Import of PEM certificate chain and key to Java Keystore

Solution 1:

Concatenate all *.pem files into one pem file, like all.pem. Then create a keystore in p12 format with the private key + all.pem:

    openssl pkcs12 -export -inkey private.key -in all.pem -name test -out test.p12

Then export the p12 into jks:

    keytool -importkeystore -srckeystore test.p12 -srcstoretype pkcs12 -destkeystore test.jks

Solution 2:

This may not be perfect, but I had some notes on my use of keytool that I've modified for your scenario.

  1. Import a root or intermediate CA certificate to an existing Java keystore:

    keytool -import -trustcacerts -alias root -file ca_geotrust_global.pem -keystore yourkeystore.jks
    keytool -import -trustcacerts -alias intermediate -file intermediate_rapidssl.pem -keystore yourkeystore.jks
    
  2. Combine the certificate and private key into one file before importing.

    cat certificate.pem privatekey.pem > combined.pem
    

    This should result in a file resembling the below format.

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

  3. Import a signed primary certificate & key to an existing Java keystore:

    keytool -import -trustcacerts -alias yourdomain -file combined.pem -keystore yourkeystore.jks
    

Solution 3:

keytool doesn't provide a way to import a certificate + private key from a single (combined) file, as proposed above. It runs fine, but only the certificate is imported, while the private key is ignored. You can check it with keytool -list -v -keystore yourkeystore.jks: the yourdomain entry type is TrustedCertEntry, not PrivateKeyEntry.

So to solve the initial problem, one should first create a PKCS#12 keystore using openssl (or a similar tool), then import the keystore with keytool -importkeystore.
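
The conversion from Solution 1 combined with the entry-type check from Solution 3, as an added shell example that is not part of the original answers. The function names, the P12_PASS environment variable and the leaf-first ordering of the chain file are assumptions of this example.

```shell
#!/bin/sh
# Added example: Solution 1's conversion plus Solution 3's entry-type check.
# Assumptions: the store password is in the exported variable P12_PASS, and
# the chain file lists the leaf certificate first.

# build_p12 KEY CHAIN_PEM ALIAS OUT_P12
build_p12() {
    # Compare public keys so a mismatched key/certificate pair is rejected
    # before anything is written.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "private key does not match the first certificate in $2" >&2
        return 2
    fi
    # umask keeps the key-bearing output readable by its owner only;
    # env: keeps the password out of the process argument list.
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" \
          -out "$4" -passout env:P12_PASS )
}

# p12_cert_count P12: print how many certificates the PKCS#12 file holds
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# import_to_jks P12 JKS ALIAS: import, then succeed only if ALIAS is a
# PrivateKeyEntry (TrustedCertEntry means the key was left behind).
# The grep assumes keytool prints its output in English.
import_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env P12_PASS \
        -destkeystore "$2" -deststoretype jks -deststorepass:env P12_PASS \
        >/dev/null 2>&1 || return 1
    keytool -list -v -keystore "$2" -storepass:env P12_PASS -alias "$3" |
        grep -q 'Entry type: PrivateKeyEntry'
}

# Usage:
#   export P12_PASS='...'
#   cat certificate.pem intermediate.pem root.pem > all.pem
#   build_p12 private.key all.pem test test.p12 && p12_cert_count test.p12
#   import_to_jks test.p12 test.jks test
```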