Hi all I have a keystore A and want to create a truststore B now all the certficiates are stored in A, I assume I would have to extract each certificate in their own .crt file and then
keytool -import -file C:\cascerts\firstCA.cert -alias firstCA -keystore myTrustStore
for each certificate this can be quite a chore, is there any easier way that given a keystore A create a truststore B?
Related
I have IIS server with pfx containing L1K cert. I need to request a new L1M cert for it, AND will need to also be able to import the returning cert to a java keystore as the URL in question will move from IIS to Apache Tomact.
Help!
I think I found the way to do this.
*credit to this site:
https://www.jamf.com/jamf-nation/discussions/4646/converting-a-windows-pfx-or-windows-pkcs12-keystore-to-a-jks-keystore
1 - use keytool to import PFX into JKS
keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore .jks -deststoretype JKS
2 - get details such as Alias from PFX file
keytool -v -list -storetype pkcs12 -keystore .pfx
3 - generate CSR file from new JKS file
keytool -certreq -alias -keystore .jks -file .csr -storepass
So far the resulting CSR files are validated successfully by my CA Authority's online tool.
I know I may use
keytool -delete -alias alias -keystore .keystore
to remove some certificates from certificate storages. But I've got 109 certificates stored in cacerts: keytool -list result
How to remove them with one command? Or, in other words, how do you clear cacerts storage?
There is no one command from keytool to delete all the entries in a keystore. You have to do a few workarounds to achieve this.
You can do it either by writing a simple Java code using the KeyStore api:
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(new FileInputStream(new File("KEYSTORE_PATH")), "changeit".toCharArray());
Enumeration<String> aliases = ks.aliases();
while (aliases.hasMoreElements())
{
String alias = aliases.nextElement();
ks.deleteEntry(alias);
}
ks.store(new FileOutputStream(new File("KEYSTORE_PATH")), "changeit".toCharArray());
(Or)
Create a similar store, since you already know the type of cacerts keystore (minor workaround here).
Create a KeyStore with a keypair initially when creating the cacerts keystore file.
keytool -genkeypair -keystore cacerts -storepass changeit
Delete the initially create key pair entry.
keytool -delete -keystore cacerts -storepass changeit -alias mykey
Since the cacerts is the default keystore, you don't specify the other attributes in the keytool command, let java handle the default values for you. Now you should have an empty cacerts keystore.
https://docs.oracle.com/cd/E19683-01/817-2874/6migoia18/index.html
This worked for me:
sudo keytool -delete -alias cacertName -keystore $JAVA_HOME/lib/security/cacerts
No mentioning that you must know the keystore password of the cacert you are going to delete, otherwise you could not delete it.
I want to retrieve the csr file from jks or cer file (have lost the .csr file). Please let know if it's possible from keytool command.
You cannot generate a certificate request from a certificate file. You can only do it for a KeyPair that is in your keystore (jks). You can run this keytool command to generate a csr (pkcs#10)
keytool -certreq -keystore [KEYSTORE_PATH] -storepass [KEYSTORE_PASSWORD] -alias [KEYPAIR_ALIAS] -file [CSR_FILE]
You can see the content of the csr you generated by using the below command.
keytool -printcertreq -file [CSR_FILE]
I am using self signed certificate for HTTPS connection to and from Axis2 server. All of these connections works fine and as desired.
There is a part in my web service which is responsible for sending emails. I am using GMail for the purpose of sending mail.
The problem is when I try to send a mail using an SSL connection I get certificate error, i.e. GMail certificate is not trusted. I had faced a similar problem with JBoss as well. For once I was able to get around this problem downloading GMail certificate and than importing it into the Keystore using Keytool utility. For a long time this had worked.
But only recently I have started to get the Old problem again. I tried to use the old technique that fixed the problem last time, but this time that did not work. (not sure why)
I reckon that GMail uses a signed certificate which out of the box should be trusted by any of the servers, let it be JBoss or Axis2. I fail to figure out what the problem actually is. Is it because of using of Self Signed certificate? Or are there any specific way of creating it so that the Signed certificates are trusted?
Thanks for the help.
To have a SSL encrypted Server/Client communication we need to Keystores and Truststore for Server & Client. Following are the steps to create them.
#Creating Server keystore and exporting a certificate
keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass changeit -keypass changeit -dname "CN=test.com, OU=Test, O=Test, L=London, ST=London, C=UK"
keytool -export -alias serverkeys -keystore server.keystore -storepass changeit -file server.cer
#Creating Client keystore and exporting a certificate
keytool -genkey -alias clientkeys -keyalg RSA -keystore client.keystore -storepass changeit -keypass changeit -dname "CN=test.com, OU=test, O=test, L=London, ST=London, C=UK"
keytool -export -alias clientkeys -keystore client.keystore -storepass changeit-file client.cer
#Making a copy of cacerts file. These copies will be used for client/server truststore
cp /usr/java/jdk1.6.0_14/jre/lib/security/cacerts client.truststore
cp /usr/java/jdk1.6.0_14/jre/lib/security/cacerts server.truststore
#Copying server certificate to Client truststore
keytool -import -trustcacerts -v -keystore client.truststore -storepass changeit -file server.cer
#Copying Client certificate to Server truststore
keytool -import -trustcacerts -v -keystore server.truststore -storepass changeit -file client.cer
During the first few iteration I was not using cacert but directly create truststores from the certificate and that too worked well. Problems came up when we need to connect to some other services using SSL and connection could not be establised even when the service used a Signed Certificate.
For example connecting to GMail SMTP server would faile if the truststore were not created up from cacerts. Reason being even though GMail uses a signed certificate, we wold be using a truststore that would not know if the GMail certificate can be trusted. For this reason we used cacerts to create out truststore. After which we were able to connector any service that uses a Signed Certificate.
If in case we encounter a unsigned certificate we will then have to add them to the Components Truststore.
I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
The server must have its own certificate, clients don't need one.
I started with this
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
To generate key for the server and a self signed certificate.
To sum it up:
Create a new keystore and self-signed certificate with corresponding public/private keys.
keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
Export and examine the self-signed certificate.
keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
Import the certificate into a new truststore.
keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
Then in my server code I do
System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
Socket s = sslServerSocket.accept();
I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
Can it be a problem with the certificate? When using -validity in keytool the certificate gets self-signed, so it should work if I'm not wrong.
Reading the docs seems that setting the property "javax.net.ssl.keyStore" is sufficient for the SSLContext to setup correctly. Any suggestion?
I messed up things a little, complete solution is here: https://forums.oracle.com/forums/thread.jspa?threadID=1531716