I generated a CA and a cert with cfssl, but I am not able to import the cert into the Java keystore with keytool.
Is the generated cert incompatible with keycert / the Java X.509 implementation? Or am I doing something wrong?
Generate the CA
# generate my-ca{,-key}.pem
cfssl print-defaults csr \
| cfssl gencert -initca - \
| cfssljson -bare my-ca
# import ca
keytool -importcert -alias my-ca -file my-ca.pem -storepass changeit -noprompt
Note: keytool -importcert works fine in this case
Generate the cert
cat cfssl.json
#{
#  "signing": {
#    "default": {
#      "expiry": "87600h",
#      "usages": ["signing", "key encipherment", "server auth", "client auth"]
#    }
#  }
#}
# generate cert
echo {} \
| cfssl gencert -ca=my-ca.pem -ca-key=my-ca-key.pem -config=cfssl.json -hostname=my-host - \
| cfssljson -bare my-host
# import cert
keytool -importcert -file my-host.pem -alias my-host -storepass changeit -noprompt
But now, it responds with:
keytool error: java.lang.Exception: Input not an X.509 certificate
This confuses me. OpenSSL seems happy with the cert:
openssl x509 -text -in my-host.pem
# output seems OK, ecdsa-with-SHA256, see gist
openssl x509 -in my-host.pem \
| diff my-host.pem -
# no diff between re-generated x509 -text output
More observations: curl and web browsers are fine taking the cert. Only Java applications complain.
Info:
cfssl version
#Version: 1.2.0
#Revision: dev
#Runtime: go1.8.1
java --version
#openjdk 14.0.2 2020-07-14
#OpenJDK Runtime Environment (build 14.0.2+12-Ubuntu-120.04)
#OpenJDK 64-Bit Server VM (build 14.0.2+12-Ubuntu-120.04, mixed mode, sharing)
keytool -showinfo -tls
# see gist for full output
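A pre-flight check for the file being handed to keytool, added here as an example and not part of the question or of cfssl/keytool: it lists every PEM block in the file (a CERTIFICATE REQUEST or PRIVATE KEY block would explain "Input not an X.509 certificate" immediately), confirms each CERTIFICATE block is a complete DER SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } with no trailing bytes, and names the signature algorithm OID (ecdsa-with-SHA256 = 1.2.840.10045.4.3.2 for the default cfssl key). It uses only the Python standard library, so it runs where openssl is not installed. The sample "certificate" it builds is a constructed DER skeleton for demonstration, not a real certificate, and `SIGNATURE_OIDS` is a small hand-picked table.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Hand-picked subset of signature algorithm OIDs (extend as needed).
SIGNATURE_OIDS = {
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        out.append((m.group(1), base64.b64decode(body, validate=True)))
    return out


def der_tlv(buf, off=0):
    """Decode one DER tag-length-value at buf[off]; return (tag, value, next_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: 0x80|N, then N length bytes
        n = first & 0x7F
        if n == 0 or off + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[start:end], end


def decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER contents into dotted-decimal text."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                     # base-128, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def inspect_certificate(der):
    """Check the outer X.509 Certificate layout and name its signature algorithm."""
    tag, body, end = der_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after certificate")
    t_tbs, tbs, off = der_tlv(body)          # tbsCertificate  (SEQUENCE)
    t_alg, alg, off = der_tlv(body, off)     # signatureAlgorithm (SEQUENCE)
    t_sig, sig, off = der_tlv(body, off)     # signatureValue (BIT STRING)
    if (t_tbs, t_alg, t_sig) != (0x30, 0x30, 0x03) or off != len(body):
        raise ValueError("unexpected Certificate layout")
    _, oid_raw, _ = der_tlv(alg)             # AlgorithmIdentifier.algorithm
    oid = decode_oid(oid_raw)
    return {"signature_algorithm": SIGNATURE_OIDS.get(oid, oid),
            "tbs_bytes": len(tbs), "signature_bytes": len(sig) - 1}


def preflight(pem_text):
    """Summarise what keytool -importcert would be asked to parse."""
    report = {"certificates": [], "other_blocks": [], "problems": []}
    blocks = pem_blocks(pem_text)
    if not blocks:
        report["problems"].append("no PEM block found")
    for label, der in blocks:
        if label != "CERTIFICATE":
            report["other_blocks"].append(label)
            report["problems"].append(f"{label} block is not an X.509 certificate")
            continue
        try:
            report["certificates"].append(inspect_certificate(der))
        except ValueError as exc:
            report["problems"].append(f"malformed certificate: {exc}")
    return report


def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in a PEM envelope."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


def constructed_sample_der():
    """Constructed DER skeleton (NOT a real certificate) with an ecdsa-with-SHA256 OID."""
    tbs = bytes.fromhex("3003020102")                # SEQUENCE { INTEGER 2 } placeholder
    alg = bytes.fromhex("300a06082a8648ce3d040302")  # SEQUENCE { OID 1.2.840.10045.4.3.2 }
    sig = bytes.fromhex("030300aabb")                # BIT STRING, 0 unused bits, 2 bytes
    inner = tbs + alg + sig
    return bytes([0x30, len(inner)]) + inner


if __name__ == "__main__":
    print(preflight(to_pem(constructed_sample_der())))
```

Run it against my-host.pem with `preflight(open("my-host.pem").read())`: a report whose `other_blocks` is non-empty, or whose `problems` mentions trailing or truncated bytes, points at the file rather than at Java's X.509 parser.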