• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

Mister PKI

SSL Certificates * SSL Tools * Certificate Decoder

  • Buy SSL Certificates
  • Blog
  • OpenSSL
  • Keytool
  • SSL Tools
  • Donate

Keytool import certificate – keytool importcert

March 23, 2022 by Mister PKI Leave a Comment

What is Java keytool?

The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use the java keytool to import a certificate into a keystore. In many respects, the java keytool is a competing utility with openssl for keystore, key, and certificate management. This article will demonstrate using keytool to import a cert into a keystore.

Use cases to import a certificate into a keystore.

You may want to import certificates into a keystore for three reasons:

  1. If you are using the keystore as a trust store, to add the first or an additional cert for your application to trust.
  2. To add a certificate response as a result of a Certificate Signing Request (CSR) signed by a third party Certification Authority (CA). See how to create a CSR. If you are in the market of buying a certificate, you can start here.
  3. You have changed web servers and the old configuration required a separate file for the private key and certificate. The new configuration requires you to use keytool to import into a PKCS12 (p12 or pfx) keystore.

What keytool command do I use to import a certificate into a keystore?

Use this command to import a certificate into a keystore using the java keytool. The result will be an updated keystore with an entry containing the imported certificate with the provided alias. Note that if the -file option is not provided, the certificate will be imported from stdin.

keytool -importcert \
 -noprompt \
 -alias example-import \
 -file example.crt \
 -keystore example.p12 \
 -storepass changeit \
 -storetype PKCS12 \
 -v

Note that this is the java keytool importcert command. For more ways of importing certificates (crt) and keys into a keystore, read our post containing an example of the java keytool import command. Adding the -storepass flag to the keytool importcert command will avoid the prompt.

You can use keytool to import multiple certificates by running this command for each one, making sure to provide a different and descriptive alias for each certificate entered.

To import certificate to cacerts, first find the path to the cacerts keystore in your installed JRE (Java Runtime Environment) and either copy it or navigate to the directory containing the cacerts keystore. Then run the above command to import a certificate, substituting the example.p12 name with cacerts: -keystore cacerts and changing the -storetype to JKS. That will import certificate into java keystore cacerts. This example has demonstrated how to use java to install a certificate in cacerts.

Java keytool options for -importcert:

-noprompt – Do not prompt.

-alias – The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.

-file – The file containing the X.509 certificate being imported.

-keystore – The filename of the keystore.

-storepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.

-v – Verbose output.

keytool import certificate
Java keytool import certificate

If you encounter Error: “java.lang.exception: Certificate reply does not contain public key for” it is likely you have either specified the wrong alias or the wrong keystore when importing the new cert to the existing private key entry.

Conclusion – Java Keytool import certificate

Hopefully this article has helped demonstrate how to use the Java Keytool to import a certificate into a keystore. If you would like to see additional examples of the keytool importcert command let us know in the comments. Head over to our Keytool page for more examples on other java keytool commands.

Read another post for detailed instructions on how to import a keystore into another keystore.

Read all of our blog content.

keytool,  SSL Certificates

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Popular Posts

PKCS12

openssl s_client

Keytool

Keytool list

ECDSA vs RSA

OpenSSL

PKCS7

Certificate Decoder

Buy SSL Certificates

The SSL Store

Comodo Store

Sectigo Store

RapidSSL

Recent Posts

  • Convert PEM to other formats
  • netsh http show sslcert
  • openssl pkcs12 legacy
  • SSH: No matching host key type found
  • pkcs12

Footer

  • Twitter
  • YouTube

Pages

  • About Mister PKI
  • Blog
  • Compare and Buy Affordable PKI Certificates
  • Contact Us
  • Full Disclosure
  • Privacy Policy
  • SSL Tools – Certificate Decoder and Certificate Checker

Copyright © 2023