Tags: ssl, tomcat, oauth-2.0, openssl, keystore

import keypair to an existing pkcs12 keystore under a new alias name


I am learning OAuth2 and OpenID Connect and configuring multiple Tomcat servers (a Client for the UI, and multiple Resource Servers for the APIs) to use SSL. So I have created a PKCS12 keystore with a self-signed certificate + private key in the following way and then I pushed it under my 1st Tomcat:

(I know that the commands below can be simplified and combined into one (or two), but I deliberately keep them separate because that way I can see and understand the steps better.)

(1) The keypair was created with openssl this way:

openssl genrsa \
        -des3 \
        -passout pass:$phrase \
        -out id_rsa_$domain.key $numbits

(2) Then I created a Certificate Signing Request with this command:

openssl req \
        -new \
        -key id_rsa_$domain.key \
        -passin pass:$phrase \
        -subj "$subj" \
        -out $domain.csr

(3) After that I created an x509 certificate:

openssl x509 \
        -req \
        -days $days \
        -in $domain.csr \
        -signkey id_rsa_$domain.key \
        -passin pass:$phrase \
        -out $domain.crt

(4) Finally I created a keystore in PKCS12 format:

pem=$domain.pem
cat id_rsa_$domain.key > $pem
cat $domain.crt >> $pem

openssl pkcs12 \
        -export \
        -in $pem \
        -passin pass:$phrase \
        -password pass:$keystore_pwd \
        -name $domain \
        -out example.com.pkcs12
rm $pem

At the end of this process I have the following files:

  • id_rsa_authserver.example.com.key: the private (and public) key
  • authserver.example.com.crt: the self signed certificate
  • example.com.pkcs12: the keystore

Inside the .pkcs12 file I only have one key-pair entry under the authserver.example.com alias. I have checked the result with KeyStore Explorer as well and everything looks fine and the 1st Tomcat works properly with that keystore.

Then I repeated steps (1), (2) and (3) and generated new files for the order.example.com host machine, and at the end I have two new files:

  • id_rsa_order.example.com.key
  • order.example.com.crt

Now I would like to add this new keypair + certificate to my "root" example.com.pkcs12 keystore under the order.example.com alias, so that I keep all certs that I use for my demo in one keystore. I can do it easily with the KeyStore Explorer tool via tools > import key pair > OpenSSL > browse the private key and cert files, but this is not good enough for me. I would like to do the import via the command line using OpenSSL.

Unfortunately I have not found the proper openssl command that I can use to ADD my 2nd key+cert to the existing keystore.

What is the command that I can use?


Solution

  • This doesn't work directly.

    After you have created the key and certificate using openssl, you create a new temporary PKCS12 keystore using openssl.

    openssl pkcs12 -export -in my.crt -inkey my.key -out my.p12 -name myAlias -passin file:myInPasswordFile -passout file:myOutPasswordFile
    

    Then you merge the new temp keystore into the existing one using keytool:

    keytool -importkeystore -deststorepass:file destKeyStorePasswordFile -destkeystore destination.p12 -srckeystore my.p12 -deststoretype PKCS12 -srcstoretype PKCS12 -srcstorepass:file myOutPasswordFile -alias myAlias
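The two-tool route in the answer exists because `openssl pkcs12 -export` writes a file containing exactly one private key; it cannot append a second key entry to an existing PKCS12 file, so the merge is left to keytool. The script below is an added end-to-end example and is not code from the question or the answer. It builds the two key pairs, wraps the first into the "root" keystore and the second into a temporary PKCS12 with openssl, merges the second alias in with keytool, and then lists the keystore so you can confirm both aliases are present. Domain names, passwords and file names are made up for the demo; the private keys are generated unencrypted (`-nodes`) instead of the question's DES3-protected keys so the run needs no passphrase prompts, and openssl and a JDK `keytool` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not part of the original question or answer): create two
# self-signed key pairs, put the first into a PKCS12 keystore with openssl,
# merge the second into it with keytool, and list the resulting aliases.
# Assumes openssl and keytool on PATH; all names and passwords are demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYSTORE="$WORK/example.com.pkcs12"   # the "root" keystore from the question
STORE_PWD="changeit-store"            # keystore password (demo value)

# Steps (1)-(3) of the question in one openssl call. The key is written
# unencrypted (-nodes) so the demo runs non-interactively; the question's
# DES3-protected key works the same way with -passin on the pkcs12 step.
make_key_and_cert() {   # $1 = domain, used as CN and as file-name stem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" \
        -keyout "$WORK/id_rsa_$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Step (4) of the question: one key + cert into its own PKCS12 under alias $1.
# openssl can only put a single private key into a PKCS12 file.
make_p12() {            # $1 = domain (also the alias and file-name stem)
    openssl pkcs12 -export \
        -inkey "$WORK/id_rsa_$1.key" -in "$WORK/$1.crt" \
        -name "$1" -passout "pass:$STORE_PWD" \
        -out "$WORK/$1.p12"
}

# The answer's merge step: copy one alias from the temporary PKCS12 into
# the existing keystore. -noprompt keeps keytool from asking questions.
merge_into_keystore() { # $1 = domain (alias in the temp file)
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/$1.p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PWD" \
        -destkeystore "$KEYSTORE" -deststoretype PKCS12 -deststorepass "$STORE_PWD" \
        -alias "$1" >/dev/null 2>&1
}

# The check: print the alias of every private-key entry, one per line.
# keytool -list prints "alias, date, PrivateKeyEntry," for each key entry.
list_aliases() {
    keytool -list -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STORE_PWD" 2>/dev/null \
        | grep 'PrivateKeyEntry' | cut -d, -f1
}

# Full run: first host becomes the root keystore, second host is merged in.
demo() {
    make_key_and_cert authserver.example.com
    make_p12 authserver.example.com
    cp "$WORK/authserver.example.com.p12" "$KEYSTORE"

    make_key_and_cert order.example.com
    make_p12 order.example.com
    merge_into_keystore order.example.com
    list_aliases
}
```

Run `demo` (or `sh script.sh` with a trailing `demo` call) and the output should be the two aliases `authserver.example.com` and `order.example.com`. Two practical caveats: Java does not support a key password that differs from the store password in PKCS12 keystores, so keep the source and destination store passwords the same as the demo does, or expect keytool to complain; and OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which older JDK releases cannot read; if keytool rejects the temporary file, re-run the `openssl pkcs12 -export` step with `-legacy` to get the older encryption.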