Keytool Import PFX Certificate

>>-keystore SecretariatQA

Is that really where your keystore is as far as Tomcat is concerned?

How can i check if is my keystore for tomcat?

Don't specify a keystore location unless you're also doing that in the server config

On my Server.xml in Tomcat Directory have this lines:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:/Appls/Java/jre1.5.0_11/bin/secretariatqa"
               keystoreType="pkcs12"
               keystorePass="XxxXxXxX"/>

Its OK?

But i'm confused:

>> My actual certificate expired in January and i have a new Certificate in PFX Format.

>>keytool -genkey

Why are you generating one in that case?

>>keystoreFile="D:/Appls/Java/jre1.5.0_11/bin/secretariatqa"

Don't use a location inside the runtime - that's volatile. Also, that's not the exact path you used with genkey

Sorry i don't known what is the corrects steps.

What would be the correct steps to import the certificate again? Sorry but do not know this.

Try

keytool -importcert -alias tomcat -file x.pfx -keystore D:\Appls\Java\jre1.5.0_11\bin\secretariatqa

Select all Open in new window

(After having changed the keystore to something more sensible ;))

I see this error:

Illegal option:  -importcert

You could have a slightly different keytool than me. Run it without args to find out the format for the import command

I have this Arguments to import:

-import      [-v] [-noprompt] [-trustcacerts] [-protected]
             [-alias <alias>]
             [-file <cert_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providerName <name>]
             [-providerClass <provider_class_name> [-providerArg <arg>]] ...

I only need replace importcert for import and its ok?

>>I only need replace importcert for import and its ok?

Should be. Obviously the path to the certificate file has to be correct

yeap :)

I have this error:

D:\Appls\Java\jre1.5.0_11\bin>keytool -import -alias tomcat -file d:\Secreqa.pfx -keystore D:\Appls\Java\jre1.5.0_11\bin\SecretariatQA
Enter keystore password:  XXxxxx
keytool error: java.lang.Exception: Input not an X.509 certificate

You probably need

http://java.sun.com/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro6.html#wp526882

Sorry but i don't understand, i have the PFX (Certificate with private Key) i try import only .cer but when i import i restart tomcat service and i see the old certificate.

>>i try import only .cer

With what command?

keytool -import -alias tomcat -file d:\SecretariatQA.cer -keystore secretariatqa

Try using the full path to the keystore. If that doesn't work, attach that public key file to this question and i'll test to esnure it's doable

This is the tomcat5 Log.
catalina.2010-03-27.log

>> but when i import i restart tomcat service and i see the old certificate.

How do you determine that from the log file? The problem seems to be that there's something wrong with doing IO on the cert

Sorry, when i import a certificate now i can't see nothing i have an error "The page cannot be displayed".
But if i resotre the old keystore from a backup i can see old certificate but the site work OK.
apologize for my confusion.

What would be the steps to import a certificate from PFX Certificate to tomcat?

1 - Generate a Keystore if don't exist?, how?
2 - Import the certificate, how?

That error is having the certificate? if you need i can upload any file.

Currently the site is showing error page can not be displayed

Sorry but I am really confused with this. Thank you very much for helping me

First of all, list the keystore that you're using with Tomcat

keytool -list -keystore <path to keystore>

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Mar 27, 2010, trustedCertEntry,
Certificate fingerprint (MD5): A9:94:BD:38:01:C3:E9:1C:18:90:91:25:64:B0:5C:5D
mykey, Mar 27, 2010, keyEntry,
Certificate fingerprint (MD5): 87:36:A5:EC:DB:E7:9F:6F:A9:E1:C3:97:59:55:5C:B4

The first one is correct and shows that it has been imported. That's the one you attached to this question. Make sure you're using the correct alias (tomcat) in your server config

This is the config
server.xml

If you don't need that other thing in the keystore i'd delete it. Then restart Tomcat and watch the log

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Mar 27, 2010, trustedCertEntry,
Certificate fingerprint (MD5): A9:94:BD:38:01:C3:E9:1C:18:90:91:25:64:B0:5C:5D

and the log:


catalina.2010-03-27.log

I think the problem is with Public or Private Key with certificate? because when i import i use

 keytool -import -alias tomcat -file d:\Secre.cer -keystore .keystore


But .Cer no have private key. Its Possible?

I found a solution only need modify in server.xml full path to .pfx only. No need keystore.

                <Connector port="443" maxHttpHeaderSize="8192"
                           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                           enableLookups="false" disableUploadTimeout="true"
                           acceptCount="100" scheme="https" secure="true"
                           clientAuth="false" sslProtocol="TLS"
                         keystoreFile="D:/secreqa.pfx"
                         keystoreType="pkcs12"
                                                       keystorePass="XXxXxxxXxx"/>

But i think i have a problem with Private Key in my Original Keystore i found this article to Export PrivateKey from openssl.

http://www.readylines.com/openssl-one-liners-examples


Only I would be remiss to knowing how to generate the keystore with the private key and publishes both in order to replace the PFX.

You helped me a lot to find the solution, thank you very much for the help, I will accept the final solution is yours so you assign the points.

Thanks a lot

:-)

>  I will accept the final solution is yours so you assign the points.

Don't accept an answer that is wrong. That is not how EE works.
If you answer the question yourself you should accept your own for the benefit of others reading this question in the future.

http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_24785857.html?sfQueryTermInfo=1+import+pfx+tomcat

>>Since it is a public key file only, I see no cryptographic security risk, but there is potential identifying information in the certificate

... which of course will be available once the public key is made .. er .. public

> Since it is a public key file only

did you check it?  A certificate with just a public key is not much use to tomcat

> I found a solution only need modify in server.xml full path to .pfx only. No need keystore.

CEHJ actually suggested *not* doing that in his earlier comment

thanks mate :)

>>Some askers care and some don't (about the issue of anonymity).

OK - i see what you mean

1- Generate a Keystore:
keytool -genkey -alias tomcat -keyalg RSA -keystore D:\Appls\Tomcat5\Certs\secretariat

2- Generate a Request:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore D:\Appls\Tomcat5\Certs\secretariat

3- Import a Root CA
keytool -import -alias root -keystore D:\Appls\Tomcat5\Certs\secretariat -trustcacerts -file D:\Appls\Tomcat5\Certs\Tenaris_Root_CA.cer

4- Import Second Chain:
keytool -import -alias root2 -keystore "D:\Appls\Tomcat 5.5\Certs\secretariat" -trustcacerts -file "D:\Appls\Tomcat 5.5\Certs\Tenaris_Intermediate_CA.crt"

5- Import Third Chain:
keytool -import -alias root3 -keystore D:\Appls\Tomcat5\Certs\ secretariat -trustcacerts -file D:\Appls\Tomcat5\Certs\TNSWPK03.tenaris.techint.net_Tenaris_Issuing_1_CA.crt

6- Import Four Chain:
keytool -import -alias root4 -keystore "D:\Appls\Tomcat 5.5\Certs\secretariat" -trustcacerts -file "D:\Appls\Tomcat 5.5\Certs\TNSWPK04.tenaris.techint.net_Tenaris_Issuing_2_CA.crt"

7- Import a Certificate:
keytool -import -alias secretariat -keystore "D:\Appls\Tomcat 5.5\Certs\secretariat" -trustcacerts -file D:\Appls\Tomcat 5.5\Certs\%CertificateName%

8- Edit Sever.xml in Tomcat Directory:
Add This Line (keystoreFile="D:\Appls\Tomcat5\Certs\secretariat" keystorePass="changeit") in:

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

9- Reset Tomcat Service.