I have a p7b cert, and I import it into IIS and export it into 3 .cer files as below.
- root.cer
- intermediate.cer
- servercertificate.cer
Then I use the following commands to insert all 3 .cer files into my keystore successfully.
keytool -import -alias root -keystore test.keystore -trustcacerts -file root.cer
Then I run my WildFly and get the error “keystore does not contain any key”, but when I list out the keystore, it has all 3 keys inside. I’m not sure why it doesn’t work and hope someone can enlighten me on this.
Answer
A Java keystore can contain (at least) two different kinds of entries:
- a ‘trustedCertEntry’ entry that contains a certificate
- a ‘privateKeyEntry’ that contains a privatekey AND certificate chain
You created the first kind by importing lone certificates; look at the display from keytool -list and these entries will be labelled trustedCertEntry. An SSL/TLS server requires a privatekey AND certificate chain, in a privateKeyEntry.
I don’t know IIS, but if you mean you generated the key and CSR in IIS, IIS normally uses the Windows keystore for some system account; I don’t recall which but it should be obvious in the config somewhere. You need to run MMC+CertMgr for that account, locate the correct entry (which has a yellow key on the left side of the cert icon), and export it with ‘Yes export the private key’ in format ‘PKCS#12 (PFX)’ ‘include … path’ to a file. In many cases Java/JCE can use a PKCS12 file directly as a keystore (instead of JKS) but if you need or prefer to convert to JKS use keytool -importkeystore (not -importcert).
See also near-dupe JBoss Https configuration with CER/P7b certificate fails
Attribution
Source : Link , Question Author : Osoto , Answer Author : dave_thompson_085
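The check and conversion the answer describes, as an added example that is not part of the original question or answer: it classifies the entries in `keytool -list` output and wraps the `keytool -importkeystore` conversion. The function names, file names, aliases and both sample listings are constructed assumptions.

```shell
#!/bin/sh
# Added example. Function names, file names and aliases are assumptions.

# Count entries of one type in `keytool -list` output read from stdin.
# keytool prints the type as the last field of each entry line, e.g.
#   root, Jan 1, 2024, trustedCertEntry,
# Matching is case-insensitive; CRs from Windows consoles are stripped.
count_entries() {
    tr -d '\r' | grep -ci ", *$1, *\$" || true
}

# Succeeds only if the listing has at least one PrivateKeyEntry,
# which is what an SSL/TLS server keystore needs.
has_private_key_entry() {
    [ "$(count_entries PrivateKeyEntry)" -gt 0 ]
}

# Convert the PKCS#12 (PFX) file exported with its private key into JKS.
# $1 = source .pfx, $2 = destination keystore; keytool prompts for passwords.
pfx_to_jks() {
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 \
        -destkeystore "$2" -deststoretype JKS
}

# Constructed listing: what importing three lone .cer files produces.
BEFORE='Your keystore contains 3 entries

root, Jan 1, 2024, trustedCertEntry,
intermediate, Jan 1, 2024, trustedCertEntry,
servercertificate, Jan 1, 2024, trustedCertEntry,'

# Constructed listing: what importing the PFX produces.
AFTER='Your keystore contains 1 entry

server, Jan 1, 2024, PrivateKeyEntry,'

for name in BEFORE AFTER; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | has_private_key_entry; then
        echo "$name: usable as a server keystore (has a PrivateKeyEntry)"
    else
        echo "$name: certificates only, no private key"
    fi
done
```

Against a real keystore, pipe `keytool -list -keystore test.keystore` into `has_private_key_entry`.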