Tcl

Add Private Key to Java Keystore


Adds a private key to an existing Java keystore.


Tcl

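load ./chilkat.dll

# Adds two private key entries to an existing Java keystore (JKS):
#   "alice" - assembled from a PEM certificate, its issuing CA certificate,
#             and an unencrypted PEM private key
#   "bob"   - taken from a PFX that already bundles key, cert and chain
# The keystore file is rewritten in place after each entry is added.
#
# This requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
#
# Exit status: 0 when both entries were written, 1 as soon as any step fails.
# (A bare "exit" in Tcl returns 0, which would make a failed import look
# successful to a shell, CI job or deployment script.)

# Destructor for every Chilkat object this script may create, keyed by the
# global variable holding the handle.
set ckDestructors {
    jks       delete_CkJavaKeyStore
    cert      delete_CkCert
    certVault delete_CkXmlCertVault
    privKey   delete_CkPrivateKey
    pfx       delete_CkPfx
}

# Free each Chilkat object that has been created so far.
proc releaseChilkatObjects {} {
    global ckDestructors
    foreach {varName destructor} $ckDestructors {
        if {[info exists ::$varName]} {
            $destructor [set ::$varName]
        }
    }
}

# Report a failed step, free what was allocated, and exit non-zero.
# The Chilkat error text is verbose diagnostic output, so it goes to stderr
# rather than being mixed into the normal output on stdout.
proc abortWith {errorText} {
    puts stderr $errorText
    releaseChilkatObjects
    exit 1
}

set jks [new_CkJavaKeyStore]

# SECURITY: the passwords in this sample are placeholders. In real use,
# obtain them at run time (secret store, protected config, prompt) instead
# of embedding them in a script that gets copied, committed and backed up.
set jksPassword "myJksPassword"
set pfxPassword "pfxPassword"
set jksPath "/someDir/keyStore.jks"

# NOTE: JKS guards private key entries with a legacy password-derived scheme,
# and JDK 9 and later create PKCS12 keystores by default. Restrictive file
# permissions on the .jks matter as much as the password does.

# Load the Java keystore from a file.
if {[CkJavaKeyStore_LoadFile $jks $jksPassword $jksPath] != 1} {
    abortWith [CkJavaKeyStore_lastErrorText $jks]
}

# A JKS private key entry consists of the private key, its associated
# certificate (which contains the matching public key within the X.509 of
# the certificate), and the certificates in the chain of authentication to
# the root.
#
# Therefore, adding a private key entry to a JKS requires a Chilkat
# certificate object that has a private key and which also has the
# certificate chain (up to the root) available.
#
# There are many ways to get a Chilkat certificate object that contains
# (within it) the private key and the certificate chain.
# This example shows two possibilities:
# (1) The cert and issuing root are provided in PEM format in .crt files,
#     and the private key is provided in unencrypted PEM format (.key file).
# (2) The cert, private key, and issuing root are provided in a single PFX.

# ---- (1) .crt / .key files ------------------------------------------------
set cert [new_CkCert]

# Chilkat will automatically determine the format of the cert file and load
# it correctly.
if {[CkCert_LoadFromFile $cert "/mycerts/alice.crt"] != 1} {
    abortWith [CkCert_lastErrorText $cert]
}

# Certificates required for building the chain of authentication can be
# added to an XML certificate vault object, which is then provided as a
# source for obtaining certs when building the chain.
set certVault [new_CkXmlCertVault]

if {[CkXmlCertVault_AddCertFile $certVault "/mycerts/ca.crt"] != 1} {
    abortWith [CkXmlCertVault_lastErrorText $certVault]
}

if {[CkCert_UseCertVault $cert $certVault] != 1} {
    abortWith [CkCert_lastErrorText $cert]
}

# Now provide the associated private key to the certificate object.
# The Chilkat private key class provides methods for loading from many
# formats (both encrypted and unencrypted).
#
# SECURITY: this .key file is an unencrypted PEM, so any account able to
# read the path holds the key. Keep it readable only by the importing
# account, and remove or encrypt it once the keystore has been written.
set privKey [new_CkPrivateKey]

if {[CkPrivateKey_LoadPemFile $privKey "/mycerts/alice.key"] != 1} {
    abortWith [CkPrivateKey_lastErrorText $privKey]
}

# Provide the certificate object with the private key.
if {[CkCert_SetPrivateKey $cert $privKey] != 1} {
    abortWith [CkCert_lastErrorText $cert]
}

# The certificate object now contains all that is needed to add it as a
# private key entry to the Java keystore.
# NOTE(review): the final argument is presumably the password applied to the
# new entry; this sample reuses the keystore password for it.
set alias "alice"
if {[CkJavaKeyStore_AddPrivateKey $jks $cert $alias $jksPassword] != 1} {
    abortWith [CkJavaKeyStore_lastErrorText $jks]
}

# Write the updated JKS, which contains the new private key entry with its
# certificate chain. This overwrites the file that was loaded above.
# NOTE(review): whether the write is atomic is not visible here; keep a
# backup of the keystore if a partial write would be costly.
if {[CkJavaKeyStore_ToFile $jks $jksPassword $jksPath] != 1} {
    abortWith [CkJavaKeyStore_lastErrorText $jks]
}

puts "Added new private key entry (from .crt and .key files) to the JKS!"

# ---- (2) PFX ----------------------------------------------------------------
# Add a new private key entry from a PFX that contains a single private key
# with associated cert and cert chain.
set pfx [new_CkPfx]

if {[CkPfx_LoadPfxFile $pfx "/myPfxFiles/my.pfx" $pfxPassword] != 1} {
    abortWith [CkPfx_lastErrorText $pfx]
}

# This is easy -- simply add the PFX to the JKS.
set alias "bob"
if {[CkJavaKeyStore_AddPfx $jks $pfx $alias $jksPassword] != 1} {
    abortWith [CkJavaKeyStore_lastErrorText $jks]
}

# Write the updated JKS, which now also contains the private key entry and
# certificate chain that came from the PFX.
if {[CkJavaKeyStore_ToFile $jks $jksPassword $jksPath] != 1} {
    abortWith [CkJavaKeyStore_lastErrorText $jks]
}

puts "Added new private key entry (from PFX) to the JKS!"

releaseChilkatObjects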