How to import a .cer certificate into a java keystore?

java

keytool

keystore

certificate

byAnton Shumikhin·Oct 17, 2024

To import a .cer certificate into a Java keystore, run the following command:

keytool -importcert -file my_certificate.cer -alias "mycert" -keystore my_keystore.jks

In the command above, replace my_certificate.cer with your certificate file, mycert with a unique alias for identification, and my_keystore.jks with your target keystore file. If the keystore doesn't exist, the system will prompt for a new password and create it. If it exists, you need to provide the existing keystore password.

Bear in mind, .cer files do not include the private key, essential for certain authentications like mutually authenticated SSL. To perform such authentications, you'd need a .pfx keystore file which houses the private key.

Quick insights: Certificates, private keys, and their roles

A certificate (such as a .cer file) in Java primarily acts to establish trust. Think of it as your application’s ID card, assuring others that it’s safe and genuine. However, it doesn't hold any private keys. For authentication purposes, where your application proves its identity to others, you will need the certificate coupled with the respective private key.

Therefore, a simple import of the .cer file will only ensure your application can recognize and trust the server. But if your application needs to authenticate itself to the server, you will require a .pfx file containing both the certificate and the private key.

Recipes for common scenarios

Beyond just importing a trusted certificate, you may stumble upon several other common scenarios. Let's sketch some key commands for each:

Importing a CA certificate:

keytool -import -alias "caAlias" -file "caCert.cer" -keystore "truststore.jks" -storepass "changeit"

Listing what's in the keystore (like reading a menu 😄):

keytool -list -v -keystore "my_keystore.jks"

Exporting a certificate from a keystore (the takeout option):

keytool -export -alias "mycert" -file "my_certificate.cer" -keystore "my_keystore.jks"

Automating the import using Java Code

To automate certificate imports, you can leverage the power of Java's KeyStore API. Here’s a step-by-step guide:

Initialize a new keystore:

KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null); // There's nothing like a freshly-wiped keystore!

Create a CertificateFactory for X.509 certificates:

CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

Read your .cer certificate:

try (InputStream certInputStream = new BufferedInputStream(new FileInputStream("my_certificate.cer"))) {
    Certificate cert = certificateFactory.generateCertificate(certInputStream);
    trustStore.setCertificateEntry("myCertAlias", cert); // "myCertAlias" is the alias
}

Always handle exceptions gracefully. Your code can potentially throw GeneralSecurityException and IOException during keystore or certificate operations.

For a more user-friendly method, consider utilizing KeyStore Explorer. This GUI-based open-source tool simplifies keystore management by permitting direct import of .cer files.

Incredible extras: More than just a command-line tool

Command-line tools like keytool are efficient for interacting with keystores, but you may fancy a broader and more visual interface. KeyStore Explorer, an open-source application, grants that wish. You can: