Check duplicate certificates in a truststore - ssl-certificate

I'm working on an import and a solution to avoid duplicate certificates in a trust store.
I see that using keytool we can import the same certificate multiple times by giving a unique alias name. This will create duplicate certificates in a trust store, and I wanted to know a solution to avoid duplicate certs in the trust store by validating during the certificate import?
Please help.
Thanks,
KP
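One way to add the import-time check asked about above, as an added example that is not from the original thread: load the truststore with the `java.security.KeyStore` API, hash the DER encoding of every stored certificate, and refuse the import when the candidate's hash matches an existing entry regardless of alias. The class name `TrustStoreDedup`, the argument order, the `JKS` store type and the use of SHA-256 as the comparison fingerprint are this example's own choices.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;

public class TrustStoreDedup {
    /** SHA-256 over the DER encoding; identical bytes mean the same certificate, whatever the alias. */
    static byte[] fingerprint(Certificate c) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
    }

    /** Returns the alias of an identical certificate already in the store, or null if there is none. */
    static String findDuplicate(KeyStore ts, Certificate candidate) throws Exception {
        byte[] want = fingerprint(candidate);
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate stored = ts.getCertificate(alias); // trustedCertEntry, or a key entry's own cert
            if (stored != null && MessageDigest.isEqual(want, fingerprint(stored))) {
                return alias;
            }
        }
        return null;
    }

    /** Usage (hypothetical CLI): java TrustStoreDedup <truststore.jks> <storepass> <cert.cer> <newAlias> */
    public static void main(String[] args) throws Exception {
        Path storePath = Path.of(args[0]);
        char[] pass = args[1].toCharArray();
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(storePath)) {
            ts.load(in, pass);
        }
        Certificate candidate;
        try (InputStream in = Files.newInputStream(Path.of(args[2]))) {
            candidate = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String existing = findDuplicate(ts, candidate);
        if (existing != null) {
            System.err.println("Refusing import: identical certificate already stored under alias '" + existing + "'");
            System.exit(1);
        }
        // Overwrites a trusted-cert entry with the same alias; throws KeyStoreException if the alias holds a key.
        ts.setCertificateEntry(args[3], candidate);
        try (OutputStream out = Files.newOutputStream(storePath)) {
            ts.store(out, pass);
        }
    }
}
```

Comparing the full DER encoding rather than the subject name means a renewed certificate for the same CA is still accepted as a new entry, which is usually what you want during a vendor switch.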

Related

Is a Keytool certificate free?

In our application we are creating a client and server that talk with each other using SSL authentication. I did a POC which generates a certificate using the following command:
keytool -genkey -keystore yourKEYSTORE -keyalg RSA
I need to know if the certificate created by the above command is free to use?
It's free to use but it is self-signed, which makes it basically useless unless you can go through all the steps required to get the peers to trust it.
Failing that, you need to generate a certificate request from this, get it signed, and import the resulting signed certificate into that keystore using the same alias you used here.

SSL Cert Vendor Change

I am trying to prepare for the switch in SSL certificate vendors.
For the SSL validation, our Tomcat web application uses a JKS file created from a DigiCert certificate (*.cer files). Our company is now switching to VeriSign next week. Since they have already provided the new *.cer files, can I simply add the new cert (using keytool) to the existing JKS so that it works for both certificates? I am trying to avoid any downtime during the switch and prepare the server beforehand.
Any help will be much appreciated.
You must install the certificate onto the same keystore you created the CSR from as the private key resides there. Otherwise it will not work. Please reference the article below on instructions on how to import into a tomcat server:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR234&actp=search&viewlocale=en_US&searchid=1369174910074

Import Self Signed Certificates into Netty

I need to set up SSL for my Netty server, for which I am planning to use a self-signed certificate. I wanted to know what the steps involved in doing so are?
Use openssl to get a .key & .csr file.
Do I need to convert the .csr file into pem?
How do I import the certificate into the keystore? Is that cacerts on a Linux machine?
Do I also need to import the keys into the keystore?
This tutorial shows the steps for using a certificate signed by StartSSL:
http://blog.hintcafe.com/post/33709433256/https-server-in-java-using-netty-and-keystore
I think the steps can be modified for using your self-signed certificate (or you could sign it for free using StartSSL).

VeriSign certificate into JBoss server SSL

I'm trying to enable JBoss to use the SSL protocol using a previously generated certificate from VeriSign. I imported both certificates, the server certificate and the CA certificate, into the keystore file, and I configured server.xml to use that keystore and activate the SSL protocol. Then, when I run JBoss, I get this error: "certificate or key corresponds to the SSL cipher suites which are enabled"
Question: reading some posts on the internet, I found that every example was made by generating a Certificate Request. Is it strictly necessary to do that if I already have the server certificate, and does that CSR have to be imported into the keystore as well? At this point I'm very confused about this issue; I tried almost every solution posted in several forums, but so far I haven't had any luck!! Can you give me some tips in order to solve this problem?
Thanks in advance.
This is my keystore file:
Keystore type: jks Keystore provider: SUN
Your keystore contains 2 entries
j2ee, Dec 29, 2009, trustedCertEntry, Certificate fingerprint (MD5): 69:CC:2D:2A:2D:EF:C4:DB:A2:26:35:57:06:29:7D:4C
ugent, Dec 29, 2009, trustedCertEntry, Certificate fingerprint (MD5): AC:D8:0E:A2:7B:B7:2C:E7:00:DC:22:72:4A:5F:1E:92
You are almost certainly missing the concept of "private key". You need to have both the private key and the corresponding certified public key for your server. The usual way to do this is to generate a key with keytool with alias say 'mykey', export the pkcs#10 CSR with keytool, get this signed by Verisign (or whomever), then import the signed certificate back into the same keystore with keytool using the same alias 'mykey'. You can also import existing keypairs using keytool, but it can be more painful.
Finally I found a solution for this problem. As you said, I need to have my private key, server certificate and CA certificate in my keystore; in this post they explain how to import these 3 existing elements (as in my case) into the keystore using a very useful tool called keyman. http://www.jguru.com/faq/view.jsp?EID=532461
cheers,

When using keytool to generate a CSR file, does it have to be generated on the hosting server?

I was under the impression that I could run it on any machine, but a guy from our hosting company is saying that the CSR has to be generated on the server hosting the site.
Can anyone clear this one up for me?
Thanks.
The bottom line is you do not need to generate CSRs on the server hosting an SSL certificate. A CSR is a CSR, and you could actually generate it using something like OpenSSL and then import both the key and the certificate into the keystore once it is created. The problem is that they probably don't understand how to get the key into the keychain. See if these KeyTool and OpenSSL tips help.
It's not entirely accurate. What does need to happen is the chain of key -> csr -> cert all needs to happen within the same keystore file. It is difficult to move key/cert in and out of the original keystore.