I have a .pfx file that has multiple certificates; one of them is the signing CA certificate of a server certificate assigned to the IBM i Remote Command Server in DCM.
I managed to use openssl and certutil to display the content of such a certificate, as follows:
openssl x509 -passin pass:<password> -text -noout -in filename.pfx
openssl pkcs12 -in filename.pfx -passin pass:<password> -info -nokeys
certutil -v -dump DEVP20.pfx
All the above are working fine and displaying content, but the problem is that I don't know how to analyze such output.
Also, keytool is reporting that there are no entries in the keystore:
keytool -list -v -keystore filename.pfx
Enter keystore password: <enter-password>
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 0 entries
All I want is to create a new trust store, or use an existing trust store such as jssecacerts, and add the signing CA certificate to it.
Note that in the output of the different commands above I see multiple certificates. I am not sure if they are part of the chain or related, and by checking the alias or friendly name, I can tell which one I want.
The objective is to be able to use the class SecureAS400 from IBM Toolbox for Java to open a secure connection to the IBM i and invoke a command. So we have to load the trust store into the JVM.
I appreciate your help.
First, you have to extract the CA certificate from the .pfx file using openssl:
openssl pkcs12 -in filename.pfx -passin pass:<password> -info -nokeys > filename.pem
Double check that extraction worked:
openssl x509 -in filename.pem -noout -text
Then either create a new JKS using keytool:
keytool -import -trustcacerts -keystore test.jks -storepass choose-password -file filename.pem -alias CANAME
Or you can import the certificate into the existing trust store:
keytool -import -keystore cacerts -storepass changeit -file filename.pem -alias CANAME -storetype JKS
Usually you would use openssl to interact with most certificate file formats, and keytool with Java keystores (JKS) only.

Update
PKCS12 is an archive file format for storing private keys and X.509 certificates, with filename extensions .p12 or .pfx. To be able to work with .pfx files you would use the openssl pkcs12 command. I am guessing the x509 command returns the first certificate it finds. (PKCS12 wiki)
keytool: Manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.
I think it only works with Java keystores: .jks or .bcfks (Bouncy Castle FIPS keystore), etc.
I think you might actually be able to import certificates directly from a .pfx file into a Java keystore using keytool:
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
That could also import the private key if it's in the .pfx file, but I am not sure.
Hope that helps.
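The procedure above (extract the CA certificate from the .pfx, confirm it is the right one, import it into a JKS trust store) as an added, self-contained example; this is not code from the question, the answer, or IBM Toolbox for Java. It assumes openssl is on PATH (keytool is optional and only used if present), and it builds its own throwaway .pfx first, so the CA name "Example Test CA", the server name rmtcmd.example.test, the password and all file names are constructed for the example. Beyond the answer's single extraction command, it shows how to tell the certificates in a bundle apart (subject/issuer listing, self-signed check, selection by CN), which is the part the question said was hard to read from the raw output.

```shell
#!/bin/sh
# Added example (not from the question or answer): build a throwaway .pfx holding a
# server certificate plus the CA certificate that signed it, list what is inside,
# pull out just the CA certificate by its CN, confirm it is a root (self-signed)
# and, if keytool is available, import it into a fresh JKS trust store.
# Every name, CN, password and path below is constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=example-pass        # constructed password protecting the test .pfx
CA_CN="Example Test CA"      # constructed CN of the signing CA we want to trust

# Build the constructed bundle: self-signed CA, a server cert issued by it, both in one .pfx.
make_test_pfx() {   # $1 = output .pfx path
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$CA_CN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rmtcmd.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -certfile "$WORK/ca.pem" -name "server" -passout "pass:$PFX_PASS" -out "$1"
}

# Print "subject=" / "issuer=" lines for every certificate in the .pfx, so you can see
# which ones chain together (a cert whose issuer equals another cert's subject).
list_pfx_certs() {   # $1 = .pfx, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$WORK/all.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/all.pem" | openssl pkcs7 -print_certs -noout
}

# Write only the certificate(s) whose subject CN contains $3 to $4, re-encoded so the
# "Bag Attributes" preamble that openssl pkcs12 emits is dropped.
extract_cert_by_cn() {   # $1 = .pfx, $2 = password, $3 = CN substring, $4 = output .pem
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$WORK/all.pem" 2>/dev/null
  rm -f "$WORK"/cert-*.pem
  # Split the PEM bundle into one file per certificate.
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$WORK/all.pem"
  : > "$4"
  for f in "$WORK"/cert-*.pem; do
    if openssl x509 -in "$f" -noout -subject | grep -q "CN *= *$3"; then
      openssl x509 -in "$f" >> "$4"
    fi
  done
}

# True when the certificate is self-signed (subject equals issuer), i.e. a root CA.
is_self_signed() {   # $1 = .pem holding one certificate
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Number of PEM certificates in a file.
count_certs() {   # $1 = .pem
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

make_test_pfx "$WORK/bundle.pfx"
list_pfx_certs "$WORK/bundle.pfx" "$PFX_PASS"
extract_cert_by_cn "$WORK/bundle.pfx" "$PFX_PASS" "$CA_CN" "$WORK/ca-only.pem"
is_self_signed "$WORK/ca-only.pem" && echo "CA certificate is self-signed (root)"

# Import into a fresh JKS trust store when keytool is available. Point the JVM at it with
# -Djavax.net.ssl.trustStore=/path/to/truststore.jks before opening the SecureAS400 connection.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -trustcacerts -storetype JKS -keystore "$WORK/truststore.jks" \
    -storepass changeit -alias example-ca -file "$WORK/ca-only.pem"
  keytool -list -keystore "$WORK/truststore.jks" -storepass changeit -storetype JKS
fi
```

Two caveats worth knowing when running this against a real DCM export instead of the constructed bundle: Java's PKCS12 keystore only lists certificate-only entries that carry Java's trusted-key-usage bag attribute, which OpenSSL does not set unless asked (OpenSSL 3.x has -jdktrust for that), so `keytool -list` on a certificates-only .pfx reporting 0 entries does not mean the file is empty; and .pfx files encrypted with the old RC2-40 scheme need `-legacy` (with the legacy provider loaded) on OpenSSL 3.x before `openssl pkcs12` will open them.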