
Add different p12 certificates to jvm


I have different services using SSL in my application; those services use different .p12 files, with different passwords, to connect. Right now Java loads the truststore and the keystore plus the files on each call, so I want to remove this behaviour and add the certificates to my JVM by default. This is something I can do using

-Djavax.net.ssl.keyStore="{mycert.p12}" -Djavax.net.ssl.keyStorePassword={mypassword} -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.trustStore="{cacertsroute}" -Djavax.net.ssl.trustStorePassword=changeit

But I have different p12 files, so I need to concatenate them into one file, because I cannot tell the JVM to use multiple p12 files and passwords on the command line.

I created a new, empty p12 file and added one of the p12 files into it using keytool:

keytool -importkeystore -srckeystore first.p12 -srcstoretype pkcs12 -srcstorepass firstp12pass -destkeystore newstore.p12 -deststoretype pkcs12 -deststorepass firstp12pass

After that I have a new keystore with just one p12 in it, and it works with the service that uses the first.p12 cert. I read that the keystore and the p12 should have the same password, so to add the second p12 file I created a temp.p12 file that changes the password of second.p12 to firstp12pass, so now they have the same password, and then I used the same command as before to add temp.p12 (which is second.p12) to newstore.p12.

Now I have just one file with the two entries for the different services, but when I use the certificate now it is not working.

I debugged the SSL call and it seems that the CN is not right. When I call with a p12 with just one entry it sends the right CN to the server, but when I use the one with two entries it doesn't select the right one.

Could someone help me with this? Maybe it's not possible to mix the files or there is another way to do that.

Thanks,


Solution

  • It seems you are doing this to enable mutual certificate authentication as opposed to setting up a simple HTTPS connector.

    I would suggest combining the certificates in a single .pfx by exporting them both as plaintext .pem files and concatenating them. This can also be used to manually create certificate chains.

    1. Convert PFX to PEM (convert both PFX files): openssl pkcs12 -in example.pfx -out example.pem -nodes
    2. Concatenate both PEM files including the BEGIN CERTIFICATE and END CERTIFICATE tags
    3. Convert the combined PEM file back to PFX: openssl pkcs12 -export -in example.pem -out example-concat.pfx
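Whichever way the two PKCS12 files are merged (keytool -importkeystore as in the question, or the PEM concatenation above), the resulting keystore holds two PrivateKeyEntry aliases, and the JDK's default key manager chooses between them only by matching the issuer names the server sends in its CertificateRequest; it knows nothing about which service is being called, which is why the wrong CN shows up once a second entry exists. The example below is added here and is not code from the asker or the answerer: it first lists the entries of the merged keystore (the check to run before blaming the TLS layer), then wraps the default key manager in an X509ExtendedKeyManager that picks the alias by the peer host the socket or engine was created for, falling back to the default choice for unmapped hosts. The alias names (first, second) and host names (service-a.example, service-b.example) are assumptions; substitute whatever keytool -list reports.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedKeyManager;

/** Chooses the client certificate by the host being contacted instead of by the
 *  JSSE default (first key entry whose issuer matches the server's CA list). */
public class PerServiceKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    // Hypothetical mapping: peer host name -> alias of the PrivateKeyEntry to present.
    private final Map<String, String> aliasByHost;

    public PerServiceKeyManager(X509ExtendedKeyManager delegate, Map<String, String> aliasByHost) {
        this.delegate = delegate;
        this.aliasByHost = aliasByHost;
    }

    /** Obtains the JDK's own key manager for a loaded keystore; it does the real key/cert lookups. */
    public static X509ExtendedKeyManager defaultKeyManager(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) return (X509ExtendedKeyManager) km;
        }
        throw new IllegalStateException("no X509ExtendedKeyManager available");
    }

    /** Check step: confirm the merged PKCS12 really holds one PrivateKeyEntry per service. */
    public static void listEntries(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String subject = cert == null ? "(no certificate)" : cert.getSubjectX500Principal().getName();
            System.out.println(alias + " : " + kind + " : " + subject);
        }
    }

    private String aliasFor(String host, String fallback) {
        String alias = host == null ? null : aliasByHost.get(host);
        return alias != null ? alias : fallback; // unmapped hosts keep the JDK's default selection
    }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // The peer host is only known if the socket was created with a host name, not a raw address.
        String host = socket instanceof SSLSocket
                ? ((SSLSocket) socket).getHandshakeSession().getPeerHost() : null;
        return aliasFor(host, delegate.chooseClientAlias(keyType, issuers, socket));
    }

    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return aliasFor(engine.getPeerHost(), delegate.chooseEngineClientAlias(keyType, issuers, engine));
    }

    // Server-side selection and the key/chain lookups are left to the JDK implementation.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return delegate.chooseEngineServerAlias(keyType, issuers, engine); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    public static void main(String[] args) throws Exception {
        // Usage: java PerServiceKeyManager <merged.p12> <password>  (both arguments are placeholders)
        char[] pass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pass); }
        listEntries(ks); // expect one PrivateKeyEntry per service, each with its own subject CN

        // Assumed routing table; aliases are whatever `keytool -list` reported for the merged store.
        Map<String, String> routing = Map.of("service-a.example", "first", "service-b.example", "second");
        X509ExtendedKeyManager km = new PerServiceKeyManager(defaultKeyManager(ks, pass), routing);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null); // null trust managers = JVM default truststore
        SSLContext.setDefault(ctx); // replaces the -Djavax.net.ssl.keyStore* settings for this JVM
    }
}
```

Run the listing first: if it shows only one PrivateKeyEntry, the merge dropped a key (a single keystore password for all entries is required, as the question notes, and the same check applies to the openssl route). Only once both entries are present does per-host selection matter; the map is keyed by the host name passed to the socket factory or SSLEngine, so connections opened by IP address fall back to the JDK default.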