Import the CA Certificate into your Keystore

This procedure uses the Java keytool utility to import a CA-signed certificate into an existing keystore.

Before you begin

  • You need a certificate for your server signed by a Certificate Authority.
  • You need the trusted root CA certificate for the Certificate Authority.
  • You need to know the keystore name, password, and alias you used when you created the keystore.

To import the CA certificate and the CA-signed server certificate into your Java keystore

  1. Use the -importcert option to add the root CA certificate (CAcert.cer in this example) to the Java keystore that you generated when you created your private key (newkeystore.jks in this example). Use a new alias (cacert in this example); if the alias does not point to a key entry, keytool assumes you are adding a trusted certificate entry. For example:

    keytool -importcert -alias cacert -file CAcert.cer -keystore newkeystore.jks

    Note: Some CAs issue an intermediate certificate along with the main certificate. If your CA does this, import each of these certificates into your keystore under its own unique alias.

  2. Use the -importcert option to add the server certificate you received from the CA (certnew.cer in this example) to your keystore. Use the alias you provided when you generated the keys; if the alias points to a key entry, keytool assumes you are importing a certificate reply. For example:

    keytool -importcert -alias webedition -file certnew.cer -keystore newkeystore.jks
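
After step 2, it is worth confirming that keytool attached the CA reply to the private key rather than storing it as a separate trusted certificate entry, which is what happens when the alias does not match the key entry. The shell check below is an added example, not part of the original procedure; it parses `keytool -list -v` output for one alias, assumes keytool's English output labels, and includes constructed sample listings with placeholder names.

```shell
#!/bin/sh
# Added example: post-import check for the procedure above.
# Usage against the real keystore (prompts for the keystore password):
#   keytool -list -v -alias webedition -keystore newkeystore.jks | check_cert_reply
# Assumption: keytool prints its English labels ("Entry type:", "Owner:", ...).
check_cert_reply() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { len = $4 }
        /^Certificate\[1\]:/         { leaf = 1; next }
        /^Certificate\[/             { leaf = 0 }
        leaf && /^Owner:/            { owner = substr($0, 8) }
        leaf && /^Issuer:/           { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry") {
                print "FAIL: entry type \"" type "\" is not a key entry"; exit 1 }
            if (owner == issuer) {
                print "FAIL: leaf certificate is still self-signed"; exit 1 }
            if (len + 0 < 2) {
                print "FAIL: chain length " (len + 0) ", CA certificate not chained"; exit 1 }
            print "OK: key entry, chain length " len ", issued by " issuer
        }'
}

# Constructed sample: step 2 succeeded, reply is chained to the imported CA.
sample_reply_installed() {
    cat <<'EOF'
Alias name: webedition
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server.example.test
Issuer: CN=Example Test CA
Certificate[2]:
Owner: CN=Example Test CA
Issuer: CN=Example Test CA
EOF
}

# Constructed sample: reply imported under a new alias, so it is only a trusted entry.
sample_wrong_alias() {
    cat <<'EOF'
Alias name: webedition2
Entry type: trustedCertEntry
Owner: CN=server.example.test
Issuer: CN=Example Test CA
EOF
}
```

A FAIL result on the server alias means the server would still present its original self-signed certificate, so repeat step 2 with the alias used when the keys were generated.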