I have two file representing a certificate and the related private key. I have to do some tests in Jmeter non-GUI and I don't know how to set this two files separately, because I read that Jmeter uses keystore settings in system-properties file, but I can't merge certificate and private key files in one. Is there some parameters to be set to achieve this?
I can't merge certificate and private key files in one
that's not true, you can do this using i.e. OpenSSL tool like:
openssl pkcs12 -export -out jmeterkeystore.p12 -inkey your.private.key -in your.certificate
Once done you can add the next lines to system.properties file (lives in "bin" folder of your JMeter installation)
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=/path/to/your/jmeterkeystore.p12
javax.net.ssl.keyStorePassword=your_keystore_password_here
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
Related
I have all the required files to import to my apache tomcat, that is:
the Certificate Request file (CSR file)
the RSA PRIVATE KEY file
the certificates (root, intermediates and Entity/Domain) that was sent to me by the Certificate Authority.
Now i need to import them to my apache tomcat server.
My question is, given that i havent created any key store to my server (the CSR and private key were sent to me, i didnt created them with e.g. keytool), what should be the next steps? Should i have to create a new keystore through keytool -genkey command (which alias?) ?
And if so, which of the files above should i import? As far as i can see the keytool command doesnt support to import an existing CSR.
The extension .crt is often but not always used for certificates in PEM format. First, set aside the CSR; you won't use it. Look at the contents of the privatekey file and each certificate file; do they each have (usually begin with) a line in the format -----BEGIN {one or more words}----- then several lines of base64 and then a similar END line? If so those are PEM files and the content you need is one privatekey and several certs, exactly as you listed. See also (cross) https://crypto.stackexchange.com/questions/43697/what-is-the-difference-between-pem-csr-key-and-crt and https://security.stackexchange.com/questions/183072/pem-cer-crt-p12-what-is-it-all-about .
As noted in the Q Piotr linked, modern Tomcat (8.5 and up) can directly use PEM files for privatekey and cert(s). Older Tomcats with the 'native' SSL option (aka APR, Apache Portable Runtime, which wraps OpenSSL) also do this.
To use PEM data in older Tomcat using Java SSL (JSSE), or other Java applications, see
Convert a CERT/PEM certificate to a PFX certificate
Importing the private-key/public-certificate pair in the Java KeyStore
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
Converting pem with multiple certificates to java keystore
Converting PEM Certificate for use in JAVA Spring Framework
Converting PEM to PKCS12 and import to Java Keystore
Note PFX is the same thing as PKCS12, and while in olden days it was often necessary to convert to PKCS12 using openssl pkcs12 -export and then to JKS using keytool -importkeystore, Java versions since 2017 should accept PKCS12 as a keystore and in fact j9 up make it the default for newly created keystores.
I'm attempting use "Use Your Own TLS Certificate" the "Use PEM Format" of the following web page: https://docs.bitnami.com/kubernetes/infrastructure/kafka/administration/enable-tls/
I'm trying to "helm install" kafka with TLS certificates using the above instructions which wants me to use the certificate, public key, and private key of the self-signed certificate I created using openssl. But, openssl does not create a public key. So, I believe this is why my "helm install" never works, i.e. the kafka-0 pod always ends up with a Status of 'CrashLoopBackOff". And, when I read the pods log file I see that the reason it crashed was because of 'Invalid PEM keystore configs' which I believe was caused by me using the CSR file, created by openssl as the public key file that kafka wants. The CSR file does contain the public key but it also contains other information.
The following openssl command will create a public key from the CSR:
sudo openssl req -in cert.csr -noout -pubkey -out public.key
where 'cert.csr' is the CSR file.
We use IIS 6.0 (Win2003 SP2) at work and needed to renew our SSL certificate.
I created a certificate request by using openssl. Therefor I'd created a 2048 bit key with openssl first. I did not use that certreq.txt request file, since that produced format errors at the website of our used CA.
That request has been accepted meanwhile and I got a .pem file from our organization's CA. So far so good. I even was able to import the certificate. But unfortunately the private key is missing now. I think, windows (or IIS) just doesn't know, where to look for it. The private key of course lives in a *.key file, that I used for creating the request.
But how may I integrate the key into the certificate or make Windows/IIS using it?
You should be able to build a PKCS#12 file using OpenSSL using:
openssl pkcs12 -export -in cert.pem -inkey file.key -out cert.p12
Then, using the .p12 file, import both the cert and its private key at the same time.
More info on openssl https://www.openssl.org/docs/apps/pkcs12.html
Since your running Windows Server take advantage of DigiCert's free utility (http://www.digicert.com/util).
You can create the CSR from OpenSSL if you plan to import it back to OpenSSL and were using Apache.
Otherwise you'll make the CSR request from IIS or running DigiCert Utility and clicking 'Create CSR' option. Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS.
Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC.
Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
If you happen to need the private key, you can use the 'Export' function to create a .key file or a PFX file which includes both your domain certificate and the private key.
Some firewall devices require a PKCS#12 file over the PFX. If so, rename file extension from .pfx to .p12
I'm am trying to create a very simple WCF client application which will send SOAP messages to a 3rd party service. All the messages must be digitally signed. It's really a proof of concept before I add the code to a larger application.
I have a .cer file containing the certificate and a .pem file containing the private key. What I have been trying to do is load the certificate using the .cer file then fire off a message. But I get the following error "The private key is not present in the X.509 certificate".
The problem, well one of the problems, is that I really know almost nothing about WCF, digital certificates, private keys and all that guff. I've done some reading, I've Googled till I'm blue in the face and I've not got anywhere.
If I open the .cert file there is a section labelled "BEGIN ENCRYPTED PRIVATE KEY" which suggests that the private key is included in the certificate. So, why am I getting a message saying that it is not present? Also, if the private key does need to be added to the certificate how do I do it?
Here basically what I'm doing. It's not my actual code, but it includes all the relevant stuff:
MyWSClient c = new MyWSClient();
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(#"pathToFile.cer");
c.SomeValidCall();
How are you creating this cert / key pair? You can combine them into a PKCS#12 certificate using openssl:
openssl pkcs12 -export -in yourcert.crt -inkey yourprivkey.key -out newcert.p12
You may need to play with the input format to get it to work with a .pem private key.
My colleague has found a solution. I don't know why but using a .der file rather than a .cer file solves the problem. This is the command he used to generate the .der file using a certificate, private key and root certificate as.pem files:
openssl pkcs12 -export -in cert.pem -inkey private_key.pem -certfile root_cert.cer -out pkcs12.der
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I'm trying to install a GoDaddy SSL certificate on a new load balancer I'm setting up on Amazon AWS. I originally created the certificate at Godaddy using the keytool program for direct installation on a Glassfish 3.1 server (Amazon linux ami). I had no problems getting that setup directly on the server. I now need to move the certificate from the web server to the new load balancer. Amazon requires the private key and certs to be in PEM format, so I used the "rekey" tool at GoDaddy to create new certs. When I load those in the load balancer setup screen on AWS Mgmt Console, I get the error message: "Public Key Certificate and Private Key doesn't match."
Here is how I'm creating the keys:
$ openssl genrsa -des3 -out private.key 2048
$ openssl req -new -key private.key -out apps.mydomain.com.csr
I then submit the .csr file to GoDaddy during the "rekey" process. Once the rekey is complete, I download the 2 newly created certs (apps.mydomain.com.crt & gd_bundle.crt). I download them selecting (Apache) as the type of server (I've also tried "other" and "Cpanel" but the all look to be the same).
At this point, I remove the encryption from the private.key file by using the following command:
$ openssl rsa -in private.key -out private.pem
At this point, I go back into the AWS Mgmt console, create the load balancer, add the secure server redirect and put the contents of the following files in the respective fields on the screen where it asks to setup the ssl certificate:
private.pem --> Private Key
apps.mydomain.com.crt --> Public Key Certificate
gd_bundle.crt --> Certificate Chain
When I click the "continue button" I get the error "Error: Public Key Certificate and Private Key doesn't match."
-Is there a way that I can test that I'm getting a valid error message from Amazon? It seems odd to me that the keys wouldn't match when I'm following GoDaddy's instructions pretty closely.
I've tried creating the private.key file without RSA encryption prior to creating the .csr and that doesn't seem to make any difference.
I'm also assuming that the .crt files I'm downloading from GoDaddy are in .PEM format, but I'm not sure how to verify this.
Any ideas?
For me, it was an easy two-step:
Convert the private key to PEM:
openssl rsa -in yourdomain.key -outform PEM
Convert the certificate and certificate bundle to PEM:
openssl x509 -inform PEM -in yourdomain.crt
openssl x509 -inform PEM -in bundle.crt
Just for the record and anyone else who is trying to figure it out:
yourdomain.key
-> terminal command: sudo openssl rsa -in yourdomain.key -outform PEM -out yourdomain.pem
-> private key
yourdomain.crt
-> public key
gd_bundle.crt
-> certificate chain
and you're good to go :)
Looks like the issue was the way in which I was copying the contents of the key and certs into the AWS Management console. I was using an Ubuntu desktop running in Virtual Box on a Windows 7 desktop; copy and pasting the values from a gedit screen into the browser running on the Windows box. Once I opened the key and cert files on the same box as the web browser (Windows in this case) the certs went through just fine. I'm guessing some parts of the file aren't making it over correctly when using the shared clip board between Virtual Box client and host. Case closed.
We found an alternate solution to this problem. We were having the same symptoms with the same error.
Then we tried reentering the pem codes one more time, but this time we made sure to hit enter one time and make sure the cursor was on a blank line at the end of each window. Then we saved it.
IT WORKED.
This solved our problem, so it might solve it for others.
One little gotcha. I'm using a Windows box (Win 7 Pro) and when I used the windows port of OpenSSL, the outputted files had Unix style end-of-line characters (LF).
I had to convert the file to Windows style (CRLF) for the uploading of the private key.
I can suggest you with an alternative solution and an information to you folks.
Generally all certificates are of PEM file format. You can just open a notepad or any text editor and drag the files which you received in .crt file format. Which is normally called as .PEM file.If the certificate loaded in your keytool you can export the certificate as a pfx file from keytool. Then you can separate the pfx file from the private key from the pfx file. Because the pfx file is the combination of your certificate and the private key.So you can get separately the private key file and use it on your amazon aws.
I suspect there may be another way to install the certificate. May be you can contact the certificate authority and is there any way to get your certificate to be reissued.