FreeKB - Java Keystore - keytool import command (Import a certificate)

If you are not familiar with the Java keytool command, check out our Getting Started article.

Before importing a certificate into a keystore file, you will want to determine the keystore type, which is typically JKS or PKCS12. The Java keytool command with the -list option can be used to determine the keystore type.

keytool -list -keystore "/path/to/keystore"


Which should return something like this. In this example, the keystore type is PKCS12.

Keystore type: PKCS12


The -import option can be used to import a certificate in a .cer, .crt, or .pem file into a keystore. In this example, the *.example.com certificate in the example.com.crt file is imported into the keystore. Notice in this example that the -storetype is PKCS12.

keytool -import -file "/path/to/example.com.crt" -alias "*.example.com" -keystore "/path/to/keystore.p12" -storetype pkcs12 -storepass "keystore_password"


If the certificate is successfully imported into the keystore, the following should be displayed.

Certificate was added to keystore


When importing a single server certificate (a certificate file carries no private key), the certificate should be listed as a trustedCertEntry in the keystore, not a PrivateKeyEntry.

*.example.com, Mar 3, 2021, trustedCertEntry, 
Certificate fingerprint (SHA-256): F3:3F:06:A8:86:95:6A:01:C8:2C:C2:52:FC:58:3F:46:8E:1B:0F:5A:67:12:7A:51:46:71:55:7E:B3:9A:03:13

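As an added example (not part of the FreeKB article), a small POSIX shell wrapper that ties the steps above together: it detects the store type with -list, imports with the matching -storetype, then lists the alias and checks that the entry is a trustedCertEntry whose SHA-256 fingerprint matches the certificate file. It assumes keytool and openssl are on PATH; the function names, the -importcert spelling of -import and the -noprompt option are this example's choices, not the article's.

```sh
#!/bin/sh
# Added example, not from the FreeKB article. Imports a certificate file the way the
# article does, then verifies the result: the entry must be a trustedCertEntry and its
# SHA-256 fingerprint must equal that of the file imported. Assumes keytool and openssl.

# "Keystore type: PKCS12" -> "PKCS12"  (reads `keytool -list` output from stdin)
parse_keystore_type() {
    sed -n 's/^Keystore type: *//p' | head -n 1
}

# "Certificate fingerprint (SHA-256): F3:3F:..." -> "F3:3F:..."
parse_fingerprint() {
    sed -n 's/^Certificate fingerprint (SHA-256): *//p' | head -n 1
}

# "*.example.com, Mar 3, 2021, trustedCertEntry, " -> "trustedCertEntry"
parse_entry_type() {
    sed -nE 's/^.*, (trustedCertEntry|PrivateKeyEntry|SecretKeyEntry).*$/\1/p' | head -n 1
}

# Compare two colon-separated hex fingerprints case-insensitively; empty never matches.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F'); b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a PEM certificate file, in keytool's colon-separated format.
cert_file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# import_and_verify CERT_FILE ALIAS KEYSTORE STOREPASS
import_and_verify() {
    cert_file=$1; cert_alias=$2; keystore=$3; storepass=$4
    # Detect the store type as the article does; default to PKCS12 if the keystore is new.
    storetype=$(keytool -list -keystore "$keystore" -storepass "$storepass" 2>/dev/null | parse_keystore_type)
    storetype=${storetype:-PKCS12}
    # -importcert is the current spelling of -import; -noprompt accepts the trust prompt
    keytool -importcert -noprompt -file "$cert_file" -alias "$cert_alias" \
        -keystore "$keystore" -storetype "$storetype" -storepass "$storepass" || return 1
    listing=$(keytool -list -alias "$cert_alias" -keystore "$keystore" \
        -storetype "$storetype" -storepass "$storepass")
    [ "$(printf '%s\n' "$listing" | parse_entry_type)" = "trustedCertEntry" ] \
        || { echo "entry $cert_alias is not a trustedCertEntry" >&2; return 1; }
    fingerprints_match "$(printf '%s\n' "$listing" | parse_fingerprint)" \
        "$(cert_file_fingerprint "$cert_file")" \
        || { echo "fingerprint of $cert_alias does not match $cert_file" >&2; return 1; }
    echo "imported $cert_alias into $keystore ($storetype); fingerprint verified"
}
```

Usage: import_and_verify /path/to/example.com.crt "*.example.com" /path/to/keystore.p12 keystore_password; a non-zero exit means the import did not produce the expected trusted entry.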
The -importkeystore option can be used to import a certificate from one keystore (here a .p12 file) into another keystore. In this example, the *.example.com certificate in the keystore1.p12 file is imported into keystore2.p12.

keytool -importkeystore \
  -srckeystore "/path/to/keystore1.p12" \
  -srcstoretype pkcs12 \
  -srcalias "*.example.com" \
  -srcstorepass "password to view the contents of the keystore1.p12 file" \
  -destkeystore "/path/to/keystore2.p12" \
  -deststoretype pkcs12 \
  -deststorepass "password to view the contents of the keystore2.p12 file" \
  -destalias "*.example.com"


It's important to recognize that there are two different passwords at play here:

  • The password for the keystore file (the store password)
  • The password for the key entry in the keystore file (the key password)

If the key password differs from the keystore password and the -destkeypass option is not used, the following will be returned.

keytool error: java.lang.Exception: The destination pkcs12 keystore has different storepass and keypass. Please retry with -destkeypass specified


The -destkeypass option can be included to resolve this issue.

-destkeypass "password"


If the destination keystore already contains an entry with the same alias as the one being imported, the following will be displayed.

Existing entry alias *.example.com exists, overwrite? [no]:


echo yes can be used to pipe the text "yes" into keytool, answering the overwrite prompt so that the certificate is imported into the destination keystore.

echo yes | keytool -importkeystore -srckeystore "/path/to/keystore1.p12" -srcstoretype pkcs12 -srcalias "*.example.com" -srcstorepass "keystore_password" -destkeystore "/path/to/keystore2.p12" -deststoretype pkcs12 -deststorepass "keystore_password" -destalias "*.example.com"


Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |