I've been following the process in the Install Guide for importing a new security certificate into PulseNET, but the new private key fails to install.
You cannot directly import a new private key, but there is a workaround.
For ages, the keytool application shipped as part of Java could generate a private key and certificate signing request from a Java keystore, but the most basic function, importing a pre-existing private key and certificate generated externally, remained overlooked.
This is fixed in Java 6, at long last.
RESOLUTION:
The solution is to convert your existing certificate and key into a PKCS12 file, and then use the keytool functionality to merge one keystore with another one. Java 6 can treat a PKCS12 file as a keystore, so putting this together, you get this:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my-keystore.jks -srckeystore cert-and-key.p12 -srcstoretype PKCS12 -srcstorepass cert-and-key-password -alias 1
The alias of 1 is required to choose the certificate in the source PKCS12 file; keytool isn't clever enough to figure out which certificate you want in a store containing one certificate.
In this case:
· destkeystore is the PulseNET (Tomcat) keystore file
· srckeystore is the converted PKCS12 file
You can convert a cert and private key into a PKCS12 file using this command (from the OpenSSL toolkit):
openssl pkcs12 -export -in server.crt -inkey server.key \
-out server.p12 -name some-alias \
-CAfile ca.crt -caname root
Make sure you put a password on the p12 file - otherwise you'll get a null reference exception when you try to import it.
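The two steps above as one script, with the checks that catch a failed import before keytool runs: an empty p12 password and a key that does not belong to the certificate. This is an added example, not part of the Install Guide or the original article; the function names and the P12_PASS and JKS_PASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example. Passwords are read from the exported environment variables
# P12_PASS and JKS_PASS (assumed names) instead of being typed inline.

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {  # usage: key_matches_cert server.crt server.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Build the PKCS12 file, refusing inputs that would break the later import.
make_p12() {  # usage: make_p12 server.crt server.key out.p12 alias
    if [ -z "${P12_PASS:-}" ]; then
        echo "P12_PASS is empty: the p12 file must have a password" >&2
        return 2
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "private key does not match certificate" >&2
        return 3
    fi
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
        -passout env:P12_PASS
}

# Print the alias keytool will see: the PKCS12 friendlyName set by -name.
p12_alias() {  # usage: p12_alias out.p12
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Merge the PKCS12 file into the Tomcat keystore, selecting the entry by the
# alias actually stored in the file (-srcalias names the source entry).
import_p12() {  # usage: import_p12 out.p12 my-keystore.jks
    alias=$(p12_alias "$1")
    [ -n "$alias" ] || { echo "no alias found in $1" >&2; return 4; }
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
        -srcstorepass "$P12_PASS" -srcalias "$alias" \
        -destkeystore "$2" -deststorepass "$JKS_PASS" -destkeypass "$JKS_PASS"
}
```

Running keytool -list -v -keystore my-keystore.jks afterwards should show the imported alias as a PrivateKeyEntry, which confirms the key went in along with the certificate.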