How to import an existing X.509 certificate and private key in Java keystore to use in SSL?

说谎 2020-11-22 08:05

I have this in an ActiveMQ config:


        

        
15 answers
  •  耶瑟儿~
    2020-11-22 08:27

    If you have a PEM file (e.g. server.pem) containing:

    • the trusted certificate
    • the private key

    then you can import the certificate and key into a JKS keystore like this:

    1) Copy the private key from the PEM file into an ASCII file (e.g. server.key)

    2) Copy the cert from the PEM file into an ASCII file (e.g. server.crt)

    3) Export the cert and key into a PKCS12 file:

    $ openssl pkcs12 -export -in server.crt -inkey server.key \
                     -out server.p12 -name [some-alias] -CAfile server.pem -caname root
    
    • the PEM file can be used as the argument to the -CAfile option.
    • you are prompted for an 'export' password.
    • if doing this in Git Bash, then add winpty to the start of the command so the export password can be entered.

    4) Convert the PKCS12 file to a JKS keystore:

    $ keytool -importkeystore -deststorepass changeit -destkeypass changeit \
              -destkeystore keystore.jks  -srckeystore server.p12 -srcstoretype PKCS12 \
              -srcstorepass changeit
    
    • the srcstorepass password should match the export password from step 3)
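
The four steps above as one script. This is an added example, not part of the original answer; `split_pem`, `pem_to_jks` and the `KS_PASS` environment variable are hypothetical names. It assumes one password for both stores, reads it from the environment so it does not appear in the process list or shell history, and adds `-deststoretype JKS` because JDK 9 and later default to PKCS12.

```shell
#!/bin/sh
# Added example (not from the answer): steps 1-4 as one script.
# split_pem, pem_to_jks and KS_PASS are hypothetical names.
set -eu

# Steps 1-2: copy the private key and the certificate(s) out of the PEM file.
split_pem() {   # usage: split_pem server.pem server.key server.crt
  sp_pem=$1; sp_key=$2; sp_crt=$3
  # Create the key file owner-only; matches PKCS#8, RSA, EC and encrypted headers.
  ( umask 077
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$sp_pem" > "$sp_key" )
  chmod 600 "$sp_key"
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$sp_pem" > "$sp_crt"
  if [ ! -s "$sp_key" ] || [ ! -s "$sp_crt" ]; then
    echo "split_pem: $sp_pem must contain both a private key and a certificate" >&2
    return 1
  fi
}

# Steps 3-4: PEM -> PKCS12 -> JKS, with the password taken from $KS_PASS.
pem_to_jks() {  # usage: KS_PASS=... pem_to_jks server.pem some-alias keystore.jks
  pj_pem=$1; pj_alias=$2; pj_jks=$3
  : "${KS_PASS:?export KS_PASS first}"
  pj_tmp=$(mktemp -d)                 # private working directory (mode 700)
  trap 'rm -rf "$pj_tmp"' EXIT        # do not leave key copies behind
  split_pem "$pj_pem" "$pj_tmp/server.key" "$pj_tmp/server.crt"
  openssl pkcs12 -export -in "$pj_tmp/server.crt" -inkey "$pj_tmp/server.key" \
          -out "$pj_tmp/server.p12" -name "$pj_alias" -CAfile "$pj_pem" -caname root \
          -passout env:KS_PASS
  keytool -importkeystore -noprompt \
          -srckeystore "$pj_tmp/server.p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
          -destkeystore "$pj_jks" -deststoretype JKS \
          -deststorepass:env KS_PASS -destkeypass:env KS_PASS
  # Confirm the alias holds a PrivateKeyEntry, not only a trustedCertEntry.
  keytool -list -keystore "$pj_jks" -storepass:env KS_PASS -alias "$pj_alias"
}

# Runs only with three arguments: KS_PASS=... sh pem2jks.sh server.pem some-alias keystore.jks
if [ "$#" -eq 3 ]; then pem_to_jks "$@"; fi
```

If `keytool -list` reports `trustedCertEntry` instead of `PrivateKeyEntry` for the alias, the key was not imported and the keystore cannot serve TLS.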
