0.1 If you do not have a certificate, you can create a self-signed one:
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
(you may add -sha256 to get a SHA256 signature)
openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
1. If there is no keystore yet, create one:
keytool -genkey -alias some_dumb_alias -keyalg RSA -keystore keystore.jks
2. Concat two pem files:
cat secret.key.pem certificate.pem > key.certificate.pem
3. Convert pem certificate into pkcs12 format:
openssl pkcs12 -export -in key.certificate.pem -out certificate.pkcs12 -name alias_to_be_used -noiter -nomaciter
3.1 If there are additional certificates for the trusted chain, then we need some extra steps:
3.1.1 Convert the certificate back to pem:
openssl pkcs12 -in certificate.pkcs12 -out certificate-2.pem -nodes -clcerts
3.1.2 Compose the certificate chain:
cat certificate-2.pem intermediate1.pem intermediate2.pem root.pem > chain.pem
(make sure that every concatenated certificate starts on a new line, i.e. each input file ends with a newline)
3.1.3 Convert the chain to pkcs12:
openssl pkcs12 -export -in chain.pem -out certificate.pkcs12 -name alias-to-be-used
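The concatenation in steps 2 and 3.1.2 is where this procedure most often breaks: if a PEM file was saved without a final newline, cat glues "-----END ...-----" and the next "-----BEGIN ...-----" onto one line, and OpenSSL's PEM reader (which only recognises a BEGIN marker at the start of a line) silently skips that block, so the pkcs12 export ends up with a missing certificate or key. The following helper is an added example, not part of the original notes: it performs the concatenation with guaranteed block boundaries and sanity-checks the result (block structure, exactly one private key for the step 2 bundle, certificates only for the step 3.1.2 chain, no stray CSR blocks). The PEM bodies in it are constructed placeholders, not real key material, and the function names are my own.

```python
"""Added example for steps 2 and 3.1.2: build the key+certificate bundle and the
certificate chain with every PEM block on its own line, then sanity-check the
result before it goes to `openssl pkcs12 -export`. Not part of the original
notes; the PEM bodies below are constructed placeholders, not real key material."""
import re

# One well-formed PEM block: BEGIN line, base64 body lines, matching END line.
# Anchored to line starts because OpenSSL's PEM reader only recognises a
# "-----BEGIN" marker that appears at the start of a line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----$",
    re.MULTILINE,
)


def normalize_pem(text: str) -> str:
    """Canonical form of one PEM file: LF line endings, no surrounding
    whitespace, exactly one trailing newline. A file saved without a final
    newline is what makes `cat` glue "-----END ...-----" onto the next
    "-----BEGIN ...-----" on a single line."""
    return text.replace("\r\n", "\n").strip() + "\n"


def concat_pem(*texts: str) -> str:
    """Equivalent of `cat a.pem b.pem ...` that guarantees block boundaries."""
    return "".join(normalize_pem(t) for t in texts)


def pem_labels(text: str) -> list:
    """Labels ("CERTIFICATE", "RSA PRIVATE KEY", ...) of well-formed blocks, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def validate_bundle(text: str, expect_key: bool, min_certs: int = 1) -> list:
    """Return a list of problems (empty when the bundle looks usable).

    expect_key=True  -> step 2 bundle: exactly one private key plus certificate(s)
    expect_key=False -> step 3.1.2 chain: certificates only
    This is a structural check only; issuer/subject linkage and signatures
    are left to `openssl verify`."""
    problems = []
    labels = pem_labels(text)
    markers = text.count("-----BEGIN ")
    if markers != len(labels):
        problems.append(
            f"{markers - len(labels)} of {markers} BEGIN markers do not start a "
            "well-formed block (typically a missing newline before the marker)"
        )
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    certs = labels.count("CERTIFICATE")
    others = [label for label in labels
              if label != "CERTIFICATE" and not label.endswith("PRIVATE KEY")]
    if expect_key and len(keys) != 1:
        problems.append(f"expected exactly 1 private key, found {len(keys)}")
    if not expect_key and keys:
        problems.append("a certificate chain must not contain a private key")
    if certs < min_certs:
        problems.append(f"expected at least {min_certs} certificate(s), found {certs}")
    if others:  # e.g. the server.csr from step 0.1 concatenated by mistake
        problems.append("unexpected block(s): " + ", ".join(others))
    return problems


# Constructed placeholders (not real keys/certificates). KEY and LEAF lack a
# trailing newline, as files written by some editors and tools do; INTERMEDIATE
# has a Windows line ending; ROOT has an extra blank line.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"
LEAF = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\r\n"
ROOT = "-----BEGIN CERTIFICATE-----\nDDDD\n-----END CERTIFICATE-----\n\n"


def demo() -> dict:
    naive = KEY + LEAF                            # what plain `cat` yields here
    fixed = concat_pem(KEY, LEAF)                 # step 2 bundle, boundary repaired
    chain = concat_pem(LEAF, INTERMEDIATE, ROOT)  # step 3.1.2 chain, leaf first
    return {
        "naive": validate_bundle(naive, expect_key=True),
        "fixed": validate_bundle(fixed, expect_key=True),
        "chain": validate_bundle(chain, expect_key=False, min_certs=2),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run it as a script: the "naive" bundle is reported as broken (no well-formed block, no key, no certificate) while the normalized bundle and chain pass. Two further points a practitioner will want alongside step 3: the structural check above does not prove the chain is valid, so run `openssl verify -CAfile root.pem -untrusted intermediate1.pem certificate-2.pem` (real command, file names from the steps above) before exporting; and -noiter -nomaciter in step 3 set the PKCS12 key-derivation and MAC iteration counts to 1, which makes the export password far cheaper to brute-force, so keep those flags only if the tool that will read the .pkcs12 file genuinely cannot handle the iterated form.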
4. Import pkcs12 keystore into jks:
keytool -v -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
Initial dumb key entry may be deleted now:
keytool -delete -alias some_dumb_alias -keystore keystore.jks
5. Check that the resulting jks contains the certificate:
keytool -list -v -keystore keystore.jks
6. Change the alias if needed:
keytool -changealias -keystore keystore.jks -alias current_alias -destalias new_alias