Importing Certificate Reply Back to KeyStore

This section provides a tutorial example on how to import a certificate reply sign by a CA back into a KeyStore, where the private key is stored.

When Amy receives the certificate from me, she should import her certificate into her KeyStore to keep it together with her private-public pair:

Amy lists what's in her KeyStore file:

C:\amy>\local\jdk\bin\keytool -list -keystore amy.jks -storepass AmyJKS

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

amy@xyz.com, Mar, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 78:D6:7B:3D:56:E6:50:C2:A8:4D:6F:8F...

Amy tries to import her certificate back to the PrivateKeyEntry:

C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks 
   -storepass AmyJKS -file amy_xyz_com.crt -alias amy@xyz.com

keytool error: java.lang.Exception: Failed to establish chain from 
reply

Unfortunately, keytool wants to verify Amy's certificate with the root and intermediate CA certificates. So Amy should import my certificate and CAcert.org certificate into the KeyStore first:

C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks 
   -storepass AmyJKS -file herongyang_com.crt 
   -alias herongyang.com

Owner: CN=herongyang.com
Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, 
   OU=http://www.cacert.org, O=Root CA
Serial number: 9dc82
...
Trust this certificate? [no]:  Yes
Certificate was added to keystore

C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks 
   -storepass AmyJKS -file CACertSigningAuthority.crt 
   -alias CACertSigningAuthority

Owner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, 
   OU=http://www.cacert.org, O=Root CA
Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, 
   OU=http://www.cacert.org, O=Root CA
Serial number: 0
...
Trust this certificate? [no]:  Yes
Certificate was added to keystore

Amy tries again to import her certificate back to the PrivateKeyEntry:

C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks 
   -storepass AmyJKS -file amy_xyz_com.crt -alias amy@xyz.com

Certificate reply was installed in keystore

C:\amy>\local\jdk\bin\keytool -list -keystore amy.jks -storepass AmyJKS

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

amy@xyz.com, Mar, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:5D:79:5A:47:76:C7:1A:53:3C:30:90...
herongyang.com, Mar, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 8C:DC:62:CE:D6:F0:54:A9:6E:A2:0B:F2...
cacertsigningauthority, Mar, 2011, trustedCertEntry,
Certificate fingerprint (MD5): A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20...

Notice that Amy's PrivateKeyEntry has been updated with Amy's certificate.

Last update: 2011.

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

 Introduction of HTTPS (Hypertext Transfer Protocol Secure)

 Using HTTPS with IE (Internet Explorer) 10

 Using HTTPS with Chrome 40

 Using HTTPS with Firefox 35

 Perl Scripts Communicating with HTTPS Servers

 PHP Scripts Communicating with HTTPS Servers

 Java Programs Communicating with HTTPS Servers

 Certificate Stores and Certificate Console

 .NET Programs Communicating with HTTPS Servers

 CAcert.org - Root CA Offering Free Certificates

PKI CA Administration - Issuing Certificates

 Root CA and Intermediate CA

 Requesting and Signing Personal Certificate

 Generating a Private-Public Key Pair for Amy

 Generating a CSR (Certificate Signing Request)

 Verifying Requester's Email Address

 Exporting a Private Key from a KeyStore File

 Signing a CSR into a Certificate

Importing Certificate Reply Back to KeyStore

 "bad decrypt:./crypto/evp/evp_enc.c:461" Error

 Requesting and Signing Server Certificate

 Digital Signature - Microsoft Word 2007

 Digital Signature - OpenOffice.org 3

 S/MIME and Email Security

 PKI (Public Key Infrastructure) Terminology

 Outdated Tutorials

 References

 PDF Printing Version