We have a requirement where we have my.crt file which we want to use it with cacerts.
I have checked the blogs and documentation its not clear on how to use my.crt file with cacerts
I have used -Dweblogic.security.SSL.trustedCAkeystore='/xxx/sr/cacerts' to change the path of the keystore , but cannot see it loading in the logs
Also when creating identity.jks and trust.jks from cacerts file I am getting :
keytool -importcert -alias mykey -trustcacerts -file trust.jks -keystore cacerts -storepass changeit
keytool error: java.lang.Exception: Input not an X.509 certificate
Also should I be using custom identity custom trust OR custom identity and command-line trust to get this working
you are giving wrong values to keytool command....
if you want to import your .crt file to cacerts then you must have to specify in keytool command but you are specifying trust.jks here....
Wrong:
keytool -importcert -alias mykey -trustcacerts -file trust.jks -keystore cacerts -storepass changeit
Correct: Use the below command.It must have to work
keytool -importcert -alias mykey -trustcacerts -file filename.crt -keystore cacerts -storepass changeit
Related
I am trying to establish node to node encryption. I am following datastax online guidance available for ssl encryption on below link- https://docs.datastax.com/en/security/5.1/security/secSetUpSSLCert.html
as per the documentation i have skipped first two steps and followed from step-3.
so, I have created the keystore, using below command-
keytool -genkeypair -keyalg RSA -alias node1 -keystore cassandra.jks -storepass cass123 -keypass cass123 -validity 365 -keysize 2048 -dname "CN=host1, OU=cluster1, O=org, C=US"
after creating the keystore, here the public certificate authority have two level of encryption or certs. first is root.cert and another is intermediate.cert.
when i have checked through below command, intermediate.cert is signed or verifyed by root.cert.
openssl verify -CAfile root.cert intermediate.cert , Got OK in Response.
after than with keystore(cassandra.jks), i have raise the certificate signed request (CSR):
keytool -keystore cassandra.jks -alias node1 -certreq -file cassandra.csr -keypass cass123 -storepass cass123 -dname "CN=host1, OU=cluster1, O=org, C=US"
then after uploading this CSR file (cassandra.csr) to public certificate authority i got in response one Cert.cer file.
so, then i checked whether the Cert.cer file get signed by root.cert or not.
openssl verify -CAfile root.cert Cert.cer
Got unable to load certificate in Response, with error message-
140044398696338:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c707:Expecting TRUSTED CERTIFICATE
Even I have Checked the Cert.cer with intermediate.cert-- got the same above error message.
Is this mean the Cert.cer which i got in response to csr request in not properly signed by certificate authority.
So i have stopped further steps here, which needed for cassandra ssl implementation.
Please, let me know, if i miss something or doing in wrong manner. much appreciated all help and suggestions
This issue is resolved, due to platform issue certs generated have extras carriage characters ^M. after removing this and merging root and intermediate certs together it works fine.
I have generated the CSR request on our wintel server ( we need to bind our application hosted on this server for Https) using below commands in keytool:
Keytool -genkey -alias <server name> -keyalg RSA -keysize 2048 -keystore <server name>.keystore
Enter keystore password - changeit
Confirm the password – changeit
Common Name: ******
Organization: ***
Organization Unit: **
Locality: ****
State: ***
Country: **
Enter key password or hit enter to keep same as keystore password
keytool -certreq -keyalg RSA -alias <server name> -file certreq.csr -keystore <server name>.keystore
Two files are generated
certreq.cer
.keystore
I send the two files to the concerned team, they got the SSL certificate and installed it on the same server.
Now the certificate is there in console root\certificates (local computer)\personal\certificates but its not appearing in IIS for binding. The team is now asking me for the private key to resolve the issue.
Can someone let me how to get the private key from the .cer and .keystore file?
And if you can point out the reason why certificate is not appearing in IIS and how to resolve it, I would really appreacite that.
P.S: I am not sure if this is the right place for this question. Help me out to know the right place if this is not.
Edit: For someone stuck with same questions, check out the answer
by garethTheRed here- https://serverfault.com/questions/943496/how-to-install-cer-and-p7b-certificates-to-use-in-iis/943500#943500
In my case, the certificate received from CA was directly installed, thats why it was not private key verified, and was not appearing in IIS also. We had to import the public key(the .cer file) to the keystore
keytool -importcert -file certificate.cer -keystore <server name>.keystore -alias <server name>
and then convert the keystore to a PKCS#12, with:
keytool -importkeystore -srckeystore <server name>.keystore -destkeystore <server name>.pfx -srcstoretype JKS - deststoretype PKCS12 -deststorepass <new password>
Then we imported the pfx in certificate store.
Following the go-daddy documentation :
https://www.godaddy.com/help/tomcat-4x5x6x-renew-a-certificate-5355
The flow:
I've create myDomain.csr and send it to GoDaddy , got reply from them with 3 files ( gd_bundle-g2-g1.crt , gdig2.crt.pem ,59a41eaec32d2046.crt)
I mentioned that the old cert which was expired has a chain structure , unfortunately Go-daddy give me only "flat" certificates.
I tried to make a chain by myself :
cat 59a41eaec32d2046.crt gd_bundle-g2-g1.crt gdig2.crt.pem >> myDomain.crt
after that :
sudo keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file myDomain.crt
sudo keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
sudo keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
and change the server.xml exactly as in the documentation
I Attach pictures of how in my opinion it should appear
But Actually after my chain I had :
When I open the Browser GOT:
Secure Connection Failed
An error occurred during a connection to talenttribe.me. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Learn more…
Report errors like this to help Mozilla identify and block malicious sites
Don't understand what I'm missing...is it Chain creation or tomcat issues ??
BR,
You just need to replace tomcat certificate if your renew from existing vendor.
certificate name hexcode.crt Other no need to change. Its works for me.
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file filepath
The issue is that the tomcat.keystore is not being created with chaining intact. To correct that, you will need to isolate the root and intermediate certificates in separate files, and then import them in a specific order. To create a working example, here are some simplifying assumptions:
The 59a41eaec32d2046.crt file contains only the SSL certificate issued by Go Daddy, presumably for an internet facing web server.
The "gd_bundle-g2-g1.crt" file is a concatenation of the Go Daddy intermediate and root certificates.
The "gdig2.crt.pem" file contains a redundant copy of the Go Daddy root certificate.
There is only one intermediate certificate, and it is also the Issuer of your SSL certificate.
The crt files are the base 64 encoded, or "pem", format.
The tomcat.keystore file uses JKS format.
Here are the steps to create the tomcat.keystore, given the assumptions above:
List the contents of gd_bundle-g2-g1.crt:
sudo keytool -printcert -file gd_bundle-g2-g1.crt
The output will include delimiters for each certificate in the bundle. The delimiter for the first certificate will be "Certificate[1]:", and the delimiter of the second certificate will be "Certificate[2]:". Immediately following "Certificate[1]:", you will see the Owner and Issuer records for the first certificate. Likewise, following "Certificate[2]:", you will see the Owner and Issuer records for the second certificate. Also note:
The root certificate is unique in that the Owner is the same as the Issuer (in other words, it is self-signed).
The root certificate is also the Issuer of the intermediate certificate.
List the contents of gd_bundle-g2-g1.crt in "rfc" format:
sudo keytool -printcert -file gd_bundle-g2-g1.crt -rfc
Again, note the delimiters "Certificate[1]:" and "Certificate[2]:" are used with the same meaning as above. But in rfc format, the certificates are listed using base 64 "pem" format starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----". That is format that will be needed in the separate root and intermediate certificate files.
Redirect the output of step 2 to a temporary file. Then use a text editor to save the Go Daddy root certificate in a separate file named gd_root.crt.
Be certain to include the entirety of the text beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".
Likewise, save the Go Daddy intermediate certificate in a separate file named gd_intermediate.crt.
Use the "keytool -importcert" command to create the keystore incrementally:
sudo keytool -importcert -noprompt -file gd_intermediate.crt -alias intermed -keystore tomcat.keystore -storepass '!q#wDDfll'
sudo keytool -importcert -noprompt -file gd_root.crt -alias root -keystore tomcat.keystore -storepass '!q#wDDfll'
sudo keytool -importcert -noprompt -file 59a41eaec32d2046.crt -alias tomcat -keystore tomcat.keystore -storepass '!q#wDDfll'
The order of the commands above is important. You need to create the keystore first using the intermediate certificate used by the CA to issue (sign) your SSL certificate. (If there are additional intermediate certificates, those would be added next, until the final intermediate certificate, which is signed by the root certificate, is added.) Next, you add the root certificate. And finally, you add the SSL certificate issued by the CA for your application.
This will fix the issue with the tomcat.keystore file. You might also consider building a custom trust store file, which requires the truststoreFile and truststorePass options within the connector element, as an alternative to relying on Java's cacerts trust store. The commands to do that are similar to the fist 2 commands above, substituting the trust store file name along with the trust store password.
I have generated the certificate and added to trust store using the below commands
keytool -genkey -alias CERT-ALIAS -keyalg RSA -keysize 2048 -validity 365 -keystore Certificate_Online
keytool -certreq -v -alias CERT-ALIAS -keystore Certificate_Online.jks -file Certificate_Online.csr
keytool -export -alias CERT-ALIAS -file Certificate_Online.cer -keystore Certificate_Online
i modified my server.xml as below
server.xml:
<Connector port="2222" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/jdk1.6.0_32/bin/Certificate_Online.jks" keystorePass="changeit" />
still when i try to open the link in the broswer
it is showing This site can’t be reached ,ip refused to connect. please help me out . tried a lot but could find where the problem is.
thanks a lot in advance .
The reason that this is not working is that the certificate is not trusted. You generated a Certificate Signing Request, but it does not appear to have been signed (by a Certificate Authority).
In order to get around this for testing you can add your certificate to your own trusted certificate store. In Linux you should be able to do this by using the keytool -import command in your JRE. Something like this:
keytool -import -file /jdk1.6.0_32/bin/Certificate_Online.cer -alias CERT-ALIAS -keystore "/jre/lib/security/cacerts" -storepass changeit
In Windows you can double click on the .cer file, click "Install Certificate" and place the certificate in the "Trusted Root Certification Authorities" store.
I am trying to create the certificate on IBM JDK1.4 using bouncy castle as a provider, I am using this command to create the certs, with this commands private key is created , but I am not able to create public key for it.
Also I am looking for the information on hat is valid keystore and keystore providers for the BC can I use IBMJCE for bouncy castle
keytool -genkey -alias alias -keystore Maritz_sso_keys.bks -storepass password -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -sigalg SHA256withRSA -keyalg RSA