PKI Tutorials - Herong's Tutorial Examples - Version 2.10, by Dr. Herong Yang
Importing Certificate Reply Back to KeyStore
This section provides a tutorial example on how to import a certificate reply signed by a CA back into a KeyStore, where the private key is stored.
When Amy receives the certificate from me, she should import her certificate into her KeyStore to keep it together with her private-public key pair:
Amy lists what's in her KeyStore file:
C:\amy>\local\jdk\bin\keytool -list -keystore amy.jks -storepass AmyJKS
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
amy@xyz.com, Mar, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 78:D6:7B:3D:56:E6:50:C2:A8:4D:6F:8F...
Amy tries to import her certificate back to the PrivateKeyEntry:
C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks -storepass AmyJKS -file amy_xyz_com.crt -alias amy@xyz.com
keytool error: java.lang.Exception: Failed to establish chain from reply
Unfortunately, keytool wants to verify Amy's certificate against the root and intermediate CA certificates before it accepts the reply, and neither is in her KeyStore yet. So Amy should import my certificate and the CAcert.org certificate into the KeyStore first:
C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks -storepass AmyJKS -file herongyang_com.crt -alias herongyang.com
Owner: CN=herongyang.com
Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Serial number: 9dc82
...
Trust this certificate? [no]: Yes
Certificate was added to keystore

C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks -storepass AmyJKS -file CACertSigningAuthority.crt -alias CACertSigningAuthority
Owner: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA
Serial number: 0
...
Trust this certificate? [no]: Yes
Certificate was added to keystore
Amy tries again to import her certificate back to the PrivateKeyEntry:
C:\amy>\local\jdk\bin\keytool -import -keystore amy.jks -storepass AmyJKS -file amy_xyz_com.crt -alias amy@xyz.com
Certificate reply was installed in keystore

C:\amy>\local\jdk\bin\keytool -list -keystore amy.jks -storepass AmyJKS
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
amy@xyz.com, Mar, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:5D:79:5A:47:76:C7:1A:53:3C:30:90...
herongyang.com, Mar, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 8C:DC:62:CE:D6:F0:54:A9:6E:A2:0B:F2...
cacertsigningauthority, Mar, 2011, trustedCertEntry,
Certificate fingerprint (MD5): A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20...
Notice that Amy's PrivateKeyEntry has been updated with Amy's certificate.
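The chain check behind the "Failed to establish chain from reply" error, as an added example that is not part of the original tutorial: a simplified Python model that links certificates by Owner/Issuer name only, whereas real keytool also verifies each signature. Amy's subject DN and the issuer of her certificate are assumptions; the two CA DNs are taken from the keytool output above.

```python
from __future__ import annotations
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    subject: str   # "Owner" in keytool output
    issuer: str    # "Issuer" in keytool output

ROOT_DN = ("EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, "
           "OU=http://www.cacert.org, O=Root CA")

ROOT = Cert(ROOT_DN, ROOT_DN)                      # self-signed: Owner == Issuer
INTERMEDIATE = Cert("CN=herongyang.com", ROOT_DN)  # issued by the CAcert.org root
# Constructed: Amy's subject DN is not shown on the page; the issuer is assumed
# to be the herongyang.com certificate that signed her CSR.
REPLY = Cert("CN=Amy (constructed)", "CN=herongyang.com")

def establish_chain(reply: Cert, trusted: dict[str, Cert]) -> Optional[list[Cert]]:
    """Return [reply, ..., self-signed root], or None if no chain can be built.

    `trusted` maps KeyStore aliases to trustedCertEntry certificates.
    """
    by_subject = {c.subject: c for c in trusted.values()}
    chain, seen = [reply], {reply.subject}
    current = reply
    while current.subject != current.issuer:       # stop at a self-signed cert
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            return None                            # missing issuer or signing loop
        chain.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return chain

if __name__ == "__main__":
    stages = {
        "empty KeyStore": {},
        "intermediate only": {"herongyang.com": INTERMEDIATE},
        "intermediate + root": {"herongyang.com": INTERMEDIATE,
                                "cacertsigningauthority": ROOT},
    }
    for label, trusted in stages.items():
        chain = establish_chain(REPLY, trusted)
        if chain is None:
            print(f"{label}: Failed to establish chain from reply")
        else:
            print(f"{label}: reply installed, chain length {len(chain)}")
```

The "intermediate only" stage shows that importing herongyang.com alone would still fail: the chain has to end at a self-signed certificate that is already in the KeyStore.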
Last update: 2011.