PKCS12 to JKS conversion in WebLogic - ssl-certificate

For a Spring Boot application we are using PKCS12 and then converting to JKS for certificate renewal. But in WebLogic, why is the PKCS12 to JKS conversion not working? Does anyone have an idea?
Is there any way to create a PKCS12 and convert it to JKS in WebLogic?
The P12 to JKS conversion is not accepted in WebLogic. Why?

Related

BouncyCastle FIPS: getting StackOverFlowError when converting default keystore from JKS to BCFKS

So I am working on a FIPS-compliant Java base image with JDK 11. The requirement was to convert the default keystore from JKS to BCFKS.
This is my java.security setting:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.4=SunRsaSign
security.provider.5=SunEC
security.provider.6=SunJSSE BCFIPS
security.provider.7=SunJCE
security.provider.8=SunJGSS
security.provider.9=SunSASL
security.provider.10=XMLDSig
security.provider.11=SunPCSC
security.provider.12=JdkLDAP
security.provider.13=JdkSASL
security.provider.14=Apple
security.provider.15=SunPKCS11
#
# Default keystore type.
#
keystore.type=BCFKS
So when I try to convert the default keystore from JKS to BCFKS with the following command:
keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts.orig -srcstoretype JKS \
-srcstorepass changeit -destkeystore /etc/ssl/certs/java/cacerts -deststorepass changeit \
-deststoretype BCFKS -providerClass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
--providerpath /usr/lib/jvm/java-11-openjdk-amd64/jar/bc-fips-1.0.2.3.jar
I get the following error:
Exception in thread "main" java.lang.StackOverflowError
at java.base/java.util.Dictionary.<init>(Dictionary.java:55)
at java.base/java.util.Hashtable.<init>(Hashtable.java:239)
at java.base/java.util.Properties.<init>(Properties.java:206)
at java.base/java.util.Properties.<init>(Properties.java:174)
at java.base/java.security.Provider.<init>(Provider.java:262)
at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:138)
at java.base/sun.security.ssl.SunJSSE.<init>(SunJSSE.java:126)
at java.base/com.sun.net.ssl.internal.ssl.Provider.<init>(Provider.java:52)
at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:183)
at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
at java.base/sun.security.jca.ProviderList.getIndex(ProviderList.java:296)
at java.base/sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:280)
at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:286)
...
When I remove "BCFIPS" in provider.6, the error is gone, but I do need it there for SSL to load BCFIPS as the provider.
The same settings worked fine for my colleagues, but a notable difference is that they use JDK 8. Not sure if that's the reason.
Also I saw https://github.com/bcgit/bc-java/issues/1000, which describes exactly the same issue as mine; unfortunately the workaround didn't work for me and there was no follow-up.
I've been stuck with this for days... HELP appreciated! Thank you!
I tried the settings mentioned above and the keytool command, expecting the keystore type to be converted correctly from JKS to BCFKS, but the StackOverflowError happened.

kafka 2 way ssl authentication

I am trying to set up two-way SSL authentication. My requirement is that the broker should authenticate only specific clients.
My organization has a CA which issues all certificates in PKCS12 format. The steps I followed are as follows.
Got a certificate for the broker and configured it in the broker keystore:
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
ssl.client.auth=required
Got a certificate for the client and configured it in the client keystore:
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
Extracted the public certificate from the client certificate using the keytool command:
keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
Imported the certificate into the broker truststore. The broker truststore contains only the client 12345 certificate:
keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
Configured the truststore in the broker:
ssl.truststore.location=/home/kafka/truststore.p12
ssl.truststore.password=xxxxx
Configured the truststore in the client. The client truststore contains the CA certificates:
ssl.truststore.location=/etc/pki/java/cacerts
ssl.truststore.password=xxxxx
When I run the broker and client I expect the broker to authenticate the client and establish the SSL connection, but instead the following error is thrown:
[2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake message: server_hello
I tried various things but nothing seems to work. When I replace the broker truststore with the /etc/pki/java/cacerts truststore file, which contains only the CA certificate,
then it works fine. But it will authenticate any client which has a certificate issued by the CA.
What could be the issue?
The default format is JKS;
use keytool to create a Java KeyStore (JKS) with the certificate and key for use by Kafka. You'll be prompted to create a new password for the resulting file as well as enter the password for the PKCS12 file from the previous step. Hang onto the new JKS password for use in configuration below.
$ keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12 -alias myserver.internal.net
Note: It's safe to ignore the following warning from keytool.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12"
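For the two-way SSL setup in the question above, the check a practitioner runs before changing any Kafka property is to replay the client-certificate step of the handshake offline, from both peers' points of view, with the same JSSE factories the broker and client are built on: which alias the client's key manager would present for the issuer names the broker advertises (a SunJSSE server derives the TLS 1.2 CertificateRequest issuer list from its trust manager's accepted issuers), and whether the broker's PKIX trust manager would accept the client's chain. This is an added example, not code from the question, the answer, or Kafka itself; the file paths and the alias 12345 are the ones in the question, the passwords are placeholders, and the usage line is an assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

// Added example: replays the client-certificate step of a two-way TLS handshake offline,
// from both peers' points of view, using the JSSE factories the broker and client use.
// Assumed usage (paths and alias from the question, passwords are placeholders):
//   java MtlsTrustCheck /home/kafka/certificate.p12 xxxxx 12345 /home/kafka/truststore.p12 xxxxx
public class MtlsTrustCheck {

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    // Broker's view: the PKIX trust manager that ssl.truststore.location feeds.
    static X509TrustManager brokerTrustManager(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Client's view: the key manager that the client's ssl.keystore.location feeds.
    static X509KeyManager clientKeyManager(KeyStore keystore, char[] keyPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPw);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        }
        throw new IllegalStateException("no X509KeyManager available");
    }

    // Issuer names a SunJSSE server puts in its TLS 1.2 CertificateRequest: the subjects of
    // the trust manager's accepted issuers, i.e. of every certificate in the truststore.
    static List<Principal> advertisedIssuers(X509TrustManager brokerTm) {
        List<Principal> issuers = new ArrayList<>();
        for (X509Certificate anchor : brokerTm.getAcceptedIssuers()) {
            issuers.add(anchor.getSubjectX500Principal());
        }
        return issuers;
    }

    // Client side: the alias the key manager would present for those names. null means the
    // client sends no certificate, which a broker with ssl.client.auth=required rejects.
    static String aliasClientWouldOffer(X509KeyManager km, List<Principal> issuers) {
        return km.chooseClientAlias(new String[] {"RSA", "EC"}, issuers.toArray(new Principal[0]), null);
    }

    // Broker side: does PKIX validation against the truststore accept the client's chain?
    static boolean brokerAccepts(X509TrustManager brokerTm, X509Certificate[] chain) {
        try {
            brokerTm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            System.out.println("broker rejects chain: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: MtlsTrustCheck <client.p12> <client-pw> <client-alias> <truststore.p12> <truststore-pw>");
            System.exit(2);
        }
        char[] clientPw = args[1].toCharArray();
        KeyStore clientKs = load(args[0], clientPw);
        Certificate[] raw = clientKs.getCertificateChain(args[2]);
        if (raw == null) {
            System.err.println("alias " + args[2] + " is not a key entry in " + args[0]);
            System.exit(1);
        }
        X509Certificate[] chain = new X509Certificate[raw.length];
        for (int i = 0; i < raw.length; i++) chain[i] = (X509Certificate) raw[i];

        X509TrustManager brokerTm = brokerTrustManager(load(args[3], args[4].toCharArray()));
        List<Principal> issuers = advertisedIssuers(brokerTm);
        System.out.println("client cert subject : " + chain[0].getSubjectX500Principal());
        System.out.println("client cert issuer  : " + chain[0].getIssuerX500Principal());
        System.out.println("broker advertises   : " + issuers);
        System.out.println("alias client offers : " + aliasClientWouldOffer(clientKeyManager(clientKs, clientPw), issuers));
        System.out.println("broker accepts chain: " + brokerAccepts(brokerTm, chain));
    }
}
```

Read the last two lines together. SunJSSE's PKIX validator accepts an end-entity certificate that is itself a trust anchor, so a truststore holding only the client's certificate passes the broker-side check on its own; the client-side line then shows whether the key manager finds a certificate in the client keystore whose issuer is among the advertised names, because with none it presents no certificate at all. Whether a CertificateRequest carries an issuer list depends on the protocol version and JDK build, so the client-side line models the TLS 1.2 exchange.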

Importing the pem certificate into jmeter test plan

Currently I am doing the API load test using LoadRunner, where mTLS is implemented on the server side. I am also able to include the certificates (2 PEM files) using the web_set_certificate_ex function by passing the certificate paths (clientA-crt.pem and clientA-key.pem); the calls work perfectly fine.
Now we are planning to use JMeter for load testing. As a first step, I converted PEM into P12 format using the following command:
openssl pkcs12 -export -out Cert.p12 -in clientA-crt.pem -inkey clientA-key.pem -passin pass:root -passout pass:root
https://www.ibm.com/support/knowledgecenter/en/SSPH29_9.0.3/com.ibm.help.common.infocenter.aps/t_ConvertthepfxCertificatetopemFormat068.html
Then in the next step I am converting Cert.p12 into a Java keystore using the following command:
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root123 -keystore dex.jks -storepass root111
https://www.blazemeter.com/blog/how-set-your-jmeter-load-test-use-client-side-certificates/
The below error is encountered:
Importing keystore Cert.p12 to dex.jks...
keytool error: java.io.IOException: keystore password was incorrect
Can someone let me know where I am going wrong?
Contents of clientA-crt.pem
-----BEGIN CERTIFICATE-----
some alphanumeric values
-----END CERTIFICATE-----
Contents of clientA-key.pem
-----BEGIN RSA PRIVATE KEY-----
some alphanumeric values
-----END RSA PRIVATE KEY-----
You don't need to convert the PKCS12 keystore into a JKS keystore; JMeter can deal with both types. Moreover, it's recommended to use PKCS12, as JKS is a proprietary format. You just need to "tell" JMeter to use the PKCS12 format via the system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=Cert.p12
javax.net.ssl.keyStorePassword=root
If you want to use the .jks type for any reason, you need to provide the same password as you specified during the keystore creation:
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root -keystore dex.jks -storepass root111
It might be easier to use a GUI-based tool like KeyStore Explorer if you are not too familiar with OpenSSL and Keytool command-line utilities.
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
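The keytool error in the question ("keystore password was incorrect") and the point of this answer (the PKCS12 store password is the -passout value, root, not root123) are what the following added example makes checkable before editing system.properties or retrying keytool -importkeystore. It is not code from the question or the answer; it opens a store with a candidate password through the KeyStore API and reports, per alias, whether the key is recoverable with that same password, which is the value to give -srcstorepass, -srckeypass or javax.net.ssl.keyStorePassword. The usage line is an assumption.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Added example: report which password a keystore and its key entries accept.
// Assumed usage: java KeystoreProbe Cert.p12 PKCS12 root
public class KeystoreProbe {

    // One line per alias, preceded by a line saying whether the store opened at all.
    public static List<String> probe(String path, String type, char[] password) throws Exception {
        List<String> report = new ArrayList<>();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        } catch (IOException e) {
            // Both the JKS and the PKCS12 implementations surface a wrong store password as an
            // IOException (keytool prints it as "keystore password was incorrect"); a missing
            // file lands here too, with its own message.
            report.add("store NOT opened: " + e.getMessage());
            return report;
        }
        report.add("store opened (" + type + "), entries: " + ks.size());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                report.add(alias + ": trusted certificate entry (no key password)");
                continue;
            }
            try {
                // A PKCS12 written by openssl protects the key with the -passout password, so the
                // store password normally recovers it; JKS allows a different per-key password.
                Key key = ks.getKey(alias, password);
                report.add(alias + ": key entry (" + key.getAlgorithm() + "), recoverable with the store password");
            } catch (UnrecoverableKeyException uke) {
                report.add(alias + ": key entry, NOT recoverable with the store password (needs -srckeypass / -destkeypass)");
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreProbe <file> <PKCS12|JKS> <password>");
            System.exit(2);
        }
        for (String line : probe(args[0], args[1], args[2].toCharArray())) {
            System.out.println(line);
        }
    }
}
```

Run it once with the password used at creation time and once with the one you were about to configure; the first line of the report tells the two apart without a stack trace.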

Import .pfx Certificate with Keytool is not working

Right now I am securing my installation of Elasticsearch using SSL.
The guide mentions securing the endpoint by importing an X.509 certificate using the following keytool command:
keytool -importcert -keystore node01.jks -file cacert.pem -alias my_ca
The problem is that I have a .pfx file generated by a CA. If I pass the .pfx file, keytool bombs, saying:
Input not an X.509 certificate.
How can I fix this? Is there a way to convert the .pfx into a .pem certificate?
You can do so easily using the following command:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
You can also name the output certificate certificate.pem if you wish. PEM certificates can usually have any of the following extensions: .pem, .crt, .cer, and .key

Convert certificate in BIN format to X509 format

I have read this good article on running Tomcat in HTTPS and implemented it.
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
It is working fine and my Tomcat is running in HTTPS mode.
But the problem is I got the certificate in BIN format. I need it in X509 format so that I can use it as a raw resource for my Android project.
I used the Java keytool to create it. Can I use OpenSSL to convert it into X509 format, or is the Java keytool sufficient?
I am new to this security stuff.
Please point me in the right direction and clear my doubts.
I think keytool already handles certificates in X509 format only. You should have generated a .keystore file. You can export a certificate from it using the command:
keytool -export -alias mycert -keystore mykeystore.bin -file certificatefile.cer
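Two posts above want the same thing from a keystore container: the .pfx question needs an X.509 certificate in PEM for keytool -importcert (which refuses the PKCS12 file itself), and this answer's keytool -export writes the certificate in binary DER unless -rfc is given. The following added example, not code from either post, reads a PKCS12 or JKS store through the standard KeyStore API and writes each alias's certificates as PEM plus the end-entity certificate as DER. Unlike the openssl pkcs12 -nodes command in the .pfx answer, which also writes the private key unencrypted into the same output file, only certificates leave the store here. The store type argument, file names and output directory are assumptions.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Base64;
import java.util.Enumeration;

// Added example. Assumed usage: java PemExport certificate.pfx PKCS12 <password> out/
// (for a keytool-made store: java PemExport mykeystore.bin JKS <password> out/)
public class PemExport {

    // PEM is the DER encoding, base64 in 64-character lines, between BEGIN/END markers.
    public static String toPem(Certificate cert) throws CertificateEncodingException {
        Base64.Encoder mime = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN CERTIFICATE-----\n"
                + mime.encodeToString(cert.getEncoded())
                + "\n-----END CERTIFICATE-----\n";
    }

    // Certificates belonging to an alias: the full chain for a key entry (index 0 is the
    // end-entity certificate, later entries its issuers), the single certificate otherwise.
    public static Certificate[] certificatesOf(KeyStore ks, String alias) throws Exception {
        if (ks.isKeyEntry(alias)) {
            return ks.getCertificateChain(alias);   // null for key entries without a chain
        }
        Certificate c = ks.getCertificate(alias);
        return c == null ? null : new Certificate[] {c};
    }

    // Writes <alias>.pem (whole chain) and <alias>.der (end-entity only, what keytool -export
    // writes without -rfc) for every alias. Private keys are never read or written.
    public static int export(KeyStore ks, Path outDir) throws Exception {
        Files.createDirectories(outDir);
        int written = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = certificatesOf(ks, alias);
            if (chain == null || chain.length == 0) {
                continue;
            }
            StringBuilder pem = new StringBuilder();
            for (Certificate c : chain) {
                pem.append(toPem(c));
            }
            String base = alias.replaceAll("[^A-Za-z0-9._-]", "_");   // alias as a safe file name
            Files.write(outDir.resolve(base + ".pem"), pem.toString().getBytes(StandardCharsets.US_ASCII));
            Files.write(outDir.resolve(base + ".der"), chain[0].getEncoded());
            written++;
        }
        return written;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PemExport <store> <PKCS12|JKS> <password> <outdir>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        System.out.println("wrote " + export(ks, Paths.get(args[3])) + " alias(es) to " + args[3]);
    }
}
```

The .pem written for the .pfx alias holds the whole chain in order; the certificate to hand to keytool -importcert -alias my_ca is the issuer's, i.e. a later block in that file, and only if the CA included its own certificate in the .pfx (otherwise the CA certificate has to come from the CA). The .der file is the same bytes keytool -export produces for that alias.
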
Yes, of course. You can use OpenSSL to convert the certificate and keys to and from the following formats:
Standard PEM
DER / Binary
PKCS#7 (aka P7B)
PKCS#12 (aka PFX)
In your case, given a private key file and a digital certificate in standard PEM,
convert them both to PKCS12 format using the following steps:
Step 1: Convert the PEMs to a single PKCS12 file
OpenSSL> pkcs12 -export -in CE_cert.cer -inkey CE_prv_key_PEM.key -out pkcs12_KeyStore.p12 -name ce_cert_prv_key
Here's the doc for the OpenSSL PKCS12 command.
Step 2: Import the PKCS12 file created in step 1 into the new JKS
C:\>keytool -importkeystore -srckeystore pkcs12_KeyStore.p12 -srcstoretype pkcs12 -srcstorepass somepass -srcalias ce_cert_prv_key -destkeystore path/to/JavaKeyStore_KS.jks -deststoretype jks -deststorepass somepass -destkeypass somepass
Now that you have the certificate and private key in JKS format, you can use this JKS keystore in Tomcat.
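Every keytool -importkeystore run on this page (the WebLogic question at the top, the JKS-to-BCFKS conversion with the BouncyCastle FIPS provider, the Kafka answer's server.p12 to kafka.server.keystore.jks, and step 2 of this answer) does one thing: copy each entry of a store of one type into a fresh store of another type. The same conversion written against the java.security.KeyStore API, as an added example that is not any poster's code and not WebLogic's, Kafka's or Tomcat's own tooling, makes the moving parts visible: the provider that backs the destination type (registered at run time here instead of through java.security; the class name is the one from the BCFKS question, and its jar is assumed to be on the classpath), the separate store and key passwords, the entries JKS cannot hold, and a read-back check that every certificate survived. It does not diagnose the StackOverflowError in the BCFKS question; it only shows the conversion itself. The usage lines and argument order are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

// Added example. Assumed usage (last argument optional):
//   java KeystoreConvert cacerts.orig JKS changeit cacerts BCFKS changeit org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
//   java KeystoreConvert server.p12 PKCS12 <pw> kafka.server.keystore.jks JKS <pw>
public class KeystoreConvert {

    // Register a provider class at run time; KeyStore.getInstance(type) then resolves the
    // destination type without editing java.security. Assumes the provider jar is on the classpath.
    public static void registerProvider(String providerClass) throws Exception {
        Provider p = (Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance();
        if (Security.getProvider(p.getName()) == null) {
            Security.addProvider(p);
        }
    }

    public static KeyStore load(String path, String type, char[] storePw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePw);
        }
        return ks;
    }

    // Copy every entry into a new store of destType. Private keys are re-protected with
    // destKeyPw (a PKCS12 normally uses the store password as key password, a JKS may not).
    // JKS cannot hold secret keys or key entries without a chain, so those are reported and skipped.
    public static KeyStore convert(KeyStore src, char[] srcKeyPw, String destType, char[] destKeyPw) throws Exception {
        KeyStore dest = KeyStore.getInstance(destType);
        dest.load(null, null);                       // creates an empty in-memory store
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isCertificateEntry(alias)) {
                dest.setCertificateEntry(alias, src.getCertificate(alias));
            } else if (src.isKeyEntry(alias)) {
                Key key = src.getKey(alias, srcKeyPw);
                Certificate[] chain = src.getCertificateChain(alias);
                if (key instanceof PrivateKey && chain != null && chain.length > 0) {
                    dest.setKeyEntry(alias, key, destKeyPw, chain);
                } else {
                    System.err.println("skipped " + alias + ": not a private key with a certificate chain");
                }
            }
        }
        return dest;
    }

    // "alias sha256hex" of the first certificate of every alias, sorted, so two stores of
    // different types can be compared entry by entry (aliases are lower-cased because JKS
    // and PKCS12 treat them case-insensitively).
    public static List<String> fingerprints(KeyStore ks) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);      // chain[0] for key entries
            if (c == null) {
                continue;
            }
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(c.getEncoded())) {
                hex.append(String.format("%02x", b));
            }
            out.add(alias.toLowerCase() + " " + hex);
        }
        Collections.sort(out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 6) {
            System.err.println("usage: KeystoreConvert <src> <srcType> <srcPw> <dest> <destType> <destPw> [providerClass]");
            System.exit(2);
        }
        if (args.length > 6) {
            registerProvider(args[6]);
        }
        char[] srcPw = args[2].toCharArray();
        char[] destPw = args[5].toCharArray();
        KeyStore src = load(args[0], args[1], srcPw);
        KeyStore dest = convert(src, srcPw, args[4], destPw);
        try (FileOutputStream out = new FileOutputStream(args[3])) {
            dest.store(out, destPw);
        }
        // Read the written file back with the destination type and compare certificate digests.
        List<String> before = fingerprints(src);
        List<String> after = fingerprints(load(args[3], args[4], destPw));
        System.out.println(before.equals(after)
                ? "verified: " + after.size() + " entries written to " + args[3] + " as " + args[4]
                : "MISMATCH: " + before.size() + " source vs " + after.size() + " destination entries");
    }
}
```

The source store password is reused as the key password on the source side, which is the usual PKCS12 case; for a JKS source whose keys carry a different password, pass that one where srcKeyPw is taken. The read-back comparison is the programmatic form of the keytool -list you would run after any of the conversions above, and a MISMATCH with skipped aliases on stderr tells you the source held entries the destination type cannot represent.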