PKI // Java keystore

Generating a Java keystore dummy certificate

For testing purposes, this dummy self-signed certificate will do, alias entry e.g. cas,

keytool -genkey -keyalg RSA -alias cas -keystore keystore.jks -validity 360 -keysize 2048

Converting PEM key and certificates to a Java keystore

We have three files:

chmod 400 private_key.pkey
chmod 444 certificate.crt
chmod 444 issuer-concat-cert.crt

Converting the separated PKCS12/Apache certs to a centralized .p12 (also PKCS12), alias entry e.g. cas,

openssl pkcs12 -export -in certificate.crt -inkey private_key.pkey -out certificate.p12 -name cas -CAfile issuer-concat-cert.crt -caname root -chain
(enter private key's passphrase, it's the same as for apache)
(enter and confirm a storepass for the export, my advice is to use the same as the passphrase, since this also overrides the key passphrase!)
chmod 400 certificate.p12

Note: the passphrase was changed during the export: it’s now the same as the export storepass!

No need to convert from PKCS12 to JKS for CAS which is able to read a P12 keystore too. However for other applications than CAS, if PKCS12 is no good, here’s a way to go,

#keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -srcalias cas -destkeystore certificate.jks -deststoretype jks -destalias cas
#-deststorepass
#chmod 400 certificate.jks

Check the keystore,

keytool -v -list -keystore certificate.p12 | grep -i alias
#-storetype pkcs12
#-storepass
#keytool -v -list -keystore certificate.jks

Troubleshooting

If you get this error when launching the CAS application with java,

javax.crypto.BadPaddingException: Given final block not properly padded

==> means wrong key (or bad passphrase)…

References