- private key for SSL certificate sign request
- signed SSL certificate
- Root CA certificate
- Intermediate CA certificate (optional)
For importing a trusted certificate into JAVA keystore, I think create a new keystore and replace the original one seems like a good practice.
I believe you will know how to import Root CA and intermediate CA as trustcacerts into keystore.
However, if you only import the signed SSL certificate without the private key, then the entry will treat as "TrustCertEntry" instead of a "PrivateKeyEntry".
The tomcat server will start and listen to 443 but will refuse to serve connection.
Therefore we need to use openssl to combine the signed SSL certificate and private key as PKCS12 format.
Then import the PKCS12 format entry into the keystore.
openssl pkcs12 -export -in FQDN.crt -inkey private-ssl.key -certfile FQDN.crt -out FQDN.p12 -name tomcat
keytool -importkeystore -srckeystore FQDN.p12 -srcstoretype pkcs12 -destkeystore mynew_keystore -destalias tomcat -alias tomcat
The check point is, this signed SSL certificate and private key should be shown as "PrivateKeyEntry" instead of "TrustCertEntry" in the keystore.
You can use below command to check if certificates entry are correct.
keytool -list keystore
Is there any other better ways to import your signed SSL certificate more easily?
Let's see if there are further updates later. :p