
Import Trust Chain to the keypair or import it to keystore or both


We are trying to get a valid SSL certificate for our Tomcat server, and we are using KeyTool to manage the keystore

...but I think anyone with a security background can help!


  1. I create a keystore.
  2. Generate a public and private key pair in it.
  3. Generate a CSR.
  4. Submit the CSR and get the certificate and trust chain.
  5. I import the certificate.
  6. I must import the trust chain.

Step 6 is my problem. I have two options:

Append the certificate to the key pair (named tomcat). Below: Append Certificate

Or import the CAs to the keystore, as below:

Import CAs to Keystore

Should I do both?! If the first option (Append Certificate to Key-pair) is enough, then why would someone need to add a certificate to the keystore?


Solution

  • A key pair is basically represented as a private key and a certificate chain in a Java keystore, and the certificates contain the public key. When you generate the key pair using the keytool command, it asks you for some details that are required to put on the self-signed certificate it will be generating and associating with that private key. So in this case your certificate chain contains 1 certificate.

    When you generate a CSR, and have received your signed certificate and the other chain-of-trust certificates (i.e. the CA and SubCA certs) in a single file like a p7b, you will be adding them to your current key pair, i.e. you will be associating the certificate chain with its corresponding private key. So, in this case, you would choose the Import CA Reply option in the keystore-explorer.

    When you do that, the keystore-explorer will construct the certificate chain like this:

    CA Certificate (self-signed)
    |
    |__ 2. Sub CA Certificate (signed by the above CA)
            |
            |__ 1. Sub-sub CA Certificate (if any) (signed by the above Sub CA)
                    |
                    |__ 0. End Entity Certificate (your certificate, signed by the above cert)
    

    To see how it looks in the keystore using keytool: when you -list the keystore contents, you will see a PrivateKeyEntry with Certificate chain length: x.

    So to answer your option 1: when you want to edit this certificate chain, like adding a certificate or removing a certificate, you can use the Edit Certificate Chain option the keystore-explorer provides.

    To answer your option 2: just like the key pair entries exist in a keystore, a certificate can also exist by itself. It is called a Certificate Entry. When a keystore contains only certificates, it is called a truststore. You might have heard of the cacerts file the Java installation folder contains. It is the truststore file, which contains all the CA and SubCA certificates Java would want to trust. When you have a new organization's certificate that you want Java to trust, you would add that certificate to the cacerts file. In this case you would choose the Import Trusted Certificate option.

    If you are importing the CA's reply, you are technically supposed to associate it with its corresponding private key. So you should be doing the Import CA Reply.
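The asker's six steps and the answer's two options, run end to end with keytool as an added example (not code from the question or the answer). A throwaway local CA created with keytool stands in for the real CA; every alias, file name, host name and password here (ca, root, tomcat, keystore.jks, tomcat.example.test, changeit) is an assumption, and a JDK's keytool must be on PATH.

```shell
#!/bin/sh
# Added example: walks the six steps with keytool. A local throwaway CA
# stands in for the real CA; all names and the password are made up.
set -eu

command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH"; exit 0; }

KT="keytool -storepass changeit"   # same password for both stores, for brevity

build_keystore() (
  cd "$(mktemp -d)"

  # Stand-in CA (in real life this key belongs to the CA, never to you).
  $KT -genkeypair -keystore ca.jks -alias ca -keyalg RSA -keysize 2048 \
      -dname "CN=Example Test Root CA" -ext bc=ca:true -validity 3650 >/dev/null
  $KT -exportcert -keystore ca.jks -alias ca -rfc -file ca.cer >/dev/null

  # Steps 1-3: keystore, key pair under alias tomcat, CSR.
  $KT -genkeypair -keystore keystore.jks -alias tomcat -keyalg RSA -keysize 2048 \
      -dname "CN=tomcat.example.test" -validity 365 >/dev/null
  $KT -certreq -keystore keystore.jks -alias tomcat -file tomcat.csr >/dev/null

  # Step 4: the CA signs the CSR and returns the end-entity certificate.
  $KT -gencert -keystore ca.jks -alias ca -infile tomcat.csr -outfile tomcat.cer \
      -rfc -validity 365 -ext san=dns:tomcat.example.test >/dev/null

  # Option 2 (step 6): the CA certificate becomes a trustedCertEntry.
  # Without it (or the CA already in cacerts) keytool cannot validate the
  # reply in the next step and refuses to install it.
  $KT -importcert -keystore keystore.jks -alias root -file ca.cer -noprompt >/dev/null

  # Option 1 (step 5): importing the reply under the key pair's own alias
  # attaches the chain [end-entity, CA] to the PrivateKeyEntry.
  $KT -importcert -keystore keystore.jks -alias tomcat -file tomcat.cer -noprompt >/dev/null

  # Result: one PrivateKeyEntry with chain length 2, one trustedCertEntry.
  $KT -list -v -keystore keystore.jks \
      | grep -E 'Alias name|Entry type|Certificate chain length'
)

build_keystore
```

The CA reply import only succeeds because the CA certificate was imported first; running the two importcert commands in the other order reproduces the "Failed to establish chain from reply" error.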