Create a keystore with a CA-signed PrivateKeyEntry - ssl

I would like to refresh a small Java keystore, updating dates to 10 years in the future.
My keystore contains 2 entries, seen with keytool -v -list :
Alias name: myCA
Creation date: Feb 5, 2018
Entry type: trustedCertEntry
...
Owner: contains all properties needed for myCA ...
Issuer: same properties as myCA (so self-signed certificate)
...
Alias name: myHost
Creation date: Feb 5, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=myhost, etc ...
Issuer: same properties as myCA
...
Certificate[2]:
Owner: same properties as myCA
Issuer: same properties as myCA
...
I only managed to create 2 entries of type trustedCertEntry in my new keystore; I would like to create a trustedCertEntry and a PrivateKeyEntry.
What commands do I run to create a myCA-signed private key and add it to the new keystore?
PS: will peers which are today validating the myCA self-signed certificate validate the new one if I only use the same properties for myCA? Is that enough?

With patience ....
openssl pkcs12 -export -out temp.p12 -inkey myHost.key -in myHost.crt -certfile myCA.crt
keytool -v -importkeystore -srckeystore temp.p12 -srcstoretype PKCS12 -destkeystore mystore
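The whole refresh, end to end, as an added example (not the asker's or answerer's own commands): it builds a fresh myCA, signs a new myHost key with it, bundles key plus chain into a PKCS#12 as in the answer, and imports it so the keystore ends up with one trustedCertEntry (myCA) and one PrivateKeyEntry (myHost, chain length 2). The subjects, file names, working directory argument and the password "changeit" are assumptions.

```sh
#!/bin/sh
# Added example, not the asker's or answerer's own commands: rebuild a keystore
# that holds a trustedCertEntry for myCA plus a myCA-signed PrivateKeyEntry for
# myHost, valid for 10 years. Subjects, file names and the password are assumed.
set -eu

DAYS=3650
CA_SUBJ="/C=XX/O=Example/CN=myCA"     # reuse the old CA's exact subject
HOST_SUBJ="/C=XX/O=Example/CN=myhost"
PASS=changeit

build_keystore() { # build_keystore <workdir>
  mkdir -p "$1" && cd "$1"
  # 1. The CA. A fresh key gives peers a new CA cert to trust; to keep the old
  #    key pair (same public key), replace "-newkey rsa:2048" with "-key old.key".
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" -subj "$CA_SUBJ" \
    -keyout myCA.key -out myCA.crt 2>/dev/null
  # 2. Host key + CSR, then sign the CSR with the CA (-CAcreateserial makes a serial file)
  openssl req -newkey rsa:2048 -nodes -subj "$HOST_SUBJ" \
    -keyout myHost.key -out myHost.csr 2>/dev/null
  openssl x509 -req -in myHost.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
    -days "$DAYS" -out myHost.crt 2>/dev/null
  # 3. Key + leaf + CA into one PKCS#12 and import it: this becomes the
  #    PrivateKeyEntry with a chain of length 2 (-certfile supplies the CA)
  openssl pkcs12 -export -name myHost -inkey myHost.key -in myHost.crt \
    -certfile myCA.crt -out temp.p12 -passout "pass:$PASS"
  rm -f mystore
  keytool -importkeystore -srckeystore temp.p12 -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore mystore -deststorepass "$PASS" -noprompt
  # 4. The CA certificate on its own becomes the trustedCertEntry
  keytool -importcert -alias myCA -file myCA.crt -keystore mystore \
    -storepass "$PASS" -noprompt >/dev/null
}

# Helpers to verify the result (the same facts "keytool -v -list" shows)
entry_type() { # entry_type <keystore> <alias> -> trustedCertEntry | PrivateKeyEntry
  keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" \
    | sed -n 's/.*, \([A-Za-z]*Entry\),.*/\1/p'
}
chain_length() { # chain_length <keystore> <alias> -> number of certs in the chain
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" \
    | sed -n 's/^Certificate chain length: //p'
}

if [ "$#" -gt 0 ]; then build_keystore "$1"; fi
```

Run it as `sh refresh.sh ./newstore`; afterwards `keytool -v -list -keystore ./newstore/mystore` shows the two entries with the new dates.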

Related

OpenSsl: how to create PFX/P12 without including CA files?

I have a trusted certificate chain, a certificate issued by this chain and private key file for this certificate.
I want to create a P12 / PFX for this, so I can put it as client certificate in the windows store:
openssl pkcs12 -export -nokeys ^
  -certfile mytrustedCertifcates.pem ^
  -inkey myPrivateKey.Key ^
  -in myCertificate.crt ^
  -out myCertificate.P12
Alas, the resulting file contains all trustedCertificates. If I import the P12 in my windows certificate store, I import the complete certificate chain, although they are already in the certificate store.
I also tried options: (from OpenSsl command line utilities, also in -help)
-nocerts don't output certificates.
-clcerts only output client certificates.
Alas, the P12 still contains the complete certificate chain, and importing the P12 imports the complete chain again.
BartonJs gave the answer in a comment (thank you BartonJs!):
leave out the -certfile parameter:
openssl pkcs12 -export -nokeys ^
  -name "some friendly name" ^
  -inkey myPrivateKey.Key ^
  -in myCertificate.crt ^
  -out myCertificate.P12
nokeys: leaves out the PEM password
name: the friendly name that will appear in column friendly name of the winstore
inkey and in are the input certificate with its private key
out is the name of the file to produce.
After importing it in the Windows store (command: certlm.msc), it properly says:
Issued to:
Issued by:
Expiration date
Intended purposes
Friendly name:

Extracting certificate parts to sign file with OpenSSL

I wish to sign a .mobileconfig file using the following command:
openssl smime \
-sign \
-signer your-cert.pem \
-inkey your-priv-key.pem \
-certfile TheCertChain.pem \
-nodetach \
-outform der \
-in ConfigProfile.mobileconfig \
-out ConfigProfile_signed.mobileconfig
I have an SSL certificate which was requested and installed on my machine, and a code-signing certificate which was requested and installed on my machine.
Now which certificate should I be using (code signing or SSL?), and how do I get hold of the your-cert.pem, your-priv-key.pem and TheCertChain.pem files?
Visiting GoDaddy again just gives me a single .pem file, and I do not know which one that even is.
Running openssl x509 -in godaddy.pem -inform pem -noout -text on the .pem from GoDaddy gives the following:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
Validity
Not Before: Jun 29 17:06:20 2004 GMT
Not After : Jun 29 17:06:20 2034 GMT
Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Subject Key Identifier:
D2:C4:****REMOVED FOR BREVITY****:A8:6A:D4:E3
X509v3 Authority Key Identifier:
keyid:D2:C4:****REMOVED FOR BREVITY****D:A8:6A:D4:E3
DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
You'll need to sign with your private key, cert, and chain.
your-cert.pem is the certificate that GoDaddy issued you.
your-priv-key.pem is the private key you generated on your keychain or on the command line to create the CSR.
TheCertChain.pem is GoDaddy's certificate chain; you can find that on their website.
FYI here's example code on how I'm signing a .mobileconfig in Ruby https://github.com/AppBlade/TestHub/blob/master/app/controllers/devices_controller.rb#L31
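The signing command from the question, wrapped so it can be verified and so you can see which certificate actually ended up in the signature. This is an added example, not the asker's or answerer's own code; a constructed self-signed cert stands in for the GoDaddy-issued your-cert.pem (with a real one, TheCertChain.pem is the issuer chain GoDaddy publishes), and the file names follow the question.

```sh
#!/bin/sh
# Added example, not the asker's or answerer's own: sign a .mobileconfig with the
# exact openssl smime invocation from the question, verify it, and inspect which
# certificate did the signing. A constructed self-signed cert stands in for the
# GoDaddy-issued cert; with a real cert, TheCertChain.pem is the issuer chain.
set -eu

sign_profile() { # sign_profile <your-cert.pem> <your-priv-key.pem> <TheCertChain.pem> <in> <out>
  openssl smime -sign -signer "$1" -inkey "$2" -certfile "$3" -nodetach \
    -outform der -in "$4" -out "$5"
}

# Verifies the signature against a trusted root and writes the embedded payload.
# Without -binary, smime -sign canonicalises line endings to CRLF, so the payload
# comes back with CRLF line endings; strip them before comparing with the input.
verify_profile() { # verify_profile <signed.mobileconfig> <trusted-root.pem> <out>
  openssl smime -verify -inform der -in "$1" -CAfile "$2" -out "$3"
}

# Subject (RFC 2253 form) of the first certificate embedded in the signed blob
signer_subject() { # signer_subject <signed.mobileconfig>
  openssl pkcs7 -inform der -in "$1" -print_certs \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Constructed fixture: self-signed signer (cert doubles as the chain) and a
# minimal profile; a real deployment uses the CA-issued cert and its chain here
make_fixture() { # make_fixture <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-signer \
    -keyout "$1/your-priv-key.pem" -out "$1/your-cert.pem" 2>/dev/null
  cp "$1/your-cert.pem" "$1/TheCertChain.pem"
  printf '<?xml version="1.0"?>\n<plist version="1.0"><dict/></plist>\n' \
    > "$1/ConfigProfile.mobileconfig"
}
```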

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I have this problem when I import a certification file into keystore:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
I do this operation:
1) create my keystore on the server:
keytool -genkey -keystore C:\keystore\keystore -alias jboss -keyalg RSA
2) I have domain.pfx and convert it with this command:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key
Now I have 3 new files:
domain.cer
domain_encrypted.key
domain.key
3) In the end, import the domain.cer into C:\keystore\keystore in the jboss alias:
keytool -import -alias jboss -keystore C:\keystore\keystore -file C:\cert\domain.cer
But I have this error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What is the problem?
A keystore comprises two entry types:
Private Key Entry (which binds the private key stored in the keystore with the certificate imported in the keystore). Here, the alias must remain the same which was used when the keystore file was created.
Trusted Entry: this entry comprises all the trusted certificate entries, including the root and intermediate certificates.
If a keystore is bound to a domain in the server.xml file of Tomcat, then it must contain the private key entry.
Now, as per your performed steps, you created a keystore first (a private key got generated in it) and then you tried to import the certificate in keystore. But in the command you didn't use the private key which you converted using openssl; you used the private key which freshly got generated when you generated the keystore.
As you have the domain.pfx with you, you can straight away convert it using the below keytool command:
keytool -importkeystore -srckeystore domain.pfx -srcstoretype pkcs12 -destkeystore name_of_the_keystore_file.jks -deststoretype jks
Note: Make sure the keystore password and the key password remain the same.
Change the alias name as another entry with jboss alias should have already been created.
You can view the truststore and alias name in that by executing -> keytool -list -v -keystore . I am sure it will be resolved.
I had the same issue today. I resolved it by using a different alias when I imported the certificate. So I had alias1 when generating the keystore and alias2 when importing the certificate.
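The check keytool performs before raising "Public keys in reply and keystore don't match", done by hand so you can see which side is wrong before importing. This is an added example, not from the question or the answers; the helper names and the constructed fixture (domain.key/domain.cer belonging together, other.key standing in for the key that `keytool -genkey` created fresh under the alias) are assumptions.

```sh
#!/bin/sh
# Added example (not from the question or its answers): check that the public
# key in the certificate you are about to import as a "reply" is the public key
# of the private key that will sit under the alias; that is the comparison
# keytool makes before printing "Public keys in reply and keystore don't match".
set -eu

# Emit the PEM public key of a cert, a private key, or a keystore alias
pem_pubkey() { # pem_pubkey cert <file> | key <file> | keystore <file> <alias> <storepass>
  case $1 in
    cert)     openssl x509 -in "$2" -noout -pubkey ;;
    key)      openssl pkey -in "$2" -pubout ;;
    keystore) keytool -exportcert -rfc -keystore "$2" -alias "$3" -storepass "$4" \
                | openssl x509 -noout -pubkey ;;
    *)        echo "usage: pem_pubkey cert|key|keystore ..." >&2; return 2 ;;
  esac
}

# SHA-256 of the DER SubjectPublicKeyInfo, so the comparison does not depend on
# how the key was stored (encrypted vs. plain, PKCS#1 vs. PKCS#8, PFX-extracted)
pubkey_fp() {
  pem_pubkey "$@" | openssl pkey -pubin -outform DER | openssl dgst -sha256 \
    | sed 's/^.*= //'
}

# 0 when the certificate belongs to the private key, 1 otherwise
cert_matches_key() { # cert_matches_key <cert.cer> <private.key>
  [ "$(pubkey_fp cert "$1")" = "$(pubkey_fp key "$2")" ]
}

# Constructed fixture: domain.key/domain.cer belong together; other.key is the
# kind of key "keytool -genkey" creates fresh under the alias
make_fixture() { # make_fixture <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=domain \
    -keyout "$1/domain.key" -out "$1/domain.cer" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$1/other.key" 2>/dev/null
}
```

With the page's files, `pubkey_fp cert domain.cer` and `pubkey_fp keystore C:\keystore\keystore jboss <storepass>` print different hashes, which is why the import fails; `pubkey_fp key domain.key` matches the certificate.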

keytool -list shows different aliases for p12 keystore, depending on whether you provide the password

Really weird behaviour on a particular p12 file.
If I run
keytool -list -storetype pkcs12 -keystore my_debug_keystore.p12 -storepass debug
keytool -v -list -storetype pkcs12 -keystore my_debug_keystore.p12 -storepass debug
I get,
Alias name: 1
Creation date: Aug 17, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sixminute, OU=, O=, C=IE
Issuer: CN=sixminute, OU=, O=, C=IE
Serial number: xxxxxxxxxxxxxxxxx
Valid from: Wed Nov 07 13:34:40 GMT 2012 until: Sun Nov 08 13:34:40 GMT 2037
Certificate fingerprints:
MD5: xxxxxxxxxxxxxxxxx
SHA1: xxxxxxxxxxxxxxxxx
Signature algorithm name: SHA1withRSA
Version: 3
and
Your keystore contains 1 entry
1, Aug 17, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): xxxxxxxxxxxxxxxxx
However, if I don't provide the password in the commands,
keytool -list -storetype pkcs12 -keystore my_debug_keystore.p12
keytool -v -list -storetype pkcs12 -keystore my_debug_keystore.p12
the output is different,
Alias name: 2
Creation date: Aug 17, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sixminute, OU=, O=, C=IE
Issuer: CN=sixminute, OU=, O=, C=IE
Serial number: 2d36623161363935353a31336165303361636133313a2d38303030
Valid from: Wed Nov 07 13:34:40 GMT 2012 until: Sun Nov 08 13:34:40 GMT 2037
Certificate fingerprints:
MD5: xxxxxxxxxxxxxxxxx
SHA1: xxxxxxxxxxxxxxxxx
Signature algorithm name: SHA1withRSA
Version: 3
and
Your keystore contains 1 entry
2, Aug 17, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): xxxxxxxxxxxxxxxxx
Specifically a different alias for the same key (the MD5 and SHA1 are still the same for the keys).
Any idea at all why this would be the case?
Aliases are not quite a PKCS 12 concept. There is a Friendly Name attribute but it is very optional. So I would guess that Java is just making up the Alias names it reports. No idea why it would be different though, as the safe bag order should be the same.

SSL Certificate: How to display country and state information?

When creating CSR, since the conf can take country and state info, I assume it will be embedded in the certificate. If so, how to display it after the certificate is signed? I tried "$ openssl x509 -in foo.crt -noout -text" but seems the information is not there. I also checked "-help". Any other way to print? Thanks a lot.
More found: it seems country and state information is removed when CSR is signed, correct?
For example, this is what I observe.
$ openssl req -text -noout -in server.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: DC=..., DC=..., C=..., ST=..., L=..., O=..., OU=..., CN=...
...
$ openssl x509 -text -noout -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=..., DC=..., O=..., OU=..., CN=...
Validity
Not Before: Dec 5 22:05:21 2013 GMT
Not After : Dec 5 22:05:21 2015 GMT
Subject: DC=..., DC=..., O=..., OU=..., CN=...
As seen, the fields "C", "ST" and "L" in the Subject are missing in the certificate.
You would use the same command you are already using (if you only care about subject information, you could use openssl x509 -subject -noout -in server.crt, replacing -text with -subject). The problem in your case is that, as you noted, the city and state information was removed by the signer. What information to place into the certificate is ultimately the prerogative of the issuer.
Country and state information is under Subject and in C and ST field respectively.
As per my knowledge, issuer does not remove any information present in CSR.
Display the contents of an SSL certificate:
openssl x509 -in certificate.crt -text -noout