Java keytool: import signed certificate to keystore
April 20, 2011 12:26:08 Last update: April 20, 2011 12:26:08
When you create a new key with Java keytool, it wraps the public key in a self-signed certificate. You can generate a certificate signing request with the keytool -certreq command. After a certificate authority (CA) signs the certificate request, you can import the certificate you receive (a .crt file) back into the keystore. Instead of using a CA, you can sign the certificate request with another key (with openssl, for example).
- If the certificate is not signed by a CA (for example, you signed it with your own openssl key), the import fails with an error:
    $ keytool -import -alias android-root -file android.crt
    Enter keystore password: password
    keytool error: java.lang.Exception: Failed to establish chain from reply
- To fix the problem, import the certificate of the signer:
    $ keytool -import -trustcacerts -file openssl.crt -alias AndroidRoot
    Enter keystore password: password
    Owner: CN=Android Root, OU=OWL, O=Sans Serif, L=Los Angeles, ST=CA, C=US
    Issuer: CN=Android Root, OU=OWL, O=Sans Serif, L=Los Agneles, ST=CA, C=US
    Serial number: ac538e7d69137861
    Valid from: Wed Apr 20 14:23:56 EDT 2011 until: Sat Apr 17 14:23:56 EDT 2021
    Certificate fingerprints:
         MD5: D0:B9:3D:81:82:E7:D7:44:09:69:0F:BD:DE:6E:79:39
         SHA1: 3C:21:74:13:48:6C:BF:1D:F3:A5:95:6B:1F:36:36:BF:B0:8F:DB:88
    Trust this certificate? [no]: yes
    Certificate was added to keystore
- Import the certificate again (alias is the alias of the private key whose certificate was signed):
    $ keytool -import -alias android-root -file android.crt
    Enter keystore password: password
    Certificate reply was installed in keystore
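
Before running the two imports above, you can confirm with openssl that the reply really chains to the signer's certificate and was issued for the key in your signing request. This is an added example, not part of the original page; the function names, the sample file names and the CSR file are assumptions, and it needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: pre-flight checks for a certificate reply before
# `keytool -import`. Requires OpenSSL 1.1.0+ (for -no-CApath).

# check_reply SIGNER_CRT REPLY_CRT CSR   (hypothetical helper)
#   0 = reply verifies against the signer and carries the CSR's public key
#   1 = reply was not signed by SIGNER_CRT, so importing SIGNER_CRT as a
#       trusted certificate will not let keytool build the chain
#   2 = reply was issued for a different key than the one in the CSR
check_reply() {
    signer=$1; reply=$2; csr=$3
    # Trust only the given signer, not the system CA directory.
    if ! openssl verify -no-CApath -CAfile "$signer" "$reply" >/dev/null 2>&1
    then
        echo "chain: $reply does not verify against $signer" >&2
        return 1
    fi
    # Compare the PEM-encoded public keys of the reply and the request.
    reply_key=$(openssl x509 -in "$reply" -noout -pubkey)
    csr_key=$(openssl req -in "$csr" -noout -pubkey)
    if [ "$reply_key" != "$csr_key" ]; then
        echo "key: $reply was issued for a different public key" >&2
        return 2
    fi
    return 0
}

# make_sample DIR: constructed test material. openssl stands in here for
# `keytool -genkey` and `keytool -certreq`; all names are made up.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-key" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-key" \
        -keyout "$d/leaf2.key" -out "$d/leaf2.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 1 -out "$d/leaf.crt" 2>/dev/null
}
```

With the files from this page the call would be `check_reply openssl.crt android.crt` followed by the CSR file you produced with keytool -certreq.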