Last Updated: February 25, 2016
· hab278

Converting a certificate chain and key into a Java Keystore for SSL on Puma/Java

So you have a signed certificate, an intermediate certificate, and a private key. You want to use some Java based server with SSL, like Puma on JRuby. You need a keystore file and you have no idea what to do, or maybe some idea, but all the docs are outdated and none of them fit your niche bill. Look no further, heres a step by step guide.

First concatenate intermediate certificate and your certificate into one crt file.

(cat intermediate.crt; echo; /etc/ssl/certs/ca-certificate.crt) >> allcacerts.crt

Note: crt files don't usually end in a newline, so adding a newline in between the intermediate certificate and root certificate is necessary.

Then import the new merged certificate into a pkcs12 keystore.

openssl pkcs12 -export -chain -CAfile allcacerts.crt //
        -in /etc/ssl/certs/ca-certificate.crt //
        -inkey /etc/ssl/certs/ca-certificate.key //
        -name domaincerts -out allcacerts.p12

This will prompt you for a password. This is the password for the pkcs12 keystore, which will be used again in the next command.

Finally, convert the pkcs12 into a java keystore.

keytool -importkeystore -srckeystore allcacerts.p12 //
        -srcstoretype PKCS12 -destkeystore keystore.jks

This will prompt you for a password for the Java keystore, and then once again to verify. After that, it will prompt you for the pkcs12 keystore password, that you defined in step 2. Once you complete this step, you have a Java keystore you can use.

Please check the references for more information or to give credit where it's due.


Say Thanks