
JRE keytool: how to import PrivateKeyEntry certificate?

I am trying to load some .cer files into a Java .keystore file using the keytool command. For one of the .cer files, I am expecting to import it as a PrivateKeyEntry. However, the result of the "keytool -list" command shows that all certificates are imported as trustedCertEntry.

In the "keytool -importcert" command I toggled off the -trustcacerts (idea from https://stackoverflow.com/questions/24974324/import-certificate-as-privatekeyentry ), but it didn't make a difference on the result for me.

Can you help me clarify these questions:
1. Can "keytool -importcert" import a PrivateKeyEntry into the .keystore file?
2. Is the type (PrivateKeyEntry/trustedCertEntry) of the imported certificates in .keystore decided by the way of importing? or by the .cer file itself?
3. If decided by the way of importing, how to do that?
4. If by the .cer file itself, how to check which type it is?

Thank you!


Commented:
According to THIS, you can't import a separate private key, but you might be able to merge per post 478 on that page

Commented:
File extensions are arbitrary, but in general a .cer is a certificate, and a .key is a private key for a certificate.

If the csr for the certificate was generated with keytool from the keystore, the private key is already in the keystore.

This explains in more detail https://www.digicert.com/csr-creation-java.htm 

If you are trying to import a certificate and key into an existing keystore, then usually one would use openssl to create a PKCS12 certificate (which combines the certificate and the key), and then import the PKCS12 certificate.

This explains in more detail https://coderwall.com/p/3t4xka/import-private-key-and-certificate-into-java-keystore
Commented:
Answering your questions:

Can you help me on clarifying these questions:
 1. can "keytool -importcert" import PrivateKeyEntry into the .keystore file?
Answer: No. Keytool -importcert is normally a step to import your certificate into the keystore. As for PrivateKeyEntry, it is actually your private key content inside your keystore, which is represented by the label name, the alias. The normal step is to match the imported certificate with the private key's designated alias, as opposed to importing it directly under a PrivateKeyEntry name.

 2. Is the type (PrivateKeyEntry/trustedCertEntry) of the imported certificates in .keystore decided by the way of importing? or by the .cer file itself?
Answer:
PrivateKeyEntry is a component inside your keystore that was generated at the same time you created the brand new keystore. This component itself is the one that contains your private key information. So it is not decided by the way you import the cert or by the .cer file.

 3. If decided by the way of importing, how to do that?
Answer: You have to make sure you have your private key file separate from the keystore. Also, the private key needs to match the issued certificate. If you do have the separate private key file and the certificate matches this private key, then you can use OpenSSL to create a .p12 and then use Java to convert it to JKS. The instructions above from ArneLovius cover this.

 4. If by the .cer file itself, how to check which type it is?
Answer: See number 2.
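The openssl-then-keytool route that ArneLovius and the answer above describe, written out as an added example (this is not code from any of the posters). It assumes openssl and a JDK keytool on PATH; the file names, the alias "myserver" and the password "changeit" are constructed for the demo, and the key/cert pair is a throwaway self-signed one standing in for the asker's .key/.cer files.

```shell
#!/bin/sh
# Added example: bundle a certificate and its private key into a PKCS#12 file with
# openssl, then copy that into a JKS keystore with keytool -importkeystore. This is
# what yields a PrivateKeyEntry; keytool -importcert on the bare .cer only ever
# produces a trustedCertEntry, which is what the question observed.
# Assumes openssl and keytool are installed. Names and passwords below are constructed.
set -e

# Constructed sample input: a throwaway key pair and self-signed certificate that
# plays the role of the .key/.cer pair in the question.
make_sample_key_and_cert() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.test" \
    -keyout "$dir/server.key" -out "$dir/server.cer" >/dev/null 2>&1
}

# Step 1: combine cert + key into a PKCS#12 file; -name becomes the entry alias.
# Step 2: keytool -importkeystore copies that key entry into the JKS keystore.
import_as_private_key_entry() {
  dir=$1
  openssl pkcs12 -export \
    -in "$dir/server.cer" -inkey "$dir/server.key" \
    -name myserver -passout pass:changeit -out "$dir/server.p12"
  keytool -importkeystore -noprompt \
    -srckeystore "$dir/server.p12" -srcstoretype PKCS12 -srcstorepass changeit \
    -destkeystore "$dir/app.keystore" -deststoretype JKS -deststorepass changeit \
    -alias myserver >/dev/null 2>&1
}

# Report the entry type keytool -list shows for the alias (PrivateKeyEntry expected).
entry_type() {
  dir=$1
  keytool -list -keystore "$dir/app.keystore" -storepass changeit -alias myserver 2>/dev/null \
    | grep -o 'PrivateKeyEntry\|trustedCertEntry'
}

# For contrast: -importcert of the bare .cer into a fresh keystore, as in the question.
import_cert_only() {
  dir=$1
  keytool -importcert -noprompt -file "$dir/server.cer" -alias certonly \
    -keystore "$dir/certonly.keystore" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$dir/certonly.keystore" -storepass changeit -alias certonly 2>/dev/null \
    | grep -o 'PrivateKeyEntry\|trustedCertEntry'
}
```

Running `entry_type` after `import_as_private_key_entry` prints PrivateKeyEntry, while `import_cert_only` prints trustedCertEntry, which answers question 2: the entry type comes from how the material is imported, not from the .cer file.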