PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
"keytool -importcert" - Certificate-Only Bundle
This section provides a tutorial example on how to create a PKCS12 bundle file that stores a certificate only, without any private/public key pair, using the 'keytool -importcert' command.
The "keytool" command from the JDK also allows you to create a PKCS12 bundle file that contains a certificate only, without any private/public key pair:
1. Create a new PKCS12 bundle file with my certificate only.
herong$ keytool -importcert -file hy-cert.pem -alias hy-cert \
  -keystore cert-only.p12 -storetype pkcs12 -storepass TopSecret
Owner: CN=Herong Yang, C=ZZ
Issuer: CN=ZZ Root CA, C=ZZ
Serial number: 1001
Valid from: Sun Nov 24 08:34:04 EST 2024 until: Mon Nov 24 08:34:04 EST 2025
Certificate fingerprints:
     SHA1: 70:11:FD:05:83:2D:F2:A0:17:02:77:13:A9:2B:86:D4:0E:F6:7A:C9
     SHA256: C4:85:30:D1:65:F1:BD:23:A9:3C:49:88:ED:33:5B:00:27:FB:...
Signature algorithm name: SHA1withECDSA (weak)
Subject Public Key Algorithm: 384-bit EC key
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore
2. List items in the PKCS12 bundle using "keytool".
herong$ keytool -list -keystore cert-only.p12 -storepass TopSecret
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

hy-cert, Nov 24, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): C4:85:30:D1:65:F1:BD:23:A9:3C:...
3. Print out information from the PKCS12 bundle using "openssl". Too bad. "openssl" expects the bundle to contain a key pair.
herong$ openssl pkcs12 -info -noout \
  -in cert-only.p12 -passin pass:TopSecret
MAC Iteration 100000
MAC verified OK
PKCS7 Encrypted data:
Error outputting keys and certificates
Note that you can repeat "keytool -importcert" to build a PKCS12 bundle that holds multiple certificates and no private key at all.
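As an added example (not from the original tutorial), the script below builds the same kind of certificate-only PKCS12 bundle in Python and then inspects a bundle to report whether it carries a private key, which is the check you want before handing such a file to a tool that expects a key pair. It assumes the "cryptography" package is installed; the certificate, subject name and alias are constructed for the demo.

```python
# Added example: certificate-only PKCS12 bundle, built and inspected with the
# "cryptography" package (assumed installed). All names below are constructed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"TopSecret"  # same store password as the tutorial uses


def make_self_signed_cert() -> x509.Certificate:
    """Constructed self-signed cert with a 384-bit EC key, like the tutorial's."""
    key = ec.generate_private_key(ec.SECP384R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "cert-only demo"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "ZZ"),
    ])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(1001)
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())  # SHA-256 rather than the weak SHA-1 above
    )


def build_cert_only_p12(cert: x509.Certificate) -> bytes:
    """Certificate-only bundle: no key entry, the cert is stored as a trusted cert."""
    return pkcs12.serialize_key_and_certificates(
        name=b"hy-cert", key=None, cert=None, cas=[cert],
        encryption_algorithm=serialization.BestAvailableEncryption(PASSWORD),
    )


def inspect_p12(data: bytes, password: bytes) -> dict:
    """Report what a PKCS12 bundle holds before a key-expecting tool chokes on it."""
    key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    certs = ([cert] if cert is not None else []) + list(extra or [])
    return {
        "has_private_key": key is not None,
        "subjects": [c.subject.rfc4514_string() for c in certs],
    }


if __name__ == "__main__":
    print(inspect_p12(build_cert_only_p12(make_self_signed_cert()), PASSWORD))
```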