How to import .key and .crt file to .jks file

Hi,

Please give me the exact keytool commands to convert .key and .crt files to .jks file of keystore. I am unable to import .key to .jks.

Please send me both commands

Hi Varalakshmi,

cat .crt .key > .crt_with_key

Use keytool or Portecle for importing .crt_with_key into a .jks.

See ‘keytool -help’ for further information.

Regards,
Holger

Hi, I tried but got the below error. Please help me.

Error:

[wmuser@ajaxlwmm9004 bin]$ ./keytool -import -alias rsacceptance -file /tmp/SampleTestCert/wmrsreal.accp.apptoapp.org.der_with_wmrsreal.accp.apptoapp.org.key -keystore /tmp/JKSSTORE/VoyaRSAccpRealtime.jks
Enter keystore password:
keytool error: java.security.cert.CertificateParsingException: signed fields invalid

Hi Varalakshmi,

This will not work with the DER-Format, only with the CER-Format.

Additionally, add a -trustcacerts parameter to the keytool-command to enable the CA-Certificates which are stored in the cacerts file of the jvm.

You can convert the certificate either locally on Windows by opening it and exporting it as X.509-Cer (not binary Cer, which is the Der-format) or by using OpenSSL.

Regards,
Holger

Hi, same error again. Tried with .crt file and added trustcacerts. I have placed both .crt and .key files in /tmp and trying. Please correct me if I am going wrong by steps/command:

[wmuser@ajaxlwmm9004 bin]$ ./keytool -import -trustcacerts -alias rsacceptance -file /tmp/SampleTestCert/wmrsreal.accp.apptoapp.org.crt_with_wmrsreal.accp.apptoapp.org.key -keystore /tmp/JKSSTORE/VoyaRSAccpRealtime.jks
Enter keystore password:
keytool error: java.security.cert.CertificateParsingException: signed fields invalid

Hi Varalakshmi,

Is there any extra text in your certificates file?

If so, remove it.

It should only contain something similar to the following:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,

-----END RSA PRIVATE KEY-----

Proc-Type and DEK-Info are present if the key contains a password.

Can you share the output of ‘keytool -help’ please?

Eventually you have to use -importcert instead of -import.

By which CA was the certificate signed? Is it self-signed or signed by an external CA?

Regards,
Holger
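
The file check from Holger's last reply, together with the DER-versus-PEM distinction from his earlier one, as an added example that is not part of the thread: it lists the PEM blocks in a file, flags any text outside them, and reports whether the key block is password-protected. The function names and the sample bytes are constructed for illustration.

```python
import re

# One PEM block: BEGIN/END lines with the same label, body in between.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----[ \t]*\r?\n?",
    re.DOTALL,
)

def inspect_pem(data: bytes) -> dict:
    """Summarise a file meant for keytool: format, blocks, stray text."""
    # A DER certificate is a binary ASN.1 SEQUENCE; with the usual
    # two-byte length field it starts with the bytes 0x30 0x82.
    if data[:2] == b"\x30\x82":
        return {"format": "DER", "blocks": [], "stray": [], "encrypted_key": False}
    blocks, stray, encrypted, pos = [], [], False, 0
    for m in PEM_BLOCK.finditer(data):
        stray += _text_lines(data[pos:m.start()])
        label = m.group(1).decode()
        blocks.append(label)
        # Password-protected keys: Proc-Type header, or an ENCRYPTED label.
        if label.endswith("PRIVATE KEY") and (
            b"Proc-Type: 4,ENCRYPTED" in m.group(2) or label.startswith("ENCRYPTED")
        ):
            encrypted = True
        pos = m.end()
    stray += _text_lines(data[pos:])
    return {"format": "PEM" if blocks else "unknown", "blocks": blocks,
            "stray": stray, "encrypted_key": encrypted}

def _text_lines(chunk: bytes) -> list:
    """Non-blank lines found outside any PEM block."""
    return [l.strip().decode("latin-1") for l in chunk.splitlines() if l.strip()]

# Constructed sample (placeholder base64, not a real certificate or key).
SAMPLE = (
    b"Bag Attributes\n"
    b"    friendlyName: example\n"
    b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n"
    b"Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(inspect_pem(SAMPLE))
    print(inspect_pem(b"\x30\x82\x03\x10constructed"))
```

A non-empty `stray` list is the "extra text" to remove, and a `format` of `DER` means the file is the binary encoding rather than the text one.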