Can you export a private key from an nCipher HSM and import it into a Java keystore (JCEKS)?

We have an asymmetric key in an nCipher HSM and want to export it to a JCEKS keystore.
Is this possible?

Related

Read certificate from HSM, bind its private key to it and save it in X509Store

I have an nShield HSM; my certificate, private key and public key are stored in it. When I read the certificate from my HSM there is no private key in it. I need this certificate to use in "AuthenticateAsServer". Also, the private key is not extractable from the HSM, so what should I do?
Thanks in advance

Is it possible to recover a certificate thumbprint (SHA-1 fingerprint) from private key material?

Is it possible to recover a certificate thumbprint (SHA-1 fingerprint) from the private key only, such that it matches the original certificate thumbprint?
I cannot find any information about how thumbprints are generated.
Private key material:
I have a .PFX file with a single certificate and its private key. From the .PFX I export only the private key:
openssl rsa -inform p12 -in cert.pfx -outform der -out cert.key.der
It is not possible to get a certificate fingerprint from the private key only. The private key matches only the public key in the certificate. There can actually be multiple certificates using the same public and private key, all having different certificate fingerprints. This is not uncommon: certificate renewals often use the same key pair as the previous (expired) certificate.
What would be possible is to get the public key fingerprint, but not the certificate fingerprint.
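The point made in this answer can be checked directly with openssl. The script below is an added example, not part of the original post: it constructs one RSA key pair and two self-signed certificates for it (a "renewal" with a different subject), then compares the SHA-1 thumbprints of the certificates with a SHA-256 fingerprint of the SubjectPublicKeyInfo, the latter computed both from the certificates and from a DER private key alone, as in the question's cert.key.der. The file names, subjects and the choice of SHA-256 for the public-key fingerprint are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): one RSA key pair, two certificates.
# A certificate thumbprint hashes the whole DER certificate, so it changes with
# every re-issue; a public-key fingerprint hashes only the SubjectPublicKeyInfo,
# which the private key alone is enough to reproduce.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hex digest of stdin. Printing the last field tolerates both layouts openssl
# prints ("(stdin)= <hex>" and "SHA256(stdin)= <hex>").
hexdigest() { openssl dgst "$1" | awk '{print $NF}'; }

# Certificate fingerprint (thumbprint): SHA-1 over the DER-encoded certificate.
cert_fingerprint() { openssl x509 -in "$1" -outform DER | hexdigest -sha1; }

# Public-key fingerprint taken from a certificate: SHA-256 over the DER
# SubjectPublicKeyInfo embedded in it.
cert_spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | hexdigest -sha256
}

# Public-key fingerprint derived from a DER private key only (the question's
# cert.key.der situation): the public half is recomputed from the private key.
privkey_spki_fingerprint() {
  openssl pkey -inform DER -in "$1" -pubout -outform DER | hexdigest -sha256
}

# Constructed material: one key pair (PEM and DER) and two self-signed
# certificates for it with different subjects.
setup() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key.pem" 2>/dev/null
  openssl pkey -in "$WORK/key.pem" -outform DER -out "$WORK/key.der"
  openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=example.test" \
    -days 1 -out "$WORK/cert1.pem" 2>/dev/null
  openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=example.test/O=Renewed" \
    -days 1 -out "$WORK/cert2.pem" 2>/dev/null
}

main() {
  setup
  echo "cert1 SHA-1 thumbprint : $(cert_fingerprint "$WORK/cert1.pem")"
  echo "cert2 SHA-1 thumbprint : $(cert_fingerprint "$WORK/cert2.pem")"
  echo "cert1 SPKI SHA-256     : $(cert_spki_fingerprint "$WORK/cert1.pem")"
  echo "cert2 SPKI SHA-256     : $(cert_spki_fingerprint "$WORK/cert2.pem")"
  echo "key.der SPKI SHA-256   : $(privkey_spki_fingerprint "$WORK/key.der")"
}

main
```

The two thumbprints differ while the three SPKI fingerprints are identical, which is exactly the answer's claim: the private key pins down the public key, not the certificate. Matching a key against a certificate in practice is therefore done on the public-key fingerprint (or on the key's modulus), never on the certificate thumbprint.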

What is the purpose of a keystore?

Normally cacerts is used as a truststore, meaning a store where we put the certificates of other servers so that we can authenticate them (we trust connections from these servers only if they use the same certificate as in the truststore).
Whereas a keystore is normally used for storing keys (they are used when we act as a server).
But the problem is that I find on the internet commands for adding certificates to a keystore too, and that there's no basic functionality in keytool for adding a private key to a keystore.
So I started wondering whether I misunderstood the purpose of a keystore and its role. Can anyone tell me if I'm wrong?
Technically a KeyStore and a TrustStore are of the same type. They just serve different purposes based on what they contain.
A KeyStore is simply a database or repository or a collection of certificates, secret keys or key pairs. When a KeyStore contains only certificates, you call it a TrustStore.
When you also have private keys associated with their corresponding certificate chain (key pair or asymmetric keys), it is called a KeyStore.
There are different types of KeyStores the JCE provider supports:
JKS (Java Key Store) --> When you have only certificates, it is a TrustStore. When you also have private keys associated with the certificate chain, it is a KeyStore.
JCEKS (Java Enhanced Key Store) --> These can store what JKS can store and additionally secret keys (symmetric keys) too. You cannot store secret keys in JKS type KeyStores.
PKCS12 --> This is like a KeyStore but a different type called PKCS12. These can store private keys along with their certificate chains. But the standard is to have one entry only, i.e. one private key and its associated certificate chain.
Their purposes are broad, but they are generally used for these purposes:
JKS - Securing your web server.
JCEKS - Storing your encryption keys (symmetric); can also be used to secure a web server.
PKCS12 - When a web server is set up for two-way SSL, it requires the clients to authenticate to the server. In these cases, the client would generate a key pair, generate a CSR (PKCS10) from it and have it signed by a Certificate Authority (CA). The client is then given a certificate chain, which the client associates with its private key in a PKCS12 KeyStore. It can then be used to make the SSL connection.

How to create a .pfx certificate from a .cer without the private key?

I would like to import an SSL certificate on a Microsoft Azure website.
I generated the .csr request file using the Windows command "certreq" directly on my laptop (not on the server).
I retrieved a CER certificate using this .csr file.
But now I'm blocked: the Azure websites page wants a .pfx file and refuses the .cer file.
I tried to use www.sslshopper.com to transform my .cer certificate into a .pfx file but it needs the private key...
So here are my questions:
* Can I transform a .cer to .pfx without the private key?
* How can I get the private key used by the certreq command on my laptop?
Thanks!
As far as I know, certreq stores your private key in your certificate store when it generates the CSR, and you need to finish the certificate request on the same computer where you generated the CSR. There is an issue about finding the private key after using certreq for CSR generation.
Based on your description, you could follow this tutorial to import your signed certificate into the Windows local computer certificate store by using certreq, then click "Start > Run", type certmgr.msc to manage computer certificates, right-click the certificate root node and choose "Find Certificates" to find your certificate as follows:
Click to export your certificate, choose the option "export the private key", then export your certificate to a .pfx file. Also, you could use DigiCertUtil to export your certificates.
Additionally, for more flexibility over your private key than certreq gives you, you could use the OpenSSL command line tool to generate your private key and your certificate signing request instead of certreq. Also, for a simple way, you could use the GUI tool startcomtool to generate your CSR and export the certificates.
You need to associate the private key with the issued certificate. Depending on the context used in certreq (current user or local machine context), run the appropriate command:
certreq -user -accept path\certfile.cer
Or
certreq -accept path\certfile.cer

Worklight Adapter Mutual SSL

Followed the steps to integrate Worklight with a backend system. In 5.0.6 adapters should support mutual SSL.
Imported the cert into default.keystore with the alias cert1.
Modified the adapter's sslCertificateAlias to cert1.
When using Worklight Studio to run the deployed adapter connecting to the server, it complains about "Unable to find certificate chain with alias: 'cert1'".
What steps are missing?
Check the "ssl.keystore.*" properties in the "worklight.properties" file, then check whether the cert exists in the keystore file using keytool:
keytool -list -keystore default.keystore
Here are the steps to configure mutual SSL between the adapter and the backend server with self-signed certificates:
generate the adapter's private key in "default.keystore" and export its public certificate
import the adapter's certificate into the backend truststore file
in case the backend doesn't have a CA-signed certificate:
generate the backend's private key in its keystore file and export its public certificate
import the backend's public certificate into the "default.keystore" file on the WL server
Check the worklight.properties file. Make sure that the SSL-related settings point to default.keystore.
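The four steps above, carried out end to end with openssl so they can be run anywhere. This is an added example and not Worklight's own tooling: PKCS12 files stand in for the JKS "default.keystore" and the backend keystore, PEM bundles stand in for the two truststores, the party names, aliases, hostnames and the password changeit are constructed, and the check is openssl verify against each truststore rather than a live TLS handshake. A third party that nobody imported is included to show that trust is per certificate.

```shell
#!/bin/sh
# Added example (not from the original answer): self-signed mutual SSL setup.
# Each party keeps its own key pair in a keystore and trusts exactly the peer
# certificates that were exported and imported into its truststore.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # constructed keystore password

# Generate a party's private key and self-signed certificate, store the pair in
# that party's keystore under the given alias, and export the public certificate.
make_party() {            # $1 = party name, $2 = alias, $3 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$3" -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  openssl pkcs12 -export -name "$2" -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -passout "pass:$PASS" -out "$WORK/$1.keystore.p12"
  cp "$WORK/$1.crt" "$WORK/$1.exported.crt"     # the exported public certificate
}

# Import a peer's exported certificate into a party's truststore (PEM bundle).
trust_cert() {            # $1 = party whose truststore grows, $2 = peer name
  cat "$WORK/$2.exported.crt" >> "$WORK/$1.truststore.pem"
}

# Does party $1's truststore accept party $2's certificate? Prints OK or FAIL.
verify_peer() {
  if [ -f "$WORK/$1.truststore.pem" ] &&
     openssl verify -CAfile "$WORK/$1.truststore.pem" "$WORK/$2.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Aliases present in a PKCS12 keystore (the same thing keytool -list reports).
keystore_aliases() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -nodes 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | sort -u
}

setup() {
  make_party adapter cert1   adapter.example.test   # step 1: adapter key + exported cert
  trust_cert backend adapter                        # step 2: backend trusts the adapter
  make_party backend backend backend.example.test   # step 3: backend has no CA-signed cert
  trust_cert adapter backend                        # step 4: adapter trusts the backend
  make_party other   other   other.example.test     # never imported anywhere
}

main() {
  setup
  echo "aliases in adapter keystore: $(keystore_aliases "$WORK/adapter.keystore.p12")"
  echo "backend trusts adapter: $(verify_peer backend adapter)"
  echo "adapter trusts backend: $(verify_peer adapter backend)"
  echo "adapter trusts other:   $(verify_peer adapter other)"
}

main
```

If the alias listing comes back empty, the keystore was built without the key pair, which is the situation behind the "Unable to find certificate chain with alias" error in the question; if one of the two verify checks fails, the corresponding export/import step was skipped and the handshake would fail in that direction only.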
Figured it out yesterday. You have to configure the certificate chain in the proper way.
All certificates (server cert, first-level cert and root cert) have to be combined into one in a specific order and imported together with the private key into the keystore. Then use one alias name so that the Worklight adapter can find it.
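What "combined into one and imported with the private key under one alias" looks like in practice, for this answer and for the PKCS12 description in the keystore answer further up (one entry: one private key plus its certificate chain). This is an added example, not from either answer: it constructs a throwaway root CA, an intermediate and a server certificate with openssl, concatenates them in the order server, intermediate, root, and packs key and chain into a single PKCS12 entry named cert1. The CA names, the hostname adapter.example.test, the file default.keystore.p12 and the password changeit are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): three-level chain
# (root CA -> intermediate CA -> server) packed with the server key into ONE
# keystore entry under the alias cert1.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # constructed keystore password

new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Root CA: self-signed (openssl req -x509 marks it CA:TRUE by default).
make_root() {
  new_key "$WORK/root.key"
  openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Sample Root CA" \
    -days 1 -out "$WORK/root.crt" 2>/dev/null
}

# Issue a certificate for $1, signed by $2, with extensions from $3 and CN $4.
issue() {
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$4" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
  make_root
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:adapter.example.test\n' > "$WORK/leaf.ext"
  new_key "$WORK/int.key";    issue int    root "$WORK/ca.ext"   "Sample Intermediate CA"
  new_key "$WORK/server.key"; issue server int  "$WORK/leaf.ext" "adapter.example.test"
  # Chain file in the order the answer describes: server cert, first-level cert, root cert.
  cat "$WORK/server.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# Does the server cert chain up to the root through the intermediate? Prints OK/FAIL.
verify_chain() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/server.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Private key + full chain as a single keystore entry with one alias.
make_keystore() {
  openssl pkcs12 -export -name cert1 -inkey "$WORK/server.key" -in "$WORK/chain.pem" \
    -passout "pass:$PASS" -out "$WORK/default.keystore.p12"
}

# How many certificates travel with the key, and under which alias.
keystore_cert_count() {
  openssl pkcs12 -in "$WORK/default.keystore.p12" -passin "pass:$PASS" -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
keystore_alias() {
  openssl pkcs12 -in "$WORK/default.keystore.p12" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

main() {
  build_chain
  echo "chain verifies: $(verify_chain)"
  make_keystore
  echo "certificates stored with the key: $(keystore_cert_count)"
  echo "entry alias: $(keystore_alias)"
}

main
```

Java reads the result as-is (keytool -list -keystore default.keystore.p12 -storetype PKCS12 shows one PrivateKeyEntry whose chain length is 3), which is the state the adapter's sslCertificateAlias needs to point at: a key entry, not a separate trusted-certificate entry for each certificate.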