Java: Importing a .cer certificate into a java keystore

First let’s have a short look at what those certificates are and what you need them for. A certificate is basically a public key together with some additional identification information (e.g. country, location, company…). The certificate is signed by a Certificate Authority (CA) which guarantees that the information attached to the certificate are true. The .cer files are files containing a certificate.

Additionally to the certificate, you also need a private key. The receiver of the certificate will use the public key in the certificate to decipher the encrypted text sent you are sending. You will encrypt the text using the corresponding private key. The public key in the certificate is publicly available. But you are the only one having access to the private key (that’s why the keystore containing your private key is protected by a password). This allows everybody to check whether sent information really comes from you.

While developing your software you will most probably be working with self-generated certificates. These certificates do not allow the client application to check whether you are really who you say are but they allow you to test most certificate related functionality. You can generate such a certificate like this:

$JAVA_HOME/bin/keytool -genkey -alias ws_client -keyalg RSA -keysize 2048 -keypass YOUR_KEY_PASSWORD \
         -keystore PATH_TO_KEYSTORE/ws_client.keystore \
         -storepass YOUR_KEYSTORE_PASSWORD -dname "cn=YOUR_FQDN_OR_IP, ou=YOUR_ORG_UNIT, o=YOUR_COMPANY, c=DE" \
         -validity 3650 -J-Xmx256m

Note that the backslashes you see in there are only required so that this command is recognized as a multiline command. If you write it all on one line, you won’t need them.

The certificate generated above is valid for almost 10 years (3650 days).

The -J parameter is just in there so that you do not get such an error invoking keytool:

Error occurred during initialization of VM
Could not reserve enough space for object heap
Could not create the Java virtual machine.

Now, when you go into production, you’ll want to have a “real” certificate so that your users do not get more or less scary messages saying that your identity cannot be verified (i.e. has not been created by a trusted certificate authority). You’ll have to buy such a certificate or have your customer generate one if they can.

This is how you can display the certificates currently installed in your keystore:

$JAVA_HOME/bin/keytool -list \
         -keystore PATH_TO_KEYSTORE/ws_client.keystore \
         -storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m

It will return something like:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ws_client, Apr 9, 2014, PrivateKeyEntry,

Certificate fingerprint (MD5): 4A:B5:07:64:A3:FF:16:E4:B9:28:A3:D9:BE:9D:7D:E6

You can export this certificate like this:

$JAVA_HOME/bin/keytool -exportcert -rfc -alias ws_client -file CER_FILE_PATH \
         -keystore PATH_TO_KEYSTORE/ws_client.keystore \
         -storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m

The rfc option means that the certificate will not be exported in binary form but as shown below.

The exported file looks like this:


In order to do get a certificate, you’ll have to provide the certifying authorities of the customer with a certificate request. This can be done using the keytool command like this:

$JAVA_HOME/bin/keytool -certreq -alias ws_client -file CSR_FILE_PATH -keypass YOUR_KEY_PASSWORD \
         -keystore PATH_TO_KEYSTORE/ws_client.keystore \
         -storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m

The certificate request file looks like this:


This certificate request file can then be sent to the person providing the certificate. Using this certificate request, he/she will generate a certificate which can then be imported this way:

$JAVA_HOME/bin/keytool -importcert -alias ws_client -file CER_FILE_PATH \
         -keystore PATH_TO_KEYSTORE/ws_client.keystore \
         -storepass YOUR_KEYSTORE_PASSWORD -J-Xmx256m 

You will need to answer y when prompted whether you trust this certificate:

Owner:, OU=Blog, O=amazingweb GmbH, C=DE
Issuer:, OU=HenriCA, O=amazingweb GmbH, C=DE
Serial number: 534565a5
Valid from: Wed Apr 09 17:22:13 CEST 2014 until: Sat Apr 06 17:22:13 CEST 2024
Certificate fingerprints:
         MD5:  4A:B5:07:64:A3:FF:16:E4:B9:28:A3:D9:BE:9D:7D:E6
         SHA1: 69:C5:C9:9D:08:AE:17:37:2E:58:F6:77:C9:7B:59:59:E3:29:49:74
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

Note that whether you use a self-generated certificate or one generated by a trusted CA, you will need to reference the keystore file and provide the keystore password in the configuration of your servlet container or application server (e.g. in jbossweb.sar/server.xml for JBoss).

Leave a Reply

Your email address will not be published. Required fields are marked *