Developer Documentation

How do you Import a P12 (i.e.: PKCS12) Certificate Chain into a BridgeGate Java KeyStore (JKS)

*******************************************

Importing a P12 (i.e.: PKCS12) Certificate Chain into a BridgeGate Java KeyStore (JKS)

*******************************************

Keytool path:   C:\bridgegate\java\bin\keytool.exe

Openssl path:   C:\bridgegate\utils\openssl\openssl.exe

P12 Certificate Chain:  C:\data\cert\Bridgegate_HUBCertificates.p12

BG Staging JKS KeyStore:        C:\data\cert\bridgegate.jks

 

*** Note:  The Alias used in the JKS does not need to match the Common Name (CN) of the Client System Key.  The more important thing is that the BridgeGate Java KeyStore (JKS) does not contain duplicate aliases.  ***

 

1) List and verify P12 Certificate Chain contents:

c:\bridgegate\java\bin>keytool -v -list -storetype pkcs12 -keystore C:\data\cert\Bridgegate_HUBCertificates.p12

Enter keystore password:

 

*****************  WARNING WARNING WARNING  *****************

* The integrity of the information stored in your keystore  *

* has NOT been verified!  In order to verify its integrity, *

* you must provide your keystore password.                  *

*****************  WARNING WARNING WARNING  *****************

Keystore type: PKCS12

Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: Bridgegate_HUB

Creation date: Jul 11, 2014

Entry type: SecretKeyEntry

 

2) If the P12 Certificate Chain file is not password locked, you will need to recreate it with a password:

*** Export your current certificate to a password-less PEM file.  Note:  Leave the 'Import Password' prompt empty in this step.  The -nodes option leaves the private key in this PEM unencrypted, so do not keep export.tmp.pem once the locked P12 has been created.  ***

c:\bridgegate\utils\openssl>openssl pkcs12 -in C:\data\cert\Bridgegate_HUBCertificates.p12 -out C:\data\cert\export.tmp.pem -nodes

Enter Import Password:

MAC verified OK

*** Convert the password-less PEM to a new PFX file with a password:  ***

C:\bridgegate\utils\openssl>openssl pkcs12 -export -in C:\data\cert\export.tmp.pem -out C:\data\cert\Bridgegate_HUBCertificates.locked.p12 -name "Bridgegate_HUB"

Loading 'screen' into random state - done

Enter Export Password:

Verifying - Enter Export Password:

 

3) Confirm the alias name in the new password-locked P12 Certificate Chain.  Step 2 creates the alias from the -name argument; if that argument is left out, the alias will be "1".

*** Confirm the chain length is 3 and that the Owner/Issuer of each certificate are in the proper order (each certificate's Issuer is the Owner of the next one, ending at the self-signed root).  ***

c:\bridgegate\java\bin>keytool -v -list -storetype pkcs12 -keystore C:\data\cert\Bridgegate_HUBCertificates.locked.p12

Enter keystore password: ******

Keystore type: PKCS12

Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: bridgegate_hub

Creation date: Jul 14, 2014

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=Bridgegate_HUB ClientSystem, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

.

Certificate[2]:

Owner: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

.

Certificate[3]:

Owner: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US

 

4) Import the P12 Certificate Chain into your BridgeGate Java KeyStore (JKS).

*** Note: You can alter the Alias name with the -srcalias and -destalias arguments. ***

c:\bridgegate\java\bin>keytool -importkeystore -destkeystore C:\data\cert\bridgegate.jks -srckeystore C:\data\cert\Bridgegate_HUBCertificates.locked.p12 -srcstoretype PKCS12

Enter destination keystore password:

Enter source keystore password:

Entry for alias Bridgegate_HUB successfully imported.

Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

 

5) Verify the JKS contains the new Certificate under the correct Alias.

*** WARNING: This password field is displayed on screen as clear text!  ***

c:\bridgegate\java\bin>keytool -v -list -storetype jks -keystore C:\data\cert\bridgegate.jks > c:\data\cert\out.txt

Enter keystore password:  *********
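As an added example (not part of this document or of BridgeGate), a short Python check for the listing produced in step 3 or the out.txt written in step 5: it verifies the chain length, that each certificate's Issuer matches the next certificate's Owner, that the chain ends at a self-signed root, and that no alias is duplicated (the note at the top of this page). The sample listing below is constructed from the step 3 output; the keytool output format is the only assumption.

```python
# Constructed sample in the shape of the "keytool -v -list" output shown in step 3
# (the same format step 5 redirects into out.txt); not captured from a real keystore.
SAMPLE_LISTING = """\
Alias name: bridgegate_hub
Certificate chain length: 3
Certificate[1]:
Owner: CN=Bridgegate_HUB ClientSystem, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Certificate[2]:
Owner: CN=uat CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Certificate[3]:
Owner: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
Issuer: CN=ICA Root CA, OU=IT, O=ICA, L=Nashville, ST=TN, C=US
"""

def parse_listing(text):
    """Return [(alias, [(owner, issuer), ...]), ...] in listing order; duplicate aliases are kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):  # keytool stores aliases lower-cased
            entries.append((line.split(":", 1)[1].strip().lower(), []))
        elif entries and line.startswith("Owner:"):
            entries[-1][1].append([line.split(":", 1)[1].strip(), None])
        elif entries and line.startswith("Issuer:") and entries[-1][1]:
            entries[-1][1][-1][1] = line.split(":", 1)[1].strip()
    return [(alias, [tuple(c) for c in chain]) for alias, chain in entries]

def check_chain(chain, expected_length=3):
    """Step-3 checks: chain length, each issuer names the next owner, root is self-signed."""
    problems = []
    if len(chain) != expected_length:
        problems.append(f"chain length {len(chain)}, expected {expected_length}")
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"Certificate[{i + 1}] issuer != Certificate[{i + 2}] owner")
    if chain and chain[-1][0] != chain[-1][1]:
        problems.append("last certificate is not self-signed")
    return problems

def check_listing(text, expected_length=3):
    """Alias -> problems for a whole listing; also flags duplicate aliases (see the note above)."""
    entries = parse_listing(text)
    problems = {a: p for a, ch in entries for p in [check_chain(ch, expected_length)] if p}
    names = [alias for alias, _ in entries]
    for alias in sorted({n for n in names if names.count(n) > 1}):
        problems.setdefault(alias, []).append("duplicate alias")
    return problems
```

To run it against the step 5 file, call check_listing(open(r"c:\data\cert\out.txt").read()); an empty dictionary means every entry passed.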