JDK 11 import root ca certificates into keystore - azul-zulu

How do I import certs into keystore in Azul Zulu JDK 11.
Where is the default keystore used by keytool

/lib/security/cacerts
Took me a while to find it, but found the answer here: https://blogs.oracle.com/jtc/openjdk-10-now-includes-root-ca-certificates

From running Azul's Alpine OpenJDK11 container, FROM azul/zulu-openjdk-alpine:11, the cacerts file is located at /usr/lib/jvm/java-11-zulu11/jre/lib/security/.
But, to import new certs into it, you only need to specify the -cacerts switch and the command takes care of the rest.
Below is an example of a command I used in a recent Dockerfile:
keytool -importcert -file <my-crt-file-location> -cacerts -keypass changeit -storepass changeit -noprompt -alias <my-alias>

Path of java 11 trust store is C:\Program Files\Java\jdk-11.0.4\lib\security\cacerts
To import cert in windows use below command.
"C:\Program Files\Java\jdk-11.0.1\bin\keytool" -importcert -file C:\Polarion\bundled\apache\conf\certificate.crt -alias labs.polarion.com -keystore "C:\Program Files\Java\jdk-11.0.1\lib\security\jssecacerts" -storepass changeit

For MAC and LINUX openJDK11
first find the jdk location
echo $JAVA_HOME
Since keytool and cacerts are located in different folders, we have to specify the path.
Go to the keytool folder:
/Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/bin/security
sudo keytool -import -noprompt -trustcacerts -alias aliasName -file /Users/lilojoseph/Desktop/dev.ssk.cer -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/lib/security/cacerts -storepass changeit
To check that the certificate was added, run the command below in the same folder:
keytool -list -v -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/lib/security/cacerts -alias aliasName

For adoptopenjdk/openjdk11#sha256:1cf34e59b4f6209c8513a1681a688bf8a90bf433993aa5b3914dcfdb100e9393, the location for cacerts is:
/opt/java/openjdk/lib/security/cacerts

I installed Azul Zulu Java 8 and Java 11 through SDKMan.
The cacerts file for my instances was as follows:
Java 11
~/.sdkman/candidates/java/11.0.14-zulu/zulu-11.jdk/Contents/Home/lib/security
Java 8
Notice the extra jre/ folder
~/.sdkman/candidates/java/8.0.322-zulu/zulu-8.jdk/Contents/Home/jre/lib/security
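An added example (not from any of the answers above) that turns the locations listed in this question into a script: it probes both the JDK 9+ layout (lib/security) and the JDK 8 layout (jre/lib/security), reports jssecacerts ahead of cacerts because JSSE loads that file in preference to cacerts when it exists, and wraps the import together with the keytool -list check. The helper names, the my-ca.crt file name and the java-on-PATH fallback are assumptions of the example, not anything the answers state.

```sh
#!/bin/sh
# Added example (not from the original answers): locate the trust store of a
# JDK and import a CA into it, across the layouts shown on this page:
#   JDK 9+ : $JAVA_HOME/lib/security/cacerts
#   JDK 8  : $JAVA_HOME/jre/lib/security/cacerts
# A file named jssecacerts in the same directory, if present, is what JSSE
# actually loads instead of cacerts, so it is reported first.

# Print the trust store path for a given Java home, or fail if none exists.
find_cacerts() {
    home="$1"
    for dir in "$home/lib/security" "$home/jre/lib/security"; do
        for name in jssecacerts cacerts; do
            if [ -f "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                return 0
            fi
        done
    done
    echo "no cacerts under $home" >&2
    return 1
}

# Resolve java.home from the JVM on PATH (works without JAVA_HOME set).
# java -XshowSettings prints to stderr, hence the 2>&1.
java_home_from_path() {
    java -XshowSettings:properties -version 2>&1 | sed -n 's/^ *java\.home = //p'
}

# Import a PEM/DER certificate as a trusted entry and confirm it is there.
# "changeit" is the stock password of every JDK-shipped cacerts; change it
# if you ship the store anywhere that matters.
import_trusted_cert() {
    store="$1"; alias="$2"; certfile="$3"; pass="${4:-changeit}"
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storepass "$pass" -alias "$alias" -file "$certfile"
    keytool -list -keystore "$store" -storepass "$pass" -alias "$alias"
}

# Usage (assumes JAVA_HOME or a java on PATH, and a CA file named my-ca.crt):
#   store=$(find_cacerts "${JAVA_HOME:-$(java_home_from_path)}")
#   import_trusted_cert "$store" my-ca my-ca.crt
```

On a JDK 11 the first probe hits and the jre/ directory is simply absent; on a JDK 8 the first directory does not exist and the loop falls through to jre/lib/security, which is the difference the SDKMan answer points out.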

Related

Spark SSL config error: doesn't recognize JKS files (spark-keystore.jks & spark-truststore.jks)

I'm getting below error in spark master
ERROR ==> If you enable SSL configuration, you must mount your keystore file and specify the location in SPARK_SSL_KEYSTORE_FILE. Default value: /opt/bitnami/spark/conf/certs/spark-keystore.jks
ERROR ==> If you enable SSL configuration, you must mount your trutstore file and specify the location in SPARK_SSL_TRUSTSTORE_FILE. Default value: /opt/bitnami/spark/conf/certs/spark-truststore.jks"
Below is what I have done.
Create truststore spark-truststore.jks using .pem files
# Enter store password when prompted
keytool -importcert -noprompt -keystore spark-truststore.jks -alias root -file rootCA.cert.pem -trustcacerts
keytool -importcert -noprompt -keystore spark-truststore.jks -alias intermediate -file issuingCA.cert.pem -trustcacerts
Create Keystore files
# First, make PKCS12 cert from crt & key .pem files
openssl pkcs12 -export -in spark.cert.pem -inkey spark.key.pem -name spark -out spark-pkcs12.p12
keytool -importkeystore -deststorepass REDACTED -destkeystore spark-keystore.jks -srckeystore spark-pkcs12.p12 -srcstoretype PKCS12
Create K8S secret
kubectl create secret generic sparksecret --from-literal=keystore_password=REDACTED --from-file=spark-keystore.jks=spark-keystore.jks --from-literal=truststore_password=REDACTED --from-file=spark-truststore.jks=spark-truststore.jks
In an InitContainer, mount the K8S secrets and copy the spark-keystore.jks & spark-truststore.jks files to /opt/bitnami/spark/conf/certs

Is it possible to run Azure Function app with SSL locally?

I have an Azure function app. It works well with HTTP locally. Also it works well on production. I am trying to run it with HTTPS locally. I created a certificate but it's still showing a certificate error on the browser. I tried to add my certificate to KeyChain Access as well but the result is the same.
How can I run my function with an SSL certificate locally?
I'm trying to access my service from my mobile app but Android is not allowing me to call an HTTP endpoint.
Thanks.
The command line arguments need to be set correctly, and then the Azure Functions can be started in Visual Studio with HTTPS and take advantage of the break point debugging without having to attach the func process in Visual Studio.
Install the tools for local Azure Function development:
Microsoft Azure Storage Explorer
Microsoft Azure Storage Emulator
Install the Azure Functions Core Tools
Or
npm install -g azure-functions-core-tools
Install the Azure Functions Visual Studio Extensions
Azure Functions and Web Jobs Tools need to be installed as an extension in Visual Studio.
Configure the Azure Functions project to use HTTPS
Create a certificate and add this to the operating system.
openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
openssl rsa -passin pass:x -in server.pass.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
or
New-SelfSignedCertificate -DnsName "server.com", "server.com" -CertStoreLocation "cert:\LocalMachine\My"
Get the thumbprint for later use
$mypwd = ConvertTo-SecureString -String "1111" -Force -AsPlainText
Get-ChildItem -Path cert:\localMachine\my\"thumbprint from above" | Export-PfxCertificate -FilePath C:\server.pfx -Password $mypwd
Copy the pfx file to the Function project and then configure the properties to copy this to the output.
Configure the command line arguments for Debug.
The application arguments starts with host in Visual Studio and not func! This would be func in the command line.
Or just set this in the launchSettings.json
{
  "profiles": {
    "FunctionApp1": {
      "commandName": "Project",
      "commandLineArgs": "host start --useHttps --cert \"server.pfx\" --password \"1111\""
    }
  }
}
When you start the Azure Function project with Visual Studio, the HTTPS URL will be used. This can be checked in the command line window which opens up after starting. Break point debugging is now possible as we started from Visual Studio.
If you start this from the console using func start --useHttps --cert "server.pfx" --password "1111", you need to attach the func process in Visual Studio for break point debugging.

Import a .pem file in to a Java Keystore with valid key pair

I am trying to import a .pem file into the JKS using the command below:
keytool -import -trustcacerts -alias nagar -file Downloads/nagardir.pem -keystore keystore.jks
The .pem file gets imported fine but, it is not creating a key pair.
When I try to change the password using
keytool -v -list -keystore keystore.jks -alias nagar -keypasswd
I get an error: Alias has no Key
How do I import the .pem file in a proper way. I would appreciate a Windows solution.
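Added example, not code from the Spark post above or from this question, though it serves both: each needs a private key plus its certificate to land in a Java keystore, and keytool -importcert can only ever create a trustedCertEntry from a PEM, which is exactly why the alias here "has no key". The route is the one the Spark post uses (openssl pkcs12 -export, then keytool -importkeystore), with a chain check before bundling and a keytool -list check afterwards. File names, aliases, the password and the PKCS12 store type are assumptions of the example; store names ending in .jks are kept because that is what the Spark image expects.

```sh
#!/bin/sh
# Added example, not from either post. Builds the truststore and keystore a
# TLS-enabled Java service (such as Spark) needs from PEM material, then
# checks the result. Assumed inputs: a leaf cert, its private key and a PEM
# chain file (root + intermediate), one certificate per CA file.
set -e

# Truststore: one trustedCertEntry per CA file, alias = file name sans .pem.
build_truststore() {
    store="$1"; pass="$2"; shift 2
    for ca in "$@"; do
        alias=$(basename "$ca" .pem)
        keytool -importcert -noprompt -storetype PKCS12 \
            -keystore "$store" -storepass "$pass" -alias "$alias" -file "$ca"
    done
}

# Keystore: verify the leaf against the chain first (a mismatched chain is
# the usual cause of handshake failures later), bundle key+cert+chain into
# PKCS#12 with openssl, then let keytool copy it into the final store.
build_keystore() {
    store="$1"; pass="$2"; alias="$3"; key="$4"; cert="$5"; chain="$6"
    openssl verify -CAfile "$chain" "$cert"
    tmp=$(mktemp "${TMPDIR:-/tmp}/ks.XXXXXX")
    # SHA1/3DES PBE is chosen for the short-lived bundle on purpose: OpenSSL 3
    # defaults to PBES2/AES, which older JDK 8 and JDK 11 updates cannot read.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -name "$alias" -out "$tmp" -passout "pass:$pass" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    # Java 9+ reads PKCS12 even when the file is opened as type "JKS", so a
    # PKCS12 file named spark-keystore.jks works; use -deststoretype JKS only
    # if a JDK 8 service must read it.
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$store" -deststoretype PKCS12 -deststorepass "$pass" \
        -srcalias "$alias" -destalias "$alias" -destkeypass "$pass"
    rm -f "$tmp"
}

# Exit 0 if the alias exists in the store, 1 otherwise (keytool's own code).
store_has_alias() {
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" -alias "$3" \
        >/dev/null 2>&1
}

# Entry type as keytool reports it: trustedCertEntry or PrivateKeyEntry.
store_entry_type() {
    keytool -list -storetype PKCS12 -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | grep -oE 'trustedCertEntry|PrivateKeyEntry'
}

# Usage with the Spark post's file names (assumed to exist in the cwd):
#   build_truststore spark-truststore.jks "$PASS" rootCA.cert.pem issuingCA.cert.pem
#   build_keystore   spark-keystore.jks   "$PASS" spark spark.key.pem spark.cert.pem chain.pem
#   store_entry_type spark-keystore.jks "$PASS" spark    # PrivateKeyEntry
```

If store_entry_type reports trustedCertEntry for the alias you meant to be the server identity, the key never made it in and the import has to go through the PKCS#12 path above; a PEM on its own will not do it.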

X.509 certificate in trusted store for ubuntu - Powershell Microsoft graph

Main goal
I am trying to find a way to add licenses to a user using ubuntu linux; either by powershell or any other programmable method. My last resort is to use selenium with python.
Actual problem
I am trying to use Connect-MgGraph cmdlet with a certificate for unattended scripts. The information on this is here: https://learn.microsoft.com/en-us/graph/powershell/app-only?tabs=azure-portal
I already have app registered with exchange and admin access. I also already have a cert. I used it before when connecting to exchange online powershell.
When I try to run: Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateName $Certificate
It Gives me an error: certificate was not found or has expired.
Here is what I tried:
I first tried using the certpath as a variable and then passing that - failed
$CertificateFilePath = "/home/tech/scripts/powershell_scripts/exchangecert/msexchange.pfx"
##other stuff
Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateName $CertificateFilePath
### FAILED RESULT
Connect-MgGraph: /home/tech/scripts/powershell_scripts/exchangecert/msexchange.cer certificate was not found or has expired.
I tried using this bit of commands that I found from here:https://github.com/Azure/azure-powershell/issues/8675
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("/home/tech/scripts/powershell_scripts/exchangecert/msexchange.cer","apassword",$Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
### FAILED RESULT
Connect-MgGraph: [Subject]
CN=adomain.com
[Issuer]
CN=adomain.com
[Serial Number]
aserialnumber
[Not Before]
5/30/2021 2:51:16 PM
[Not After]
5/30/2022 3:01:17 PM
[Thumbprint]
athumbprint
certificate was not found or has expired.
Everything I have tried so far is failing. I know this would work on windows but I would really like to authenticate unattended on ubuntu.
Thanks everyone.
-CertificateName should be the subject name of the cert, not the path to the cert. But, you should probably try using the thumbprint instead. I think you're missing some more code for installing the cert. Try something like this, substituting your details in the beginning to generate the correct PFX. (i.e. Make sure key.pem and cert.pem exist in /etc/ssl/private/)
$CertPath = '/etc/ssl/private/'
$CertKey = $CertPath + 'key.pem'
$CertPublic = $CertPath + 'cert.pem'
$CertMerge = $CertPath + 'merged.pfx'
$CertPass = 'somepassword'
$CertExpire = 365
$CertName = 'somecertname'
# Generate new certificate and convert it to pfx format
openssl req -newkey rsa:2048 -new -nodes -x509 -days $CertExpire -keyout $CertKey -out $CertPublic -subj "/C=LV/ST=Some-State/L=LV/O=$CertName/OU=IT"
openssl pkcs12 -in $CertPublic -inkey $CertKey -export -out $CertMerge -passout pass:$CertPass
At this point, you should check to make sure merged.pfx got created. Then continue:
# Store certificate in certificate store
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertMerge, $CertPass, $Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
# Get cert thumbprint
$CertValue = [Convert]::ToBase64String($Certificate.GetRawCertData())
$Thumbprint = $Certificate.Thumbprint
Then use $Thumbprint to log in:
Connect-MgGraph -ClientID $ApplicationId -TenantId $TenantId -CertificateThumbprint "YOUR_CERT_THUMBPRINT"
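Added example, not part of the answer above: the same openssl steps the answer runs from PowerShell, plus the two checks that explain the "certificate was not found or has expired" message. The value .NET exposes as Thumbprint (what -CertificateThumbprint matches on) is the SHA-1 of the DER encoding as upper-case hex with no separators, -CertificateName matches the subject name rather than a path, and the certificate has to be inside its validity window. It also covers the Azure Functions answer earlier on the page, which needs the same kind of .pfx. The helper names, the CN app-auth and the directory layout are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the answer). Self-signed cert + key, a PFX carrying
# both, and the checks behind "certificate was not found or has expired".

# Self-signed cert + key, then a PFX carrying both (openssl pkcs12 -export).
# Hypothetical CN and paths; pass a real subject for anything but testing.
make_cert_and_pfx() {
    dir="$1"; cn="$2"; days="$3"; pass="$4"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/merged.pfx" -passout "pass:$pass"
    # the key material is the app's credential: keep it owner-readable only
    chmod 600 "$dir/key.pem" "$dir/merged.pfx"
}

# Thumbprint in the form Connect-MgGraph -CertificateThumbprint expects:
# 40 upper-case hex digits, no colons.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Independent computation of the same value: SHA-1 over the DER bytes.
der_sha1() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -r \
        | cut -c1-40 | tr 'a-f' 'A-F'
}

# Exit 0 if the certificate is still valid $2 seconds from now (default: now).
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Subject CN, which is what -CertificateName actually matches on.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage (assumed directory):
#   make_cert_and_pfx /etc/ssl/private app-auth 365 somepassword
#   cert_thumbprint  /etc/ssl/private/cert.pem   # paste into -CertificateThumbprint
#   cert_is_current  /etc/ssl/private/cert.pem || echo "expired: re-issue and re-upload"
```

The cert.pem (public part only) is what gets uploaded to the app registration; the .pfx is what the X509Certificate2 constructor in the answer loads into the CurrentUser\My store, and the thumbprint printed here must equal the one the portal shows for the uploaded certificate, or the lookup fails with the same error.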

Specify specific certificate when encrypting web.config connection string section

Is there any possibility of encrypt sections in web.config with a specific certificate (not de default one), so I can read the same web.config in different machines?
Or... encrypt sections so two servers can decrypt automatically?
Both machines are Windows Server 2019
Thanks a lot.
According to your description, I suggest you could try to follow the steps below to encrypt the web.config and decrypt the web.config by using a certificate.
1.Create a certificate to encrypt the config file.
$cert = New-SelfSignedCertificate -Type DocumentEncryptionCert -Subject "CN=DevConfig" -KeyExportPolicy Exportable -KeySpec KeyExchange
Export-Certificate -Cert $cert -FilePath ".\DevConfig.cer"
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath ".\DevConfig.pfx" -Password $mypwd
$cert
2.Import the encryption certificate:
Import-Certificate -Filepath ".\DevConfig.cer" -CertStoreLocation cert:\LocalMachine\My
3.Import the decryption certificate:
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
Import-PfxCertificate -FilePath ".\DevConfig.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd
4.Install the WebConfigEncrypter NuGet package.
Install-Package WebConfigEncrypter -Version 1.1.0
5.Add below config into web.config file. Notice: you should find the thumbprint from the generated certificate file like below:
<configProtectedData>
<providers>
<add name="Pkcs12Provider" thumbprint="91cb0b7c611e54f6bfd43c4d8d178b542bc6557e" type="WebConfigEncrypter.Pkcs12ProtectedConfigurationProvider, WebConfigEncrypter" storeLocation="LocalMachine"/>
</providers>
</configProtectedData>
6.Run the command below in the web.config file folder:
aspnet_regiis -pef "connectionStrings" "." -prov "Pkcs12Provider"
7.You will find your web.config is encrypted, but if you import the decryption certificate on the remote server, you will find your application works well.
