Introduction
I can't believe people struggle so much with this, and that there isn't a free tool to convert certificates from a Microsoft CA (pfx to jks), with steps for building the associated certificate chain.
Get the cert
Pull the certificate from the Microsoft CA, then export it from your browser.
- On the MS CA web enrollment pages, follow the 'View the status of a pending certificate request' link, pick the issued certificate and install it in IE.
- Export in pfx format from IE. IE -> Tools -> Internet Options -> Content -> Certificates
- Select the certificate and Export
- 'Yes, export the private key' and select PKCS #12. Select all check boxes, except leave 'Delete the private key if the export is successful' unticked unless you really want the key removed from the Windows store. 'Include all certificates in the certification path if possible' is the one that matters: it is what gives the jks key entry its full chain. The pfx contains the private key, so give it a strong password and delete the file once the jks is built.
Import the chain
- Download the CA certificate chain (a .p7b file) from the Microsoft CA
- Open the chain and export each certificate in it individually in DER format
Do the techie stuff
--Convert the pfx to jks using Jetty
java -classpath %JETTY_HOME%/jetty-6.1.1/lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import www.mysecuredomain.com.pfx www.mysecuredomain.com.jks
--Verify the key is there
keytool -list -keystore www.mysecuredomain.com.jks
--change the default alias (the one shown by the list above) to something more readable
keytool -storepass changeit -keystore www.mysecuredomain.com.jks -changealias -alias longunreadablealphanumericstring -destalias www.mysecuredomain.com
--convert the cer/der to pem
openssl x509 -inform der -in MyCompanyPrimaryRootCA.cer -out MyCompanyPrimaryRootCA.pem
openssl x509 -inform der -in MyCompanyServerAuthenticationPolicyCA.cer -out MyCompanyServerAuthenticationPolicyCA.pem
openssl x509 -inform der -in MyCompanyServerAuthenticationEnterpriseCA.cer -out MyCompanyServerAuthenticationEnterpriseCA.pem
--import the root cert and every other certificate in the chain. A certificate imported under an alias that has no private key becomes a trustedCertEntry; -trustcacerts additionally lets keytool use the JRE's cacerts file when checking the chain, and -noprompt suppresses the 'Trust this certificate?' question, so check the root's fingerprint first (keytool -printcert -file MyCompanyPrimaryRootCA.pem) against what the CA publishes rather than trusting it blindly.
keytool -storepass changeit -keystore www.mysecuredomain.com.jks -import -v -noprompt -trustcacerts -alias MyCompanyPrimaryRootCA -file MyCompanyPrimaryRootCA.pem
keytool -storepass changeit -keystore www.mysecuredomain.com.jks -import -v -noprompt -trustcacerts -alias MyCompanyServerAuthenticationPolicyCA -file MyCompanyServerAuthenticationPolicyCA.pem
keytool -storepass changeit -keystore www.mysecuredomain.com.jks -import -v -noprompt -trustcacerts -alias MyCompanyServerAuthenticationEnterpriseCA -file MyCompanyServerAuthenticationEnterpriseCA.pem
--Check the chain length of the key entry (the server certificate plus the three CAs gives 4; a 1 here means the pfx was exported without its chain)
keytool -v -list -keystore www.mysecuredomain.com.jks | grep chain
Enter keystore password: changeit
Certificate chain length: 4
--Check the certificates for the chain are all present
keytool -list -keystore www.mysecuredomain.com.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
mycompanyserverauthenticationenterpriseca, DateStamp, trustedCertEntry,
Certificate fingerprint (MD5): MD5String
mycompanyprimaryrootca, DateStamp, trustedCertEntry,
Certificate fingerprint (MD5): MD5String
mycompanyserverauthenticationpolicyca, DateStamp, trustedCertEntry,
Certificate fingerprint (MD5): MD5String
www.mysecuredomain.com, DateStamp, PrivateKeyEntry,
Certificate fingerprint (MD5): MD5String
Importing the root CA
Import the Root CA into the browser: only the root needs to be in the browser's trust store (Trusted Root Certification Authorities), because the server sends the intermediates from the jks key entry's chain.
- Firefox :: Certificate Manager -> Authorities -> Import...
- IE :: Certificates -> Trusted Root Certification Authorities -> Import...
- Chrome :: Certificates -> Trusted Root Certification Authorities -> Import... (Chrome on Windows uses the Windows certificate store, so this is the same dialog as IE)
Happy days.