ActiveMQ: Can't enable SSL over Stomp - ssl

I'm a new ActiveMQ user trying to enable SSL over Stomp with ActiveMQ. Previously I've enabled SSL over openwire for a CMS and I've tried to use both the certificate setup for the CMS and a new one for Stomp.
Here is my certificate setup:
Creating the broker keystore:
keytool -genkeypair -alias broker -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQBroker.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1" -ext "BC:critical=ca:true" -ext "KU:critical=keyCertSign"
Creating the keystore for the CMS client:
keytool -genkey -alias client -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQClient.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1"
Creating truststores and importing certificates for the broker and client:
keytool -export -alias broker -keystore AMQBroker.ks -storepass "password" -file AMQBroker.crt
keytool -export -alias client -keystore AMQClient.ks -storepass "password" -file AMQClient.crt
keytool -import -alias client -keystore AMQBroker.ts -storepass "password" -file AMQClient.crt -noprompt
keytool -import -alias broker -keystore AMQBroker.ts -storepass "password" -file AMQBroker.crt -noprompt (This was for the network connector)
Converting the broker keystore to p12 format to export as .pem format for the CMS client:
keytool -importkeystore -srckeystore AMQBroker.ks -destkeystore AMQBroker.p12 -srcstoretype jks -deststoretype pkcs12 -srcalias broker -deststorepass "password" -destkeypass "password" -srcstorepass "password"
openssl pkcs12 -in AMQBroker.p12 -out AMQClient-ts.pem -password pass:"password" -nokeys
Converting the client keystore to p12 format to export as .pem format for the CMS client. I also grabbed the .key file for testing with Stomp.py
keytool -importkeystore -srckeystore AMQClient.ks -destkeystore AMQClient.p12 -srcstoretype jks -deststoretype pkcs12 -srcalias client -deststorepass "password" -destkeypass "password" -srcstorepass "password"
openssl pkcs12 -in AMQClient.p12 -passin pass:"password" -out AMQClient.pem -passout pass:"password"
openssl pkcs12 -info -in AMQClient.p12 -passin pass:"password" -out AMQClient.key -nodes -nocerts
Here are some certificates I generated while trying to use Stomp specifically:
openssl genrsa -out AMQStomp.key 4096
openssl req -sha256 -new -key AMQStomp.key -out AMQStomp.pem -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,DNS:%userdomain%,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1"
keytool -import -alias stomp -keystore AMQBroker.ts -storepass "password" -file AMQStomp.pem -noprompt
keytool -exportcert -rfc -alias broker -keystore AMQBroker.ks -file AMQStomp-ts.pem -storepass "password"
Here's how I've set up my connection with Stomp.py:
brokerPort = 61612
stomp_key = 'C:/path/to/AMQStomp.key'
stomp_cert = 'C:/path/to/AMQStomp.pem'
ca_cert = 'C:/path/to/AMQStomp-ts.pem'
self.__conn = stomp.Connection(host_and_ports=[(brokerHost, brokerPort)],
                               auto_content_length=False,
                               use_ssl=True,
                               ssl_key_file=stomp_key,
                               ssl_cert_file=stomp_cert,
                               ssl_ca_certs=ca_cert,
                               ssl_version=ssl.PROTOCOL_TLSv1_2)
self.__conn.set_ssl(
    for_hosts=[(brokerHost, brokerPort)],
    cert_file=stomp_cert,
    key_file=stomp_key,
    ca_certs=ca_cert,
    ssl_version=ssl.PROTOCOL_TLSv1_2)
I've also tried the CMS certificates.
stomp_key = 'C:/path/to/AMQClient.key'
stomp_cert = 'C:/path/to/AMQClient.pem'
ca_cert = 'C:/path/to/AMQClient-ts.pem'
Here's what's currently configured in my activemq.xml:
<sslContext>
    <sslContext keyStore="C:/path/to/AMQBroker.ks"
                keyStorePassword="password"
                trustStore="C:/path/to/AMQBroker.ts"
                trustStorePassword="password" />
</sslContext>
<transportConnectors>
    <transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true&amp;maximumConnections=1000&amp;transport.enabledProtocols=TLSv1.2&amp;wireformat.maxFrameSize=104857600&amp;wireFormat.maxInactivityDuration=-1"/>
    <transportConnector name="stomp+ssl" uri="stomp+nio+ssl://0.0.0.0:61612?maximumConnections=1000&amp;transport.enabledProtocols=TLSv1.2&amp;needClientAuth=true"/>
</transportConnectors>
ACTIVEMQ_SSL_OPTS is set as:
-Djavax.net.ssl.keyStore=C:\path\to\AMQBroker.ks -Djavax.net.ssl.trustStore=C:\path\to\AMQBroker.ts -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl
Here's the error I'm getting when trying to connect with Stomp:
2021-01-18 19:35:40,184 | ERROR | Could not accept connection from null : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[infrastructure] Task-10
java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker-5.15.9.jar:5.15.9]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)[:]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)[:]
at java.base/java.lang.Thread.run(Unknown Source)[:]
2021-01-18 19:35:40,184 | DEBUG | Reason: java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[infrastructure] Task-10

It would be quite hard to know from the data given what is going on between the client and broker over the wire, which is where you are going to need to look in order to understand what is going wrong. The Broker STOMP module has a number of tests that run using an SSL configuration which you can see here:
One means of debugging is to set the JVM option to enable debug for SSL:
-Djavax.net.debug=ssl
Review the handshake information to see where the negotiation goes wrong.
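A small triage script, added here and not part of either post, that makes this advice concrete for the error quoted in the question: it names what a peer's first bytes are (a TLS ClientHello versus a plaintext STOMP CONNECT frame, which is exactly what the broker reports as "Unrecognized SSL message, plaintext connection?") and maps the handshake errors seen in an ActiveMQ log to their usual cause. The sample log reuses the ERROR line from the question plus a constructed WARN line in the same layout.

```python
"""Triage the broker error quoted in the question above.

JSSE reports "Unrecognized SSL message, plaintext connection?" when the first
bytes a peer sends are not a TLS record header, i.e. the client spoke plain
STOMP to a TLS-only connector. This names a connection's first bytes and maps
handshake errors in an ActiveMQ log to their usual cause.
"""
import re
from typing import List, Tuple

# TLS record header: content type byte, then protocol major version 0x03.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

def classify_first_bytes(data: bytes) -> str:
    """Name the protocol a peer started with, from the first bytes it sent."""
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        kind = TLS_CONTENT_TYPES[data[0]]
        # Byte 5 is the handshake message type; 0x01 is ClientHello.
        if kind == "handshake" and len(data) >= 6 and data[5] == 0x01:
            return "tls ClientHello"
        return f"tls {kind} record"
    head = data.lstrip(b"\r\n")  # STOMP permits heart-beat EOLs before a frame
    if head.startswith((b"CONNECT\n", b"CONNECT\r\n", b"STOMP\n", b"STOMP\r\n")):
        return "plaintext STOMP CONNECT frame"
    return "plaintext (not TLS)"

# Substrings of the JSSE message -> likely cause. First match wins.
CAUSES = [
    (("Unrecognized SSL message, plaintext connection?",),
     "client sent plaintext to a TLS connector: wrong port or URI scheme, or "
     "the client's SSL settings were not applied to this host/port"),
    (("unable to find valid certification path",),
     "peer certificate (or its issuer) is missing from this side's trust store"),
    (("null cert chain", "Empty client certificate chain"),
     "needClientAuth=true but the client presented no certificate"),
    (("Received fatal alert: certificate_unknown",),
     "peer rejected our certificate: it is missing from the peer's trust store"),
    (("No subject alternative names", "No name matching"),
     "certificate SAN does not cover the host name the client connected to"),
    (("no cipher suites in common", "protocol_version"),
     "TLS version or cipher suite mismatch (compare transport.enabledProtocols "
     "with what the client offers)"),
]

# ActiveMQ log layout: 'timestamp | LEVEL | message | logger | thread'
LOG_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \| (\w+)\s*\| (.*?) \| (\S+) \|")

def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """(timestamp, level, likely cause) per SSL error; exception lines carry no
    timestamp, so each is attributed to the timestamped log line above it."""
    findings = []
    ts, level = "?", "?"
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, level, line = m.group(1), m.group(2), m.group(3)
        if "SSLException" not in line and "SSLHandshakeException" not in line:
            continue
        for needles, cause in CAUSES:
            if any(n in line for n in needles):
                findings.append((ts, level, cause))
                break
        else:
            findings.append((ts, level, "unclassified SSL error: " + line.strip()))
    return findings

# Constructed sample: the ERROR line from the question plus a made-up WARN line
# in the same layout showing a trust-store failure.
SAMPLE_LOG = """\
2021-01-18 19:35:40,184 | ERROR | Could not accept connection from null : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[infrastructure] Task-10
java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
\tat org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)
2021-01-18 19:41:02,001 | WARN  | Transport Connection to: tcp://127.0.0.1:50122 failed | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: ssl:///127.0.0.1:50122
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""

if __name__ == "__main__":
    print(classify_first_bytes(b"CONNECT\naccept-version:1.2\nhost:localhost\n\n\x00"))
    print(classify_first_bytes(b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"))
    for ts, level, cause in triage_log(SAMPLE_LOG):
        print(f"{ts} {level}: {cause}")
```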

I did get this running from a smaller test file. The following code snippet was modified from https://developers.redhat.com/blog/2018/06/14/stomp-with-activemq-artemis-python/
stomp_test.py
import time
import sys
import stomp
import ssl


class MyListener(stomp.ConnectionListener):
    def on_error(self, headers, message):
        print('received an error "%s"' % message)

    def on_message(self, headers, message):
        print('received a message "%s"' % message)


hosts = [('localhost', 61613)]
stomp_key = 'D:/FOSS/ActiveMQ/conf/AMQClient.key'
stomp_cert = 'D:/FOSS/ActiveMQ/conf/AMQClient.pem'
stomp_ca = 'D:/FOSS/ActiveMQ/conf/AMQClient-ts.pem'
conn = stomp.Connection(host_and_ports=hosts,
                        use_ssl=True,
                        ssl_key_file=stomp_key,
                        ssl_cert_file=stomp_cert,
                        ssl_ca_certs=stomp_ca,
                        ssl_version=ssl.PROTOCOL_TLSv1_2)
# Client certificate, key and the broker's CA cert for mutual TLS on this host/port
conn.set_ssl(for_hosts=hosts,
             cert_file=stomp_cert,
             key_file=stomp_key,
             ca_certs=stomp_ca,
             ssl_version=ssl.PROTOCOL_TLSv1_2,
             password='password')
conn.set_listener('', MyListener())
conn.connect('admin', 'admin', wait=True, headers={'client-id': 'clientname'})
conn.subscribe(destination='A.B.C.D', id=1, ack='auto',
               headers={'subscription-type': 'MULTICAST', 'durable-subscription-name': 'someValue'})
conn.send(body=' '.join(sys.argv[1:]), destination='A.B.C.D')
time.sleep(2)
conn.disconnect()
I also had to add a few more extensions to my broker's keystore (I went a little overkill):
-ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true
keytool -genkeypair -alias broker -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQBroker.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,IP:0.0.0.0,IP:127.0.0.1" -ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true
I also removed nio from my stomp transportConnector in activemq.xml:
<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61613?maximumConnections=1000&amp;transport.enabledProtocols=TLSv1.2&amp;needClientAuth=true"/>
I hope this helps anyone with a similar issue.

Related

Getting Failed authentication with /127.0.0.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector) in kafka producer

I configured SSL in Kafka using the following commands:
Generate CA
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Create Truststore
keytool -keystore kafka.server.truststore.jks -alias ca-cert -import -file ca-cert
Create Keystore
keytool -keystore kafka.server.keystore.jks -alias kafka -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
Create certificate signing request (CSR)
keytool -keystore kafka.server.keystore.jks -alias kafka -certreq -file ca-request-kafka
Sign the CSR
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-kafka -out ca-signed-kafka -days 3650 -CAcreateserial
Import the CA into Keystore
keytool -keystore kafka.server.keystore.jks -alias ca-cert -import -file ca-cert
Import the signed certificate from step 5 into Keystore
keytool -keystore kafka.server.keystore.jks -alias kafka -import -file ca-signed-kafka
and added the following properties to the server.properties file:
ssl.truststore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.broker0.truststore.jks
ssl.truststore.password=vinodts
ssl.keystore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.broker0.keystore.jks
ssl.keystore.password=vinodks
ssl.key.password=vinodks
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.protocol=TLSv1.2
and SSL on the Kafka server running on localhost:9092 is working.
I used the following commands for creating the CAs for kafka-console-producer:
keytool -keystore kafka.producer.truststore.jks -alias ca-cert -import -file ca-cert
keytool -keystore kafka.producer.keystore.jks -alias kafka-producer -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
keytool -keystore kafka.producer.keystore.jks -alias kafka-producer -certreq -file ca-request-producer
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-producer -out ca-signed-producer -days 3650 -CAcreateserial
keytool -keystore kafka.producer.keystore.jks -alias ca-cert -import -file ca-cert
keytool -keystore kafka.producer.keystore.jks -alias kafka-producer -import -file ca-signed-producer
and added the following properties to the producer.properties file:
bootstrap.servers=localhost:9092
security.protocol=SSL
ssl.protocol=TLSv1.2
ssl.truststore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.producer.truststore.jks
ssl.truststore.password=vinodts
ssl.keystore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.producer.keystore.jks
ssl.keystore.password=vinodks
ssl.key.password=vinodks1
Now when I try to run the command:
kafka-console-producer.bat --topic ssl-topic ../../config/producer.properties --broker-list localhost:9092
I get:
Bootstrap broker localhost:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient)
in the producer window, and
Failed authentication with /127.0.0.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector)
in the Kafka window.
Does anybody know what I am doing wrong? Thanks in advance.
INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /127.0.0.1 (channelId=127.0.0.1:9092-127.0.0.1:55412-1) (SSL handshake failed) (org.apache.kafka.common.network.Selector)
cd kafka/config
Create a new ssl.config file and paste the lines below:
ssl.endpoint.identification.algorithm=https
security.protocol=SSL
ssl.keystore.location=kafka/ssl/kafka.broker0.keystore.jks
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=kafka/ssl/kafka.broker0.truststore.jks
ssl.truststore.password=passWord
Now try with --command-config config/ssl.config:
sudo bin/kafka-topics.sh --list --bootstrap-server localhost:9092 --command-config config/ssl.config
It's working.

How to enable SSL in ActiveMQ Artemis for MQTT protocol based on keystore and truststore

I have installed ActiveMQ Artemis on Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses a keystore and truststore. How do I create those, and how do I enable SSL for the MQTT protocol?
The broker.xml configuration is shown below:
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true
sslEnabled=true;
keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
trustStorePath=home/certs/server-ks/server1.p12;
trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) to a keystore and truststore:
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
I have created/converted the client keystore the same way.
I need to connect to the broker using the MQTT.FX client with a self-signed client keystore.
I am confused about how to achieve this. Please help me if anyone has an idea.
In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.

How to resolve : java.io.IOException: jsse.alias_no_key_entry

I have a Debian virtual machine with Tomcat installed. I would like to install an SSL certificate so that my website is served over HTTPS.
I received the following certificate files with my VM:
my-domain.cer my-domain.chain.crt.pem my-domain.crt.pem
my-domain.csr my-domain.key my-domain.ch.p7c
I created a keystore with the following command:
keytool -import -trustcacerts -alias tomcat -keystore keystore.jks -file my-domain.cer
Then, I modified the conf/server.xml file with the following code:
<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
keyAlias="tomcat" keystoreFile="/usr/local/tomcat/ssl/keystore.jks" keystorePass="PASSWORD" keystoreType="JKS"
port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>
Unfortunately, I get the following error when starting Tomcat:
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:585)
at org.apache.catalina.startup.Catalina.load(Catalina.java:608)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1116)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
... 13 more
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:330)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:104)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
I do not understand where it can come from, because my alias is the correct one...
Thank you in advance for your help.
In my case, the cause of this issue was that the SSL key alias present in the application was not same as the alias passed while creating the certificate.
keytool -genkeypair -keyalg RSA -alias dummyApp -keystore dummy-app.p12 -storepass password -validity 3650 -keysize 2048 -dname "CN=dummy-app, OU=Enterprise, O=Test, L=Unknown, ST=Unknown, C=US" -storetype pkcs12
To fix this, I had to correct the value of the server.ssl.key-alias property. As per the SSL generation example above, its value should be dummyApp.
Just had this issue, only with .p7b.
This error means your keystore doesn't contain the original private key.
Please make sure your private key (.csr) is in the same keystore with the .p7b chain.
I followed these steps:
1. Generated a key with a keystore:
keytool -genkey -alias [alias_name] -keyalg RSA -keystore [enter_keystore_name] -keysize 2048
This command creates not only a key entry, but also a private key in the keystore. That's why it's important to import the .p7b into the same keystore.
2. Generated a CSR from this entry:
keytool -certreq -keyalg RSA -keysize 2048 -alias [alias_name] -file [csr_file_name] -keystore [keystore_name] -ext san=dns:[FQDN_of_server]
3. Imported the received signed .p7b into the same keystore (I recommend you to download the .p7b into the same folder your .csr and keystore are in):
keytool -import -alias [alias_name] -trustcacerts -file [ssl_certificate.p7b] -keystore [keystore_name]
If everything's done right, your keystore will contain the generated private key and the received .p7b.
You need to import the private key into the keystore.
Step 1: Download OpenSSL and then move to C:\OpenSSL-win64\bin
Next, type this command:
openssl pkcs12 -export -in C:\Keystore\certificate.crt -inkey C:\Keystore\name_key.key -out C:\Keystore\server.p12 -name [name_alias] -CAfile C:\Keystore\rootCA.crt -caname root
Note: if you use alias "tomcat" in server.xml
keyAlias="tomcat"
keystoreFile="C:\Keystore\server.jks"
keystorePass="your pass"
then [name_alias] = tomcat
Step 2: Open cmd, move to C:\program files\java\jdk..\bin and type this command to convert the p12 file to a jks file:
keytool -importkeystore -deststorepass mypass -destkeystore C:\Keystore\server.jks -srckeystore C:\Keystore\server.p12 -srcstoretype PKCS12
Restart your Tomcat server.
Execute the following commands:
#First step
jmendoza#jmendoza:~$ openssl genrsa -aes256 -out electoralsystem-cakey.pem 2048 -alias electoralsystem-cakey.pem
Enter pass phrase for electoralsystem.key: jmendoza
#Second step
jmendoza#jmendoza:~$ openssl req -new -x509 -sha256 -key electoralsystem-cakey.pem -days 365 -out electoralsystem-cacert.pem
jmendoza#jmendoza:~$ openssl x509 -in electoralsystem-cacert.pem -text
#Third step
jmendoza#jmendoza:~$ openssl pkcs12 -export -in electoralsystem-cacert.pem -inkey electoralsystem-cakey.pem -out electoralsystem-store.p12 -name "electoralsystem-store"
Enter Export Password: jmendoza
#Fourth step
jmendoza#jmendoza:~$ keytool -importkeystore -destkeystore electoralsystem-store.jks -deststorepass jmendoza -srckeystore electoralsystem-store.p12 -srcstoretype PKCS12 -srcstorepass jmendoza -alias electoralsystem-store
Configuration example with Spring Boot (application.properties):
server.port=8081
server.ssl.key-alias=electoralsystem-store
server.ssl.key-password=jmendoza
server.ssl.key-store=/home/jmendoza/IdeaProjects/dummy/config/electoralsystem-store.jks
server.ssl.key-store-provider=SUN
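A small checker, added here and not drawn from any of the answers above, that makes their diagnosis testable: it parses keytool -list output and reports whether the alias a server is configured with (Tomcat keyAlias, Spring server.ssl.key-alias) resolves to a PrivateKeyEntry, which is what jsse.alias_no_key_entry is complaining about. The sample listing is constructed to mirror the question (a certificate imported under "tomcat" with no private key); list_keystore runs the real keytool when a JDK is on PATH.

```python
"""Check that a server's configured key alias is a PrivateKeyEntry.

jsse.alias_no_key_entry means the alias is not a PrivateKeyEntry: usually the
certificate or chain was imported with `keytool -import`, which creates a
trustedCertEntry, or the alias is misspelled. Added example, not from the answers.
"""
import re
import subprocess
from typing import Dict, Optional

# `keytool -list` prints one line per entry: "<alias>, <date>, <entry type>,"
ENTRY_LINE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>.+?), "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?$")

def parse_keytool_list(listing: str) -> Dict[str, str]:
    """Map alias -> entry type from non-verbose `keytool -list` output."""
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        m = ENTRY_LINE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def diagnose_key_alias(entries: Dict[str, str], alias: Optional[str]) -> str:
    """Say whether a JSSE server could load a private key for `alias`."""
    keys = [a for a, t in entries.items() if t == "PrivateKeyEntry"]
    if alias is None:
        # With no alias configured, Tomcat uses the first key entry it finds.
        if keys:
            return f"ok: no alias configured, first PrivateKeyEntry '{keys[0]}' will be used"
        return "error: keystore holds no private key at all, only imported certificates"
    kind = entries.get(alias)
    if kind == "PrivateKeyEntry":
        return f"ok: alias '{alias}' is a PrivateKeyEntry"
    if kind is None:
        hint = f"private keys present: {', '.join(keys)}" if keys else "keystore holds no private key"
        return f"jsse.alias_no_key_entry: alias '{alias}' not found ({hint})"
    return (f"jsse.alias_no_key_entry: alias '{alias}' is a {kind}, not a PrivateKeyEntry; "
            "rebuild it from key + cert with `openssl pkcs12 -export -inkey ... -in ...` "
            "and `keytool -importkeystore`")

def list_keystore(path: str, storepass: str, storetype: Optional[str] = None) -> Dict[str, str]:
    """Run keytool against a real keystore (needs a JDK on PATH) and parse it."""
    cmd = ["keytool", "-list", "-keystore", path, "-storepass", storepass]
    if storetype:
        cmd += ["-storetype", storetype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)

# Constructed listing shaped like the Tomcat question above: the certificate
# received from the CA was imported under 'tomcat' without its private key.
SAMPLE_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Jan 18, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
mykey, Jan 18, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): F9:E8:D7:C6:B5:A4:93:82:71:60:5F:4E:3D:2C:1B:0A:F9:E8:D7:C6:B5:A4:93:82:71:60:5F:4E:3D:2C:1B:0A
"""

if __name__ == "__main__":
    entries = parse_keytool_list(SAMPLE_LISTING)
    for alias in ("tomcat", "mykey", None):
        print(diagnose_key_alias(entries, alias))
```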

WSO2 IS 430 - Godaddy SSL Certificate installation fails

I tried installing an SSL certificate I purchased from GoDaddy (CN = my domain) following the steps below. After the last step I did a grep for .jks in the repository/conf directory and replaced all keystore configs (wso2carbon.jks) with my JKS and password, then restarted the server. It started giving a bunch of errors and did not start properly. But when I changed ONLY catalina_server.xml's configuration and undid all the others, it started and SSL was working only for port 9443; yet when I checked the cert installation with an SSL checker tool, it said the cert was not installed properly. And even the API gateway endpoints were not working with SSL (the browser rejects the cert), on port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create CSR - copy output and submit to Go Daddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the certificates for Tomcat; you will receive the certificates below.
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join root and intermediate certificate
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias keys -deststorepass -destkeypass
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create pkcs12 keystore
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create JKS from pkcs keystore.
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract key file to add client keystore
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add key to client-truststore.jks
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon

Convert Certificate to X.509

Good morning,
I recently requested a certificate from GoDaddy and they have sent me two sets of .pem and .spc files (SHA1 and SHA1), but when I try to import them into my codesignstore it says they are not X.509. Is there any way to convert them?
I used these commands to generate the files that I sent to GoDaddy.
Keystore
keytool -genkey -alias codesigncert -keyalg RSA -keysize 2048 -dname "CN=Corp,O=Corp,C=US,ST=FL,L=Orlando" -keystore codesignstore
Certificate Request
keytool -certreq -v -alias codesigncert -file codesign.pem -keystore codesignstore
Import
keytool -import -alias codesignecert -file NAME_OF_FILE_FROM_GODADDY -keystore codesignstore
I tried importing a trusted cert using the command below and it worked for me.
keytool.exe -import -trustcacerts -alias "cert_alias_name" -file cert.pem -keystore "C:/Program Files/Java/jre1.8.0_291/lib/security/cacerts" -srcstorepass changeit -deststorepass changeit -v -noprompt
Certificate was added to keystore
[Storing C:/Program Files/Java/jre1.8.0_291/lib/security/cacerts]