How to import an existing X.509 certificate and private key in Java keystore to use in SSL?

Question

I have this in an ActiveMQ config:

<sslContext>
        <sslContext keyStore="file:/home/alex/work/amq/broker.ks"  
 keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts" 
 trustStorePassword="password"/>
</sslContext>

I have a pair of X.509 cert and a key file.

How do I import those two in order to use them in SSL and SSL+stomp connectors? All examples I could google always generate the key themselves, but I already have a key.

I have tried

keytool -import  -keystore ./broker.ks -file mycert.crt

but this only imports the certificate and not the key file and results in

2009-05-25 13:16:24,270 [localhost:61612] ERROR TransportConnector - Could not accept connection : No available certificate or key corresponds to the SSL cipher suites which are enabled.

I have tried concatenating the cert and the key but got the same result.

How do I import the key?

Answer 1

I used the following two steps which I found in the comments/posts linked in the other answers:

Step one: Convert the x.509 cert and key to a pkcs12 file

openssl pkcs12 -export -in server.crt -inkey server.key 
               -out server.p12 -name [some-alias] 
               -CAfile ca.crt -caname root

Note: Make sure you put a password on the pkcs12 file - otherwise you'll get a null pointer exception when you try to import it. (In case anyone else had this headache). (Thanks jocull!)

Note 2: You might want to add the -chain option to preserve the full certificate chain. (Thanks Mafuba)

Step two: Convert the pkcs12 file to a Java keystore

keytool -importkeystore 
        -deststorepass [changeit] -destkeypass [changeit] -destkeystore server.keystore 
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password 
        -alias [some-alias]

Finished

OPTIONAL Step zero: Create self-signed certificate

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Cheers!