generated certificate in the macOS keychain after exporting the self-signed certificate. Thanks. (Sheridansherie)
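Putting the two answers together in code, as an added example that is neither answer's own: the first method does through the KeyStore API what the keytool -import command above does (adds a .cer as a trusted entry to a JKS truststore), and the second does what Jilljillana asked Calchas about, making HttpsURLConnection trust only that truststore instead of every certificate. The file names, alias, password and URL are assumed.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreExample {
    // Equivalent of "keytool -import": add one X.509 certificate (DER or PEM, e.g. the .cer
    // exported by keytool) to a JKS truststore as a trusted entry; creates the file if missing.
    static void importTrustedCert(String storePath, char[] storePass, String alias, String certPath)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        File f = new File(storePath);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) { ts.load(in, storePass); }
        } else {
            ts.load(null, storePass); // start an empty store
        }
        Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        ts.setCertificateEntry(alias, cert); // trusted certificate only, no private key
        try (FileOutputStream out = new FileOutputStream(f)) { ts.store(out, storePass); }
    }

    // SSLContext that trusts exactly the entries in the given truststore and nothing else.
    static SSLContext contextFor(String storePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) { ts.load(in, storePass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key managers: client auth not used
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // assumed truststore password
        importTrustedCert("client-truststore.jks", pass, "selfrest", "selfsigned.cer");
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(contextFor("client-truststore.jks", pass).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode()); // SSLHandshakeException if untrusted
    }
}
```

Hostname verification is a separate check from trust: HttpsURLConnection also requires the host in the URL to match the certificate's subject alternative name, so a self-signed certificate generated as in the answer above needs that name in it (keytool's -ext SAN=dns:yourhost) or the handshake still fails.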
