How to import a .cer certificate into a java keystore?

Quick insights: Certificates, private keys, and their roles

A certificate (such as a .cer file) in Java primarily acts to establish trust. Think of it as your application’s ID card, assuring others that it’s safe and genuine. However, it doesn't hold any private keys. For authentication purposes, where your application proves its identity to others, you will need the certificate coupled with the respective private key.

Therefore, a simple import of the .cer file will only ensure your application can recognize and trust the server. But if your application needs to authenticate itself to the server, you will require a .pfx file containing both the certificate and the private key.

Recipes for common scenarios

Beyond just importing a trusted certificate, you may stumble upon several other common scenarios. Let's sketch some key commands for each:

• Importing a CA certificate:

keytool -import -alias "caAlias" -file "caCert.cer" -keystore "truststore.jks" -storepass "changeit"


• Listing what's in the keystore (like reading a menu 😄):

keytool -list -v -keystore "my_keystore.jks"


• Exporting a certificate from a keystore (the takeout option):

keytool -export -alias "mycert" -file "my_certificate.cer" -keystore "my_keystore.jks"


Automating the import using Java Code

To automate certificate imports, you can leverage the power of Java's KeyStore API. Here’s a step-by-step guide:

1. Initialize a new keystore:

KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null); // There's nothing like a freshly-wiped keystore!


2. Create a CertificateFactory for X.509 certificates:

CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");


3. Read your .cer certificate:

try (InputStream certInputStream = new BufferedInputStream(new FileInputStream("my_certificate.cer"))) {
    Certificate cert = certificateFactory.generateCertificate(certInputStream);
    trustStore.setCertificateEntry("myCertAlias", cert); // "myCertAlias" is the alias
}


4. Always handle exceptions gracefully. Your code can potentially throw GeneralSecurityException and IOException during keystore or certificate operations.

For a more user-friendly method, consider utilizing KeyStore Explorer. This GUI-based open-source tool simplifies keystore management by permitting direct import of .cer files.

Incredible extras: More than just a command-line tool

Command-line tools like keytool are efficient for interacting with keystores, but you may fancy a broader and more visual interface. KeyStore Explorer, an open-source application, grants that wish. You can:

• View the contents of any keystore.
• Quickly import/export certificates. No command-line expertise required.
• Generate and manage keys and certificates within an intuitive GUI.