Generating a Java Keystore using SSL certificate, Private Key and Intermediate Certificate for HTTPS

Working with certificates can be a little confusing at times. This article aims to help give a brief understanding about the steps in creating a java keystore with the private key and a certificate signed by a certificate authority.

The article also discusses about how this changes when working with intermediate certificates and root certificates.

Step 1: Generate Private Key and Certificate Signing Request (CSR)

The openssl command can be used to generate a Private Key and Certificate Signing Request (CSR). A simple google search can reveal many articles on how to generate a Private Key and CSR using openssl based on the requirement, and more information can be gathered from the openssl documentation.

Step 2: Send the CSR to a Certificate Authority (CA) and obtain a Certificate

The generated CSR can be sent to a certificate authority such as DigiCert, VeriSign etc. and they will provide you with a certificate either in a .cer or .crt format.

Step 3: Generate the JKS using the Private Key and the Certificate from the CA

First we need to bundle the Private Key and the Obtained Certificate to form a pkcs12 archive. The following command can be used for this

openssl pkcs12 -export -inkey <GENERATED_PRIVATE_KEY>.key -in <CERTIFICATE_FROM_CA>.cer -out certificate.pkcs12

Next this bundled archive can be used to generate the java keystore with the following command.

keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore <NAME_OF_JKS>.jks

Working with Intermediate and Root Certificates

Say you have already obtained a root certificate for <YOUR_DOMAIN>.com. Let’s call it as Now you plan on obtaining a certificate for <YOUR_SUB_DOMAIN>.<YOUR_DOMAIN>.com. Let’s call that as Now you have two separate certificates for these two domains. If you were to generate the JKS using only the certificate, it may not fully work in some scenarios. For this purpose, CA’s provide us with intermediate certificates.

An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate and ending with the SSL certificate issued to you. Such certificates are called chained root certificates   

So these intermediate certificates chain the root certificate with the certificate provided to you. In this case it chains the certificate with the certificate. The relevant intermediate certificate will be provided to you by the CA when you purchase the SSL certificate.

If this is the case, we can not conduct Step 3 as above. Instead the following two steps need to be conducted.

Step 3a: Concatenate the certificate, the intermediate certificates and the root certificate to form one certificate.txt file


Step 3b: Generate the JKS using the Private Key and the concatenated certificate file

As above, bundle the Private Key and the Concatenated Certificate file to form a pkcs12 archive with the following command,

openssl pkcs12 -export -inkey <GENERATED_PRIVATE_KEY>.key -in certificate.txt -out certificate.pkcs12

NOTE: Here certificate.txt is the concatenated certificate file

Next this bundled archive can be used to generate the java keystore.

keytool -importkeystore -srckeystore certificate.pkcs12 -srcstoretype PKCS12 -destkeystore <NAME_OF_JKS>.jks

Now this generated Java Keystore can be used for securing your application or environment.

Good Luck!