Java keystore will not import cert as key entry after delete
That Random Guy
Member, Posts: 72
I have been tasked with enabling SSL traffic on a few RHEL (7.7) servers we have hosted on AWS for a project at work.
The good news is, I was able to obtain the certificate with ease.
The bad news is, I cannot for the life of me get these things to work for Oracle Weblogic (2.0.3).
I have created an identity store, created the key pair, created the CSR, got my signed "primary" cert, and finally imported the "full cert" incorrectly. Better said, the guide I was following said to combine all "three" files into one file and save it as a .PEM. The problem is that none of the guides I was following (around 3) ever mentioned which file was which. I was given two .crt files and one .pem file. I could not figure out which was the root, which was the primary, and which was the bundle until after I made a batch effort to simply combine all three files and import the result into the identity store.
As it turns out, I was wrong, and I later discovered I had been given the primary, the bundle (intermediate + root), and the same primary again as a .pem. I was not given the root on its own and had to grab that from the CA.
THE PROBLEM:
I didn't have the foresight to back up the identity store before importing the wrongly combined file. After thorough investigation, I have noticed that even though the wrongly combined file was in error, it still got imported successfully and was recognized as a key entry (only the first time). I copied the identity store and deleted the imported file so that I could then re-import the correct cert in the correct format. Now, after doing this more than 5 times, I have come to the conclusion that deleting the certificate or entry on the alias that was attached to the initially created key with the same alias will permanently wipe out the private key. I have verified this even by importing the same "bad" file into the keystore after deleting it only once. All attempts to import anything after deleting the existing key entry even once will only import as a CA entry. To me, this says I have no other option but to create another CSR, get the CA to revoke my current "working" cert, and then get them to sign me a new cert using this new CSR, which I would then finally import into the identity keystore.
Is this right? What kind of stupid system makes it so that you cannot delete an imported cert without also deleting the associated key under the same alias? AFAIK, JKSs do not let you look at or touch the private key. They do not make anything transparent. It took me a bit of reading to understand that the JKS file is what actually holds the keys, but you can never actually export them without converting the JKS into something else. Am I missing something here, or is this process just going to be long-winded?
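The keytool round trip described in the post (identity store, key pair, CSR, signed reply, chain import) and the failure mode it reports, as an added example that is not part of the original post and is neither the poster's commands nor anything from WebLogic. To run offline it builds a throwaway root and intermediate CA with `keytool -gencert` that stand in for the commercial CA; it assumes `keytool` (JDK 8 or later) is on PATH and prints English messages, and every alias, DN, hostname and password in it is a placeholder. Two keytool behaviours it exercises: `keytool -delete` removes the whole entry under an alias, private key and chain together, whereas `keytool -importcert` into an alias that already holds a key pair replaces that entry's certificate chain in place, so a corrected chain can be imported over a wrong one without deleting anything first. The CA's root and intermediate certificates (the "bundle") go in as trusted entries under their own aliases, and the only recovery from a deleted key entry shown here is the backup copy taken before the first import.

```shell
#!/bin/sh
# Added example, not the poster's commands and not WebLogic tooling: a keytool
# round trip against a constructed two-level CA that stands in for the real CA.
# Assumptions: keytool (JDK 8 or later) on PATH with English messages; every
# alias, DN, hostname and the password below is a placeholder.
set -e

STOREPASS=changeit   # demo-only password, shared by both keystores

# keytool wrapper: same password everywhere, output silenced; set -e aborts on failure.
kt() { keytool "$@" -storepass "$STOREPASS" >/dev/null 2>&1; }

# What kind of entry does an alias hold? PrivateKeyEntry / trustedCertEntry / missing
entry_type() {
    out=$(keytool -list -keystore "$1" -alias "$2" -storepass "$STOREPASS" 2>/dev/null) \
        || { echo missing; return 0; }
    case "$out" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo unknown ;;
    esac
}

# Chain length and leaf serial of a key entry, read from `keytool -list -v`.
chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$STOREPASS" 2>/dev/null \
        | awk '/Certificate chain length:/ { print $NF }'
}
leaf_serial() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$STOREPASS" 2>/dev/null \
        | awk '/Serial number:/ { print $NF; exit }'
}

build_demo() {
    dir=$1; ca=$dir/ca.jks; id=$dir/identity.jks

    # --- constructed CA: the root signs the intermediate, the intermediate signs servers ---
    kt -genkeypair -storetype JKS -keystore "$ca" -keypass "$STOREPASS" -alias root \
        -keyalg RSA -keysize 2048 -validity 3650 -ext bc:c -dname "CN=Constructed Root CA"
    kt -genkeypair -storetype JKS -keystore "$ca" -keypass "$STOREPASS" -alias inter \
        -keyalg RSA -keysize 2048 -validity 1825 -ext bc:c -dname "CN=Constructed Intermediate CA"
    kt -certreq -keystore "$ca" -alias inter -file "$dir/inter.csr"
    kt -gencert -keystore "$ca" -alias root -infile "$dir/inter.csr" -outfile "$dir/inter.crt" \
        -rfc -validity 1825 -ext bc:c
    kt -importcert -keystore "$ca" -alias inter -file "$dir/inter.crt" -noprompt
    kt -exportcert -keystore "$ca" -alias root -rfc -file "$dir/root.crt"

    # --- identity store: key pair and CSR, then BACK UP before anything is imported ---
    kt -genkeypair -storetype JKS -keystore "$id" -keypass "$STOREPASS" -alias server \
        -keyalg RSA -keysize 2048 -validity 365 -dname "CN=app.example.test"
    kt -certreq -keystore "$id" -alias server -file "$dir/server.csr"
    cp "$id" "$id.bak"

    # the "CA" signs the CSR; keytool -gencert writes the leaf plus the non-root part of the chain
    kt -gencert -keystore "$ca" -alias inter -infile "$dir/server.csr" -outfile "$dir/server.crt" \
        -rfc -validity 365 -ext san=dns:app.example.test

    # --- import order: root and intermediate as trusted entries under their OWN aliases,
    #     then the signed reply under the alias that holds the private key ---
    kt -importcert -keystore "$id" -alias root   -file "$dir/root.crt"   -noprompt
    kt -importcert -keystore "$id" -alias inter  -file "$dir/inter.crt"  -noprompt
    kt -importcert -keystore "$id" -alias server -file "$dir/server.crt" -noprompt
    # server is now a PrivateKeyEntry with a 3-certificate chain

    # --- replacing a chain does NOT need -delete: a new reply imported into the key alias
    #     overwrites the chain in place and the private key stays ---
    kt -gencert -keystore "$ca" -alias inter -infile "$dir/server.csr" -outfile "$dir/server2.crt" \
        -rfc -validity 730 -ext san=dns:app.example.test
    kt -importcert -keystore "$id" -alias server -file "$dir/server2.crt" -noprompt

    # --- the failure mode from the post: -delete removes the whole entry, key included,
    #     so a later import under that alias can only create a trustedCertEntry ---
    cp "$id" "$dir/broken.jks"
    kt -delete -keystore "$dir/broken.jks" -alias server
    kt -importcert -keystore "$dir/broken.jks" -alias server -file "$dir/server.crt" -noprompt

    # --- recovery is the backup: restore it and import the chain again ---
    cp "$id.bak" "$dir/restored.jks"
    kt -importcert -keystore "$dir/restored.jks" -alias root   -file "$dir/root.crt"   -noprompt
    kt -importcert -keystore "$dir/restored.jks" -alias inter  -file "$dir/inter.crt"  -noprompt
    kt -importcert -keystore "$dir/restored.jks" -alias server -file "$dir/server.crt" -noprompt
}

# Stand-alone use: sh keystore-demo.sh /path/to/empty/dir
if [ $# -eq 1 ]; then
    build_demo "$1"
    for ks in identity.jks broken.jks restored.jks; do
        echo "$ks server: $(entry_type "$1/$ks" server), chain length: $(chain_length "$1/$ks" server)"
    done
fi
```

Run it with an empty scratch directory as the only argument. `identity.jks` and `restored.jks` report `PrivateKeyEntry` with a chain length of 3, while `broken.jks`, where the alias was deleted before the re-import, reports `trustedCertEntry` and no chain length at all; the leaf serial in `identity.jks` is that of the second reply, because the second `-importcert` into the key alias replaced the first chain without any `-delete`.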