I have a p7b cert and I import it into IIS and export it into 3 .cer files as below.
- root.cer
- intermediate.cer
- servercertificate.cer
Then I use the following commands to insert all 3 .cer files into my keystore successfully.
keytool -import -alias root -keystore test.keystore -trustcacerts -file root.cer
Then I run my WildFly and get the error "keystore does not contain any key", but when I list out the keystore, it has all 3 keys inside. I'm not sure why it doesn't work and hope someone can enlighten me on this.
Best Answer
A Java keystore can contain (at least) two different kinds of entries:
- a 'trustedCertEntry' entry that contains a certificate
- a 'privateKeyEntry' that contains a privatekey AND certificate chain
You created the first kind by importing lone certificates; look at the display from `keytool -list` and these entries will be labelled `trustedCertEntry`. An SSL/TLS server requires a privatekey AND certificate chain, in a `privateKeyEntry`.
I don't know IIS, but if you mean you generated the key and CSR in IIS, IIS normally uses the Windows keystore for some system account; I don't recall which but it should be obvious in the config somewhere. You need to run MMC+CertMgr for that account, locate the correct entry (which has a yellow key on the left side of the cert icon), and export it with 'Yes export the private key' in format 'PKCS#12 (PFX)' 'include ... path' to a file. In many cases Java/JCE can use a PKCS12 file directly as a keystore (instead of JKS) but if you need or prefer to convert to JKS use `keytool -importkeystore` (not `-importcert`).
See also near-dupe JBoss Https configuration with CER/P7b certificate fails
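The entry-type distinction in the answer above can be checked before the server is started. The following shell script is an added example, not part of the original thread: it reads `keytool -list` output (short or `-v` format, English locale assumed) and fails when no PrivateKeyEntry is present. The function names, aliases and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): classify keystore entries from
# English-locale `keytool -list` output on stdin. Sample listings are constructed.

# Print "alias<TAB>type" per entry; accepts the short and the -v listing formats.
list_entry_types() {
  awk '
    { sub(/\r$/, "") }                                   # tolerate CRLF output
    /^Alias name: / { alias = substr($0, 13); next }     # -v format
    /^Entry type: / { print alias "\t" substr($0, 13); next }
    tolower($0) ~ /(privatekey|trustedcert|secretkey)entry,[ \t]*$/ {
      line = $0; sub(/,[ \t]*$/, "", line)               # short format
      n = split(line, f, ", ")
      print f[1] "\t" f[n]
    }'
}

# Exit 0 only if some entry holds a private key plus chain (usable by a TLS server).
has_private_key_entry() {
  list_entry_types |
    awk -F '\t' 'tolower($2) == "privatekeyentry" { found = 1 } END { exit !found }'
}

# Constructed listing: three imported certificates, as in the question.
SAMPLE_CERTS_ONLY='Your keystore contains 3 entries

root, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
intermediate, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
servercertificate, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# Constructed -v listing: a keystore converted from a PKCS#12 export.
SAMPLE_WITH_KEY='Alias name: server
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 3'

for sample in "$SAMPLE_CERTS_ONLY" "$SAMPLE_WITH_KEY"; do
  printf '%s\n' "$sample" | list_entry_types
  if printf '%s\n' "$sample" | has_private_key_entry; then
    echo "=> OK: keystore has a PrivateKeyEntry"
  else
    echo "=> FAIL: certificates only, no private key for the server to use"
  fi
done
```

Against a real keystore, pipe the listing in: `keytool -list -keystore test.keystore | has_private_key_entry`.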