Create java keystore from private key and CA certificate bundle
Asides: you have a certificate signed by the CA, but a cert is not a signed CSR. Some data in the cert is the same as some data in the CSR, but not the whole thing. Plus I wonder why you followed the digicert instructions for Apache/OpenSSL instead of those for Tomcat/Java, which would be much simpler because Jetty also is Java.
Anyway: the instructions on that Oracle page only work if you generated the privatekey and CSR with Java keytool as described in steps 1,2,3. Moreover, steps 4 and 5+6 are alternatives; although the text is not as clear as it could be, you do one or the other, not both -- and only after doing 1,2,3.
Given where you are now, your only option is converting the OpenSSL files to pkcs12, and probably then using keytool to convert pkcs12 to JKS. (Java crypto itself can use a pkcs12 directly, but not all Java crypto apps can invoke this option, and I don't know if Jetty can.)
You say you tried this and give no details about what you did, but I'll guess that most likely the "Digicert CA" file you have is an intermediate CA not a root, and to get a complete chain you need to add the root. (A complete chain isn't actually required for the pkcs12 format, and thus the openssl pkcs12 subcommand, but is highly desirable for SSL/TLS such as Jetty and thus you should do it.)
First check what your (immediate) CA is and what DigicertCA.crt is with
openssl x509 -in $yourcert.crt -noout -issuer
openssl x509 -in DigicertCA.crt -noout -subject -issuer
If issuer of your cert matches the subject of DigicertCA, and they (both) include something like "intermediate CA" or "SSL CA", and issuer of DigicertCA has "CN" which is any of DigiCert Assured ID Root CA, DigiCert Global Root CA or DigiCert High Assurance EV Root CA, then you're in luck, as long as you (or anyone else) hasn't deleted the digicert root(s) from the default cacerts in your Java (JRE) installation. Use keytool -exportcert to copy that digicert root from the matching entry in JRE/lib/security/cacerts into a file. Concatenate your privatekey, your cert, the intermediate "DigicertCA" cert, and the appropriate root cert into one file, and feed that to openssl pkcs12 -export [-name whatever] and direct the output to a file, giving a nonempty password.
(Other cases: If DigicertCA.crt actually is a root and matches the issuer of your cert, that would be very weird. If it's a root and doesn't match the issuer of your cert, you are missing the intermediate CA cert (or possibly even more than one); you should be able to get it (them) from Digicert. If it (DigicertCA.crt) matches the issuer of your cert and is not a root but its issuer isn't one of the roots named above, you'll need more certs for your chain but without more data I can't advise which.)
With a pkcs12 file, do
keytool -importkeystore -srckeystore p12file -srcstoretype pkcs12 -destkeystore newjksfile
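The check-then-convert procedure from this answer as a POSIX shell script, added here as an example and not part of the original answer. It generates a constructed root/intermediate/server test PKI with openssl so it runs offline; the file names, the alias jetty and the password changeit are assumptions, and the keytool step only runs when a JDK/JRE is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): chain check, then
# key + cert + intermediate + root -> PKCS12 -> JKS, as described above.
# Uses a constructed throwaway PKI so it runs offline; point the file
# names at your own private key, cert and DigicertCA.crt instead.
set -eu
WORK=$(mktemp -d); cd "$WORK"
PASS=changeit            # must be non-empty, as the answer says

# Does certificate $1 have the same issuer DN as the subject DN of $2?
# This is the "openssl x509 -issuer / -subject" comparison from the answer.
issued_by() {
  [ "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')" ]
}
is_root() { issued_by "$1" "$1"; }   # self-signed => a root, not an intermediate

# Number of certificates stored in PKCS12 file $1 (password $2); expect 3 here.
count_certs() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

# --- constructed test PKI (stands in for your real files) ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 -out server.crt 2>/dev/null

# --- the actual procedure ---
issued_by server.crt int.crt || { echo "the CA file is not the issuer of your cert"; exit 1; }
is_root int.crt && echo "note: issuer is already a root, no intermediate needed"
# With a real DigiCert chain the root is instead exported from the JRE, e.g.
#   keytool -exportcert -rfc -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit \
#           -alias <digicert root alias from 'keytool -list'> -file root.crt
openssl verify -CAfile root.crt -untrusted int.crt server.crt       # full chain must validate
cat server.key server.crt int.crt root.crt > chain.pem               # key + cert + intermediate + root
openssl pkcs12 -export -in chain.pem -name jetty -out keystore.p12 -passout "pass:$PASS"
if command -v keytool >/dev/null 2>&1; then                         # JKS step needs a JDK/JRE
  keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
          -destkeystore keystore.jks -deststoretype JKS -deststorepass "$PASS" -noprompt
fi
echo "keystore files written to $WORK"
```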
Here are the steps I followed to install the certificate.
1. Created a PKCS12 with three files (private key file, my cert, CA cert) using the OpenSSL tool.
openssl pkcs12 -export -out j2vproject.pkcs12 -inkey my_privatekeyfile.key -in star_xyz_abc.crt -certfile DigiCertCA.crt
2. Created a Java keystore from the PKCS12 using the keytool tool.
keytool -v -importkeystore -srckeystore j2vproject.pkcs12 -srcstoretype PKCS12 -destkeystore j2vprojectkeystore.jks -deststoretype JKS
3. Added this keystore to the server and it worked.