There are three primary uses for this command:

  • To import a certificate that has been signed by a certification authority into the key store in which the key pair was generated. It is imported into a private key entry, and it should be imported as a certificate chain rather than just the end-entity certificate.
  • To import a trusted issuer certificate into a trust store. It is imported into a trusted certificate entry and is a single certificate rather than a chain.
  • To import a certificate chain along with the private key for the end-entity certificate. This can be used to import certificates that were generated through some other library like OpenSSL.

In addition to the arguments used to provide information about the key store and the alias into which the certificate (or certificate chain), this command accepts the following arguments.

Argument Description

--certificate-file <path>

The path to the file containing the certificate to be imported. The certificate can be in either PEM or DER format, and it can be a single certificate or a certificate chain. This argument can also be provided multiple times when importing a certificate chain if the certificates in the chain are in separate files.

--private-key-file <path>

The path to a file containing the private key that corresponds to the certificate at the head of the chain that is being imported. The private key can be in either PEM or DER format.

--no-prompt

Indicates that the certificate should be imported without prompting for confirmation. By default, a summary of the certificate is displayed, and you must confirm that you actually want to import it.

For example, you can use the following command to import a signed certificate into the key store used to generate the certificate signing request.

$ bin/manage-certificates import-certificate \
     --keystore config/keystore \
     --keystore-password-file config/keystore.pin \
     --alias server-cert \
     --certificate-file ds1-cert.pem \
     --certificate-file ca-cert.pem
 
The following certificate chain will be imported into the keystore into alias 'server-cert', preserving the existing private key
associated with that alias:
 
Subject DN:  CN=ds.example.com,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time:  Sunday, November 10, 2019 at 09:09:23 PM CST (4 minutes, 16 seconds ago)
Validity End Time:  Monday, November 9, 2020 at 09:09:23 PM CST (364 days, 23 hours, 55 minutes, 43 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with ECDSA
Public Key Algorithm:  EC (secP256r1)
SHA-1 Fingerprint:  02:51:25:43:3e:68:f5:71:36:e3:5d:df:74:de:f6:a1:5a:db:0f:eb
SHA-256 Fingerprint:  1d:b5:eb:3c:f5:ff:bf:79:a2:a5:86:b8:e4:33:76:4d:d7:50:dc:a4:34:95:37:be:89:45:86:1f:5d:79:c3:93
 
Subject DN:  CN=Example Root CA,O=Example Corp,C=US
Issuer DN:  CN=Example Root CA,O=Example Corp,C=US
Validity Start Time:  Sunday, November 10, 2019 at 09:00:07 PM CST (13 minutes, 32 seconds ago)
Validity End Time:  Saturday, November 5, 2039 at 10:00:07 PM CDT (7299 days, 23 hours, 46 minutes, 27 seconds from now)
Validity State:  The certificate is currently within the validity window.
Signature Algorithm:  SHA-256 with ECDSA
Public Key Algorithm:  EC (secP384r1)
SHA-1 Fingerprint:  0e:5c:21:c9:a5:36:0a:24:eb:aa:55:b6:a5:94:0e:e0:56:03:22:e6
SHA-256 Fingerprint:  77:cf:66:d7:3c:8a:fd:67:2d:b7:36:fd:60:1d:ca:eb:1b:03:b1:12:7b:10:1f:26:05:b7:b9:0d:02:e0:38:3e
 
Do you want to import this certificate chain into the keystore? yes
 
Successfully imported the certificate chain.

Although the tool displays information about the certificates to be imported if you don’t provide the --no-prompt argument, you might want to see more information about the certificate before it is imported. You can do so with the display-certificate-file subcommand, which offers the following arguments.

Argument Description

--certificate-file <path>

The path to the file containing the certificate to view.

--verbose

Indicates that verbose information about the certificate should be displayed.

The output of this subcommand has the same format and content as the list-certificates subcommand.