For testing purposes, this dummy self-signed certificate will do (alias entry e.g. cas):
keytool -genkey -keyalg RSA -alias cas -keystore keystore.jks -validity 360 -keysize 2048
We have three files:
chmod 400 private_key.pkey
chmod 444 certificate.crt
chmod 444 issuer-concat-cert.crt
Converting the separated PKCS12/Apache certs to a centralized .p12 (also PKCS12), alias entry e.g. cas:
openssl pkcs12 -export -in certificate.crt -inkey private_key.pkey -out certificate.p12 -name cas -CAfile issuer-concat-cert.crt -caname root -chain
(enter private key's passphrase, it's the same as for apache)
(enter and confirm a storepass for the export, my advice is to use the same as the passphrase, since this also overrides the key passphrase!)
chmod 400 certificate.p12
Note: the passphrase was changed during the export: it’s now the same as the export storepass!
There is no need to convert from PKCS12 to JKS for CAS, which is able to read a P12 keystore too. However, for applications other than CAS, if PKCS12 is no good, here’s a way to go:
#keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -srcalias cas -destkeystore certificate.jks -deststoretype jks -destalias cas
#-deststorepass
#chmod 400 certificate.jks
Check the keystore,
keytool -v -list -keystore certificate.p12 | grep -i alias
#-storetype pkcs12
#-storepass
#keytool -v -list -keystore certificate.jks
If you get this error when launching the CAS application with java,
javax.crypto.BadPaddingException: Given final block not properly padded
==> means wrong key (or bad passphrase)…
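The checks below are an added example, not part of the original notes: using openssl alone, they confirm that certificate.p12 opens with the export storepass (and no longer with the old key passphrase) and that the private key inside belongs to its certificate, which are the wrong-key and bad-passphrase cases named above. The function names, the passwords and the CN are constructed for the demonstration; the file names and the alias are the page's.

```shell
#!/bin/sh
# Added example (not from the original page). Passwords go through the
# environment (-passin env:VAR), not argv, so they do not show up in `ps`.

# p12_opens FILE PASS: succeeds only if PASS unlocks the PKCS12 store.
p12_opens() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1
}

# p12_pair_matches FILE PASS: succeeds only if the private key stored in FILE
# belongs to the certificate stored next to it (public keys are identical).
# The decrypted key only travels through a pipe, it is never written to disk.
p12_pair_matches() {
    cert_pub=$(P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_fixture DIR KEYPASS STOREPASS: constructed throwaway self-signed pair,
# exported with the page's file names and alias (no -CAfile/-chain: no issuer).
make_fixture() {
    KEY_PASS="$2" openssl req -x509 -newkey rsa:2048 -days 1 \
        -subj "/CN=cas.example.test" -passout env:KEY_PASS \
        -keyout "$1/private_key.pkey" -out "$1/certificate.crt" 2>/dev/null &&
    KEY_PASS="$2" P12_PASS="$3" openssl pkcs12 -export -name cas \
        -in "$1/certificate.crt" -inkey "$1/private_key.pkey" \
        -out "$1/certificate.p12" -passin env:KEY_PASS -passout env:P12_PASS &&
    chmod 400 "$1/certificate.p12"
}

# demo: build the constructed fixture and run the checks against it.
demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" 'constructed-key-pass' 'constructed-store-pass' || return 1
    p12_opens "$d/certificate.p12" 'constructed-store-pass' && echo "storepass: opens"
    p12_opens "$d/certificate.p12" 'constructed-key-pass' || echo "old key passphrase: rejected"
    p12_pair_matches "$d/certificate.p12" 'constructed-store-pass' && echo "key matches cert"
    rm -rf "$d"
}
demo
```

Against a real store, call `p12_opens certificate.p12 "$STOREPASS"` and `p12_pair_matches certificate.p12 "$STOREPASS"` with the password read from a protected source rather than typed on the command line.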