If you are not familiar with the Java keytool command, check out our Getting Started article.
Before importing a certificate into a keystore file, you will want to determine the keystore type, which is typically JKS or PKCS12. The Java keytool command with the -list option can be used to determine the keystore type.
keytool -list -keystore "/path/to/keystore"
This should return output like the following. In this example, the keystore type is PKCS12.
Keystore type: PKCS12
The -import option can be used to import a certificate in a .cer, .crt, or .pem file into a keystore. In this example, the *.example.com certificate in the example.com.crt file is imported into the keystore. Notice in this example that the -storetype is PKCS12.
keytool -import -file "/path/to/example.com.crt" -alias "*.example.com" -keystore "/path/to/keystore.p12" -storetype pkcs12 -storepass "keystore_password"
If the certificate is successfully imported into the keystore, the following should be displayed.
Certificate was added to keystore
When importing a single server certificate (a certificate file with no private key), the certificate should be listed as a trustedCertEntry in the keystore, not a PrivateKeyEntry.
*.example.com, Mar 3, 2021, trustedCertEntry, Certificate fingerprint (SHA-256): F3:3F:06:A8:86:95:6A:01:C8:2C:C2:52:FC:58:3F:46:8E:1B:0F:5A:67:12:7A:51:46:71:55:7E:B3:9A:03:13
The -importkeystore option can be used to import a certificate in a .p12 file into a keystore. In this example, the *.example.com certificate in the keystore1.p12 file is imported into keystore2.p12.
keytool -importkeystore -srckeystore "/path/to/keystore1.p12" -srcstoretype pkcs12 -srcalias "*.example.com" -srcstorepass "password to view the contents of the keystore1.p12 file" -destkeystore "/path/to/keystore2.p12" -deststoretype pkcs12 -deststorepass "password to view the contents of the keystore2.p12 file" -destalias "*.example.com"
It's important to recognize that there are two different passwords at play here: the password protecting the keystore file itself and the password protecting the key entry inside it.
If the keystore password and the key password are different and the -destkeypass option is not used, the following error will be returned.
keytool error: java.lang.Exception: The destination pkcs12 keystore has different storepass and keypass. Please retry with -destkeypass specified
The -destkeypass option can be included to resolve this issue.
If the destination keystore already contains an entry with the same alias as the one being imported, the following prompt will be displayed.
Existing entry alias *.example.com exists, overwrite? [no]:
Piping echo yes into the command answers the prompt with "yes", so that the existing entry is overwritten and the certificate is imported into the destination keystore.
echo yes | keytool -importkeystore -srckeystore "/path/to/keystore1.p12" -srcstoretype pkcs12 -srcalias "*.example.com" -srcstorepass "keystore_password" -destkeystore "/path/to/keystore2.p12" -deststoretype pkcs12 -deststorepass "keystore_password" -destalias "*.example.com"
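The two checks this article relies on, reading the keystore type from keytool -list and confirming that the imported alias appears as a trustedCertEntry with the fingerprint you expect, can be scripted rather than read by eye; the following is an added shell example and not part of the original article. It parses a constructed sample of keytool -list output, so it runs without Java; the keytool invocations in the trailing comment, the paths and STOREPASS are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: parse `keytool -list` output
# to pick the right -storetype and to confirm, after an import, that the
# alias landed as a trustedCertEntry with the fingerprint you expected.
# SAMPLE_LIST is a constructed listing so this runs without Java installed.
SAMPLE_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

*.example.com, Mar 3, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): F3:3F:06:A8:86:95:6A:01:C8:2C:C2:52:FC:58:3F:46:8E:1B:0F:5A:67:12:7A:51:46:71:55:7E:B3:9A:03:13
server, Mar 3, 2021, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00'

# keystore_type LISTING -> PKCS12 or JKS; use it for -storetype / -srcstoretype
keystore_type() {
    printf '%s\n' "$1" | sed -n 's/^Keystore type: *//p'
}

# entry_type LISTING ALIAS -> trustedCertEntry, PrivateKeyEntry, or "missing".
# Fields are scanned for the *Entry token because the date field itself
# contains ", " and its shape depends on the locale.
entry_type() {
    t=$(printf '%s\n' "$1" | awk -F', ' -v a="$2" \
        '$1 == a { for (i = 2; i <= NF; i++) if ($i ~ /Entry,?$/) print $i; exit }')
    printf '%s\n' "${t:-missing}"
}

# fingerprint LISTING ALIAS -> the SHA-256 fingerprint recorded for ALIAS.
# Handles both the two-line layout keytool prints and a single-line layout.
fingerprint() {
    printf '%s\n' "$1" | awk -F', ' -v a="$2" '
        function fp(s) { sub(/.*Certificate fingerprint \(SHA-256\): */, "", s); return s }
        hit { print fp($0); exit }
        $1 == a { if ($0 ~ /fingerprint/) { print fp($0); exit } hit = 1 }'
}

# verify_import LISTING ALIAS EXPECTED_FP -> 0 only if ALIAS is a trustedCertEntry
# whose stored fingerprint equals EXPECTED_FP (from `keytool -printcert -file`).
verify_import() {
    [ "$(entry_type "$1" "$2")" = "trustedCertEntry" ] || return 1
    [ "$(fingerprint "$1" "$2")" = "$3" ]
}

# Against a real store (keytool on PATH; paths and $STOREPASS are placeholders):
#   listing=$(keytool -list -keystore /path/to/keystore.p12 -storepass "$STOREPASS")
#   expected=$(keytool -printcert -file /path/to/example.com.crt | sed -n 's/^[[:space:]]*SHA256: //p')
#   verify_import "$listing" '*.example.com' "$expected" && echo "import verified"
```

Comparing the fingerprint in the keystore against the one printed from the .crt file catches the case where an import silently overwrote an existing alias with a different certificate.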