ssl - Import certificate as PrivateKeyEntry

Question

I am installing SSL on a Tomcat server and am following these instructions from the issuer https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO16181 and it states:

Verify the following information:

The SSL certificate is imported into the alias with the "Entry Type" of 
PrivateKeyEntry or KeyEntry.  If not, please import the certificate into 
the Private Key alias.

When I import the certificate (tomcat) I am using:

keytool -import -trustcacerts -alias your_alias_name -keystore your_keystore_filename
-file your_certificate_filename

but when I do so it imports as trustCertEntry

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

primaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): <snip>
tomcat, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1):  <snip>
secondaryca, Jul 26, 2014, trustedCertEntry,
Certificate fingerprint (SHA1):  <snip>

How can I make alias tomcat import as PrivateKeyEntry?

Answer 1

You try to add certificate and expect that it will be private key - its confusion between two different things.

Generally, when you create keystore (.jks) it include the private key inside. If its empty (deleted) you should generate bundle (.p12 file) from your key and certificates.

In order to create new free key and certificate you can use this this implementation of openSSl https://zerossl.com.

Then, you've got a key and certificate that you should generate (.p12) bundle file from them: (on linux machine)

openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]

Now, just add the bundle file (.p12 file) to a keystore (.jks) by executing the following command:

keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12