Convert certificate in PKCS12 format for tomcat / JKS Keystore - linux

I have following wildcard certificate files from GlobalSign Authority.
root.crt
intermediate.crt
private.key
I want to configure tomcat HTTPS using above cert files. I believe Tomcat support PKCS12 format.
How do i convert those certificate files in PKSC12 format? also how do i import them in tomcat keystore, specially intermediate cert?

Use openssl to create your PKCS12 file
First create a single intcacerts.pem file with your intermediate(s) and CA, pasted one after each other (they must be in PEM format).
Then call openssl
openssl pkcs12 -export -in myservercert.pem -inkey private.key -certfile intcacerts.pem -name "aFriendlyName" -out keyandcerts.p12
(myservercert.pem is the server certificate in PEM, intcacerts.pem contains the intermediate(s) and CA as described above, private.key is the private key associated with the server certificate)
The documentation for openssl pkcs12 is here
To convert the generated PKCS12 into a JKS keystore, do something like this
keytool -importkeystore -srckeystore keyandcerts.p12 -srcstoretype PKCS12 -destkeystore myJKS.jks

Related

Fail to merge/extract OpenSSL certificates

I have 4 certificates with the following extensions
_com-bundle.pem
_com.der
_com.p7b
_com.pem
In my internal tool i need to add the SSL Cert and SSL key.
How can i merge/extract the correct cert and key from the above extensions?
i've tried the bellow command
openssl x509 -inform DER -in *_com.pem -outform PEM -out cert.pem
but i've received and error that the key file is incorrect

Converting cer or pem file to p12 (ERROR: Could not read private key from -inkey file)

I bought a (E-mail ID Business (S/MIME)) certificate from certum, hoping to use to sign pdf files more affordable.
They have send me the files in plain(pem) and in binary(cer).
Here is the file list I downloaded:
Certificate chain Certum Digital Identification CA SHA2.cer
Certificate chain Certum Digital Identification CA SHA2.pem
Certificate chain Certum Trusted Network CA.cer
Certificate chain Certum Trusted Network CA.pem
Certificate.cer
Certificate.pem
I tried to use below command to create p12 file.
"openssl.exe" pkcs12 -export -in D:\xampp_data\MIME\Certificate.cer -inkey D:\xampp_data\MIME\Certificate.cer -out Certificate.p12 -name "MyCert" -password pass:MyCert
When using the command with D:\xampp\php\extras\openssl\openssl.exe, windows 11 console does not gives any error. And there is no output file too.
When using the command with C:\Program Files\OpenSSL-Win64\bin\openssl.exe, windows 11 console gives below error. Win64 OpenSSL v3.0.5 Light
D:\xampp_data\MIME>"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -in D:\xampp_data\MIME\Certificate.cer -out Certificate.p12 -name "MyCert" -password pass:MyCert
Could not read private key from -in file from D:\xampp_data\MIME\Certificate.cer

Unable to Generate .pfx File For Azure App

We are trying to update an SSL certificate in our Azure Web App. Accordingly to the Private Certificate Requirements we need to use triple DES for a private key now. Here's are steps that I'm doing:
Generate private key on my PC using triple DES:
openssl genrsa -des3 -out privatekey.key 2048
Generate csr:
openssl req -new -key privatekey.key -out mycsr.csr
Re-key certificate on Godaddy Portal.
Using new crt-file generate a pfx:
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in mycert.crt
Unfortunately, generated certificate is not accepted by Azure portal. I'm getting an error message "The password is incorrect, or the certificate is not valid".
Ubuntu 22.04 uses a yescrypt hashing algorythm. Try to generate the pfx on

I received .crt .pem and .p7b file from GoDaddy to setup SSL. How can I generate a .pfx file from them using openssl

I received .crt .pem and .p7b file from GoDaddy to setup SSL. How can I generate a .pfx file from them using openssl
It appears you are after a PKCS#12 file. In this case you should be able to do something like so:
openssl pkcs12 -export -in your.crt -inkey your.pem -out resulting.pfx
options are pretty self-explanatory. Depending on whether your source key is password-protected you might also need to supply that via -passin/-passout values

Two Way SSL Authentication in NodeJS

I am trying to integrate with a 3rd party API using two way SSL authentication. The documention provided by them is for JAVA and I am using NodeJS. I am new to this and really grasping at straw here. In document it is mentioned to generate a self signed certificate and use private key of that certificate with the public cetificate from them to create a PKCS 12 file and use it to call the API.
Below is the excerpt from the documentation to
Create a self signed certificate
keytool -genkey -keyalg RSA -alias <aliasName>-keystore selfsigned.jks -validity <days> -keysize 2048
Import JKS to key store
KeyDBs could be any format PFX, JKS or P12. Listing the certificates from > the Keystores, Go to bin directory of Java library, It should have a Private-> Cert entry in the List of the certificates.
Keytool -list -v -keystore <Keystore Name>
If the KeyDB is not present create a Keydb using the Private key and Public Certificate provided through openSSL.
Create P12 from key
openssl pkcs12 -export -in mycert.crt -inkey <mykey.key> -out mycert.p12 -name tomcat -CAfile <myCA.crt> -caname root –chain
Create JKS from P12
keytool -v -importkeystore -srckeystore <key.p12> -srcstoretype PKCS12 -destkeystore <key.jks> -deststoretype JKS
To Verify: KeyDBs could be any format PFX, JKS or P12. Listing the certificates from the Keystores, Go to bin directory of Java library, It should have a Private-Cert entry in the List of the certificates.
Keytool -list -v -keystore <Keystore Name>
I am facing problem in creating the PKCS 12 file. I created self signed certificate using openssl (provided with git) via below mentioned commmands
Creating request and private key
openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.key -out certificatereq.cer
Creating Certificate using the request and key
openssl x509 -req -days 365 -in certificatereq.cer -signkey privatekey.key -out selfsigned.crt
Upon creation of certificate I used it to create PKCS 12 file as mentioned in documentation above via below mentioned command
openssl pkcs12 -export -in selfsigned.crt -inkey privatekey.key -out outpkcs12file.p12 -name myname -CAfile thirdpartypublic.crt -caname mycaname -chain
but getting the error Error self signed certificate getting chain. I tried by installing the self signed certificate in my system also and getting the same error. If I remove the -chain (not sure what it does, but found few commands without -chain) agrument there is no output in terminal. The third party's certificate is CA signed.

Resources