Creating Keystores by Importing

This page outlines how to create a keystore by importing private keys and public certificates that you have received from somebody else into a local keystore so that you can use them for encrypted communication.

Importing a Public Key into a Keystore

Public keys will commonly be in a format called PEM. PEM files begin and end with a special delimiter line and consist of a body of Base-64 encoded binary.

Public keys will often have one of the following file extensions: .PEM, .CRT

The following is an example of what a PEM file should look like:
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIETWBDIDANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
... some lines removed ...
4UJdLAICuodKr1YNzWOi+qu/C/toHkGIH3qqFlBwxYv+03VFy1ZeqqSFOS4yVZReXrNP9dpvIkcs
G9w7mJXpRj444RtF+sKQ15WYs7MmABnIrv9r/+mVbgXO1yawhEzc4rt4m/T5tGpiAE485mGUwZzo
7/5nr32KlhSkexwwuZCDpuzm3FC36g+puzVLUic32S1GZ50Z
-----END CERTIFICATE-----

The key may also be in a format known as DER, which is a binary format. To import a key file in either PEM or DER format into a keystore, issue the following command, substituting appropriate values for these arguments:

  • -alias trust_app_alias refers to the name by which the key will be known to the keystore. It generally doesn't matter what you put here as long as you choose something meaningful for the certificate you are putting in.
  • -file public.cert refers to the filename of the certificate. This file should be in one of the formats listed above.
  • -keystore truststore.jks refers to the name of the keystore you are putting the key in. If no file exists with this name, one will be created and protected with the keystore password that you specify at the prompt below. If this keystore already exists, the new certificate will be added to it, and the password you enter must match the password that this keystore was previously given.
$ keytool -import -alias trust_app_alias -file public.cert -keystore truststore.jks -storetype JKS
Enter keystore password: trustpassword
Re-enter new password: trustpassword
Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 50257625
Valid from: Fri Aug 10 16:59:17 EDT 2012 until: Thu Aug 10 16:59:17 EDT 2017
Certificate fingerprints:
      MD5: B9:5B:43:34:CA:00:82:EE:1F:7B:24:14:B6:3E:56:09
      SHA1: 98:56:ED:0B:E0:F2:A6:20:2D:DD:66:72:5F:DF:7D:CB:BC:98:C7:AE
      Signature algorithm name: SHA1withRSA
      Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
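
Before answering "yes" at the "Trust this certificate?" prompt, the fingerprints keytool prints should be compared with a value obtained from the certificate's owner through another channel. The following Python script is an added example, not part of the original page or of keytool: it reads a PEM or DER file the way the import step does, prints the MD5, SHA1 and SHA256 fingerprints in keytool's colon-separated layout, and checks them against an out-of-band value. The sample PEM is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: a PEM wrapper around three arbitrary bytes, not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def load_der(data: bytes) -> bytes:
    """Return raw DER from either encoding keytool -import accepts: PEM is
    recognised by its delimiter lines and Base64-decoded; anything else must
    start with the DER SEQUENCE tag (0x30), as every X.509 certificate does."""
    match = _PEM_RE.search(data)
    if match:
        body = b"".join(match.group(1).split())  # strip line breaks in the body
        return base64.b64decode(body, validate=True)
    if data[:1] == b"\x30":
        return data
    raise ValueError("not a PEM or DER certificate")


def fingerprints(der: bytes) -> dict:
    """Digests of the DER bytes, colon-separated and upper-case as keytool prints them."""
    return {
        name: ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())
        for name, algo in (("MD5", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256"))
    }


def matches_expected(der: bytes, expected: str, algo: str = "SHA256") -> bool:
    """Compare with a fingerprint received out of band, ignoring case,
    colons and whitespace so a pasted value in any common layout works."""
    wanted = re.sub(r"[^0-9A-F]", "", expected.upper())
    return fingerprints(der)[algo].replace(":", "") == wanted


if __name__ == "__main__":
    # Usage: python check_fingerprint.py public.cert <fingerprint from the issuer>
    import sys
    with open(sys.argv[1], "rb") as handle:
        der = load_der(handle.read())
    for name, value in fingerprints(der).items():
        print(f"{name}: {value}")
    ok = matches_expected(der, sys.argv[2])
    print("match: safe to answer 'yes' at the keytool prompt" if ok else "MISMATCH: do not import")
    sys.exit(0 if ok else 1)
```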

Importing a Private Key into a Keystore

Private keys will often be provided using a format called PKCS#12. This is a standard container format, which the OpenSSL toolset can produce and inspect. PKCS#12 files are generally provided using the extension .PFX or .P12.

The "openssl" tool can first be used to verify the contents of a PKCS#12 file. Note that the file itself will have a password which should be supplied by whoever supplies the file. In the example below, the password is "helloworld123".

$ openssl pkcs12 -info -in private_key.pfx -nokeys
Enter Import Password: helloworld123
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: le-d7ffb209-fb59-4e0c-bd42-75157dccc563
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase: (hit enter)
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
subject=/C=CA/ST=Ontario/L=Toronto/O=TestOrg/OU=TestOU/CN=testers.uhn.ca
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIETWBDIDANBgkqhkiG9w0BAQsFADBsMRAwDgYDVQQGEwdVbmtub3duMRAw
DgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYD
... many lines removed ...
4UJdLAICuodKr1YNzWOi+qu/C/toHkGIH3qqFlBwxYv+03VFy1ZeqqSFOS4yVZReXrNP9dpvIkcs
G9w7mJXpRj444RtF+sKQ15WYs7MmABnIrv9r/+mVbgXO1yawhEzc4rt4m/T5tGpiAE485mGUwZzo
7/5nr32KlhSkexwwuZCDpuzm3FC36g+puzVLUic32S1GZ50Z
-----END CERTIFICATE-----

In particular, the output above contains the "friendlyName" attribute value of "le-d7ffb209-fb59-4e0c-bd42-75157dccc563". This is a kind of alias which will be used to refer to the key when importing it into the keystore.

To import a PKCS#12 file into a keystore, use the following command. Note the following arguments:

  • -destkeystore otherside.jks tells keytool the filename of the destination keystore. This is the keystore that the key will be copied into.
  • -deststorepass changeit tells keytool the password to use for the destination keystore. If this is a new keystore being created, this same password will need to be used for any subsequent modifications. If this is an existing keystore being added to, the password must match its pre-existing password.
  • -srckeystore private_key.pfx refers to the name of the PKCS#12 file containing the private key.
  • -srcstoretype PKCS12 tells keytool that the source file is in PKCS#12 format rather than the default keystore format.
  • -srcalias le-d7ffb209-fb59-4e0c-bd42-75157dccc563 refers to the friendly name of the key within the PKCS#12 file. This can be obtained using openssl, as seen above.
  • -destalias lab_staging_system gives the key a friendly name (or alias) within the destination keystore. This should be a short ID that refers to the specific purpose of the key.
  • -destkeypass changeit gives the key itself a password within the keystore.
$ keytool -v -importkeystore -destkeystore otherside.jks -deststorepass changeit -srckeystore private_key.pfx -srcstoretype PKCS12 -srcalias le-d7ffb209-fb59-4e0c-bd42-75157dccc563 -destalias lab_staging_system -destkeypass changeit
Enter source keystore password: helloworld123
[Storing otherside.jks]