I know how to generate a .jks file from .crt & .key file . But the ssl that I have received contains three file (.crt,.p7b ,ca bundle file). How would I generate .jks file from these file for tomcat. Thanks in advance
Try sth like this:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Related
I have generated pem and csr files using the below command.
openssl req -newkey rsa:2048 -keyout key.pem -out req.csr
After this, I sent csr file to the authority and got p7b certificate.
Now, I tried to convert p7b file to p12 format with the below commands.
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -out certificate.p12 -inkey key.pem -in certificate.cer
However, it gives the below error.
No certificate matches private key
error in pkcs12
How can I convert p7b file into p12 file format?
I think you must call privatekey file
openssl pkcs12 -export -inkey privateKey.key -out certificate.p12 -inkey key.pem -in certificate.cer
I tried installing SSL certificate I purchased from Godaddy (CN = my domain) following below steps. And after the last step I did a GREP search for .jks in repository/conf directory and replaced all keystore configs (wso2carbon.jks) to my JKS and password. Restarted the server. It started giving a bunch of errors and server not started properly.. But when I changed ONLY catalina_server.xml's configuration and undo all others, it started and SSL was working only for 9443 port but when I checked the cert installation from a SSL checker tool, it said cert was not installed properly. And even API gateway endpoints were not working with SSL (browser rejects cert) and it was port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create CSR - copy output and submit to Go Daddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the Certificates for tomcat you will get below certificates.
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join root and intermediate certificate
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias keys -deststorepass -destkeypass
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create pkcs12 keystore
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create JKS from pkcs keystore.
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract key file to add client keystore
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add key to client-truststore.jks
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon
This is a little bit of an unusual situation. I have a CentOS 7 server running tomcat 7 and I need to install a new SSL cert for it. I don't have control over the domain so the cert generated for me was given to me by the parent company and it's for a start cert (*.domain.com). Even though I sent them a csr, they ignored it and made a new one for me. The package they sent has a csr file, key, two formats of the cert (crt and p7s), and an intermediary pem.
I'm trying to create a new keystore using these files and am having difficulty doing it. I found this site https://makandracards.com/jan0sch/24553-import-private-key-and-certificate-into-java-keystore and have tried:
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
I changed the CAfile to use the pem file supplied, but I get "unable to load certificates"
Anyone have any ideas?
EDIT:
I used this to make the p12 and then import it in the keystore but I don't know how to include the intermediate cert.
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile my.crt -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
EDIT2:
I'm trying this command to get a pfx file and then
EDIT3:
My intermediate cert had a bunch of spaces preceding the "-----BEGIN CERTIFICATE-----" which was causing an error.
Looks like all I had to do was this:
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile intermediary.pem -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
Didn't even need to put in the intermediate cert.
I want to use GnuTLS certtool to convert a PEM public and private key to a PKCS12 pfx bundle. I don't have openssl available to me on the target system. The equivalent command with openssl is:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
$ certtool --load-certificate certificate.pem --load-privkey certificate.pem --to-p12 --outder --outfile certificate.pfx
I am trying to import a certificate and a key file into the keystore but I'm unable to do that.
How can I create a keystore by importing both an existing certificate (abc.crt) and abc.key files?
The easiest is probably to create a PKCS#12 file using OpenSSL:
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12
You should be able to use the resulting file directly using the PKCS12 keystore type.
If you really need to, you can convert it to JKS using keytool -importkeystore (available in keytool from Java 6):
keytool -importkeystore -srckeystore abc.p12 \
-srcstoretype PKCS12 \
-destkeystore abc.jks \
-deststoretype JKS
You must use OpenSSL and keytool.
OpenSSL for CER & PVK file > P12
openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12
Keytool for p12 > JKS
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
Adding to #MK Yung and #Bruno's answer.. Do enter a password for the destination keystore. I saw my console hanging when I entered the command without a password.
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12 -name localhost -passout pass:changeit
In addition to #Bruno's answer, you need to supply the -name for alias, otherwise Tomcat will throw Alias name tomcat does not identify a key entry error
Sample Command:
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name localhost
Ideally you should have received 3 files:
ca_bundle.crt yourname.crt yourname.key
Use the following command to create the pk cs 12 version of it with:
openssl pkcs12 -export -out yourname.pfx -inkey yourname.key -in yourname.crt -certfile ca_bundle.crt
Then you will need to import it into key store that is easy to configure in Apache
keytool -importkeystore -srckeystore yourname.pfx -srcstorepass yourpassword -srcstoretype pkcs12 -destkeystore yourkeystore.jks -deststoretype jks -deststorepass yourkeystorepassword
If the keystore is for tomcat then, after creating the keystore with the above answers, you must add a final step to create the "tomcat" alias for the key:
keytool -changealias -alias "1" -destalias "tomcat" -keystore keystore-file.jks
You can check the result with:
keytool -list -keystore keystore-file.jks -v