On 1/22/21 3:06 PM, Christopher Schultz wrote:

> You are telling keytool to read-in localhost-rsa-key.pem as a PKCS12 file, which is most likely wrong. You don't want to import a keystore, you want to import a key. Unfortunately, keytool doesn't allow that. But openssl does:
>
> $ openssl pkcs12 -export -in localhost-rsa.crt -inkey localhost-rsa-key.pem -certfile CA-intermediate.crt -out localhost.p12 -chain
>
> Now you can import that keystore into your cacerts file:
>
> $ keytool -importkeystore -srckeystore localhost.p12 \
>      -srcstoretype pkcs12 -destkeystore /tmp/key/cacerts.pkcs12 \
>      -deststoretype pkcs12 -srcalias tomcat -destalias tomcat

I presumed I was messing something up.
> PEM files aren't keystores, so keytool can do almost nothing with them. You can import a PEM certificate, but not its key (directly).

> Why are you copying everything from the JVM's cacerts file into your keystore? Maybe I'm confused about what you are trying to do.

First for practice/sandbox.  Then if it worked I could do the same to actual cacerts and have the JVM find it without further ado.

I will take the remainder of your message under strong advisement.
Thank you, very very much.
 (I'm not sure, but I think I can get away with a self-signed cert.)
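The PEM-to-PKCS12-to-keytool procedure from the quoted reply, as an added example that is not part of this thread and not Christopher's script. It generates a throwaway root, intermediate and localhost certificate so it runs offline (all constructed, not anyone's real CA), bundles key, leaf and chain into a PKCS12 with openssl, checks that the bundle holds the expected certificates and that the key really belongs to the leaf, and then imports the bundle into a PKCS12 "cacerts"-style store if keytool is on the PATH. It supplies the chain explicitly through -certfile rather than -chain, because -chain makes openssl verify the leaf against a trust store, which a private CA is not in by default. File names, the alias "tomcat" and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): key + cert + chain -> PKCS12 -> keytool.
# Everything under $WORK is generated here and is throwaway.
set -e

WORK="${TMPDIR:-/tmp}/p12-demo.$$"

# Build a constructed chain: root CA -> intermediate CA -> localhost leaf.
make_chain() {
    mkdir -p "$WORK" && cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -days 2 -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout CA-intermediate.key \
        -out inter.csr -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -out CA-intermediate.crt -days 2 -extfile ca.ext >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout localhost-rsa-key.pem \
        -out localhost.csr -subj "/CN=localhost" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\n' > leaf.ext
    openssl x509 -req -in localhost.csr -CA CA-intermediate.crt \
        -CAkey CA-intermediate.key -CAcreateserial -out localhost-rsa.crt \
        -days 2 -extfile leaf.ext >/dev/null 2>&1
    # The chain file carries every issuer the peer may need: intermediate, then root.
    cat CA-intermediate.crt root.crt > chain.pem
}

# Bundle the private key, the leaf and the chain into one PKCS12 under the
# friendly name "tomcat" (this becomes the keytool alias). Assumed password.
build_p12() {
    cd "$WORK"
    openssl pkcs12 -export -in localhost-rsa.crt -inkey localhost-rsa-key.pem \
        -certfile chain.pem -name tomcat -passout pass:changeit -out localhost.p12
}

# Number of certificates stored in the bundle: leaf + intermediate + root = 3.
count_p12_certs() {
    openssl pkcs12 -in "$WORK/localhost.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# The check that the original poster's keytool attempt skipped: does the PEM key
# actually belong to the leaf certificate? Compare SubjectPublicKeyInfo hashes.
key_matches_cert() {
    cd "$WORK"
    k=$(openssl pkey -in localhost-rsa-key.pem -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in localhost-rsa.crt -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Import the bundle into a PKCS12 truststore the way the quoted keytool command
# does; skipped (successfully) when no JDK is installed.
import_with_keytool() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping import"; return 0; }
    cd "$WORK"
    keytool -importkeystore -srckeystore localhost.p12 -srcstoretype pkcs12 \
        -srcstorepass changeit -destkeystore cacerts.pkcs12 -deststoretype pkcs12 \
        -deststorepass changeit -srcalias tomcat -destalias tomcat -noprompt
    # Prove the alias landed in the destination store.
    keytool -list -keystore cacerts.pkcs12 -storepass changeit -alias tomcat
}

make_chain
build_p12
echo "certificates in localhost.p12: $(count_p12_certs)"
key_matches_cert && echo "private key matches the leaf certificate"
import_with_keytool
```

If count_p12_certs reports fewer than three entries, the chain file was incomplete and the resulting keystore would serve a chain that clients cannot build; if key_matches_cert fails, the PEM key belongs to a different certificate and the import would succeed while the TLS handshake later fails.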
