I am using keycloak-8.0.1 in standalone configuration . I am trying to enable SSL/Https for Keycloak server running on my Test machine (A.B.C.D) , token request will be requested from machine (X.Y.Z.P).
(Will there be any CORS/CSRF issue for the generated token , looks like yes ? And will Keycloak over SSL help to solve this?) Nevertheless i require SSL enabling .
So went ahead with https://www.keycloak.org/docs/latest/server_installation/#enabling-ssl-https-for-the-keycloak-server
Step 1 Run command :
keytool -genkey -alias localhost -keyalg RSA -keystore keycloak.jks -validity 10950
...
two files server.key and keycloak.jks got created.
Question : should i used localhost here or better to use IP A.B.C.D of my Test machine? Though documentation says localhost so went ahead with that.
Step 2 Generate a certificate request :
$ keytool -certreq -alias yourdomain -keystore keycloak.jks > keycloak.careq
I can also generate the cert request using localhost/A.B.C.D.
Step 3: Send the cert req created in above step to CA and download the root cert from CA(root.crt) and import using command:
keytool -import -keystore keycloak.jks -file root.crt -alias root
Do i have to skip this step for localhost and if not how to generate root.crt for localhost.
step 4: last step is to import CA generated certificate to keystore
$ keytool -import -alias yourdomain -keystore keycloak.jks -file your-certificate.cer
Question: Now i have only two files generated in very first step "server.key" and keycloak.jks
and from where i should get root.crt and your-certificate.cer ? I tried uploading the ca request to CAcert.org but they dont create certificate for localhost DNS.
I already went through lot of links link1 , link2 , link3 link4 and getting confused
Please help.
Answer 1-
If you are testing this in your local machine you can use localhost but better would be if you are using IP-address or host name
Answer 3
Again if its for your testing you can use Self Sign Certificate only,No need to go to Ads Certificate authority.
Answer 4-
So for localhost or your machine IP simple Create Certificate with the help of keytool
keytool -genkey -alias initcert -ext san=ip:xxx.xxx.xxx.xx -keyalg RSA -keystore keycloak.jks-validity 365 -keysize 2048
Export the certificates
keytool -export -noprompt -trustcacerts -keystore keycloak.jks -alias initcert -file keycloak.cer -storepass changeit
Import Certificates into Client machine Java Keystore
keytool -import -noprompt -trustcacerts -alias "initcert" -file keycloak.cer -keystore /workspace/tools/jdk/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/lib/security/cacerts
Related
I'm tinkering with a self-signed certificate on RH Linux 7 for a tomcat instance, but having a hell of a time so that I don't have browser warnings. I've followed this guys instructions here (Getting Chrome to accept self-signed localhost certificate) and tried importing the .crt into my tomcat instance using keytool. Using the following commands -
Create the keystore - keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Import the myCA.pem file created in the stackoverflow steps - keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file myCA.pem
And finally import the .crt created from the stackoverflow - keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file signed.crt
Now on the Linux 7 box I can access server.domain.com:8443 or server:8443 with a warning, but on my Windows workstation I can only access server:8443, not the FQDN. I've imported both the myCa.pem and signed.crt into my computer as trusted root authorities.
What am I doing wrong? Thanks much!
What I could understand is . You have generated SSL certs and imported in you machine.
Hope you have updated the conf/server.xml with ssl information . After updating restart the service and check
I am trying to establish a secure connection for my application using jetty http server version 8.1.8.v20121106 with self signed certificate.
I am generating self signed certificate with the following command,
keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keypass password -keystore keystore.jks -storepass password
keytool -export -alias mykey -file server.cer -keystore keystore.jks -storepass password
keytool -import -alias mykey -file server.cer -keystore truststore.jks -storepass password
So, totally 3 files generate (keystore.jks,server.cer,truststore.jks)
After the server gets started, I got the following error in my browser. There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).
Could anyone help me to generate a trusted self signed certificate using keytool.
Thanks in advance.
It is the problem with java jdk. I have verified using java 1.8 and jdk1.7.0_79 it is working fyn for me. Change your java jdk version and verify. For further clarification, Please refer this link.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=398644
[EDIT]
I used those two commands to generate the csr:
keytool -genkey -alias tomcat -keyalg RSA -keystore XY.key
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore XY.key
gd_bundle-g2-g1.crt has 3 blocks in it, the other two have only 1.
[/EDIT]
I want to install the certificates. I want to use:
keytool -import -alias [AB] -keystore [CD.key] -trustcacerts -file [EF.crt]
I know CD; that's the keystore I generated, but what alias (AB) is correct for which certificate (EF)? The three certificates I get are:
b715e55ecaeeba39.crt
gd_bundle-g2-g1.crt
gdig2.crt
And after I did that correctly, am I right by using the:
keytool -import -alias tomcat -keystore <your_keystore_filename> -file certreq.csr
The file with which I requested the Certificate?
Thank you for your help.
You can use any alias you want as long as you specify it in the server.xml file (parameter keyAlias, case sensitive).
tomcat seems to be the default alias : https://docs.jboss.org/jbossweb/7.0.x/ssl-howto.html
I've been working on a client API using QuickFIX and I'm planning to use SSL and certificate based authentication. I generated self signed certificates for acceptor and initiator the following way:
1) Generate and export server/acceptor certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks
keytool -export -alias server -file server.cer -keystore server.jks
2) Generate and export client/initiator certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks
keytool -export -alias client -file client.cer -keystore client.jks
3) Import server/acceptor certificate to client keystore:
keytool -import -v -trustcacerts -alias server -file server.cer -keystore client.jks
4) Import client/initiator certificate to server/acceptor keystore:
keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks
Acceptor config:
SocketUseSSL=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=password
Initiator config:
SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=password
Everything seems to work fine and data is getting encrypted. However, if I remove the initiator's client.jks keystore file, I will get a QuickFIX log entry saying "client.jks: keystore not found, using empty keystore". Strange thing, the initiator is still able to connect and establish a valid FIX session. I would expected the connection to be dropped immediately since no valid certificate is provided. Am I missing something?
The client certificate is not required by default, you must set this:
NeedClientAuth=Y
I am trying to setup SSL connection for my Play application. Here is the process I followed:
keytool -genkeypair -v -alias example.com -keystore example.com.jks
-keyalg RSA -keysize 2048 -validity 385
keytool -certreq -v -alias example.com -keypass password -storepass
password -keystore example.com.jks -file example.com.csr
Submitted the CSR to godaddy and downloaded the certificates.
keytool -import -v -alias root -file gdroot-g2.crt -keystore
example.com.jks -storetype JKS
keytool -import -v -alias intermed -file gdig2.crt -keystore
example.com.jks -storetype JKS
keytool -import -v -alias example.com -file 46826eerd8c69.crt
-keystore example.com.jks -storetype JKS
After this added 127.0.0.1 www.example.com to my /etc/hosts and started the play server as below.
./activator -Dhttps.port=9443
-Dhttps.keyStore=/tmp/ssl/example.com.jks -Dhttps.keyStorePassword=password run
Now when I try to access the url via browser https://www.example.com:9443, I see the following message. No errors on the server.
Unable to make a secure connection to the server. This may be a
problem with the server, or it may be requiring a client
authentication certificate that you don't have. Error code:
ERR_SSL_PROTOCOL_ERROR
I have no clue of what's happening. I followed the entire process twice, but still no luck.
Any help is appreciated.
The issue is because of accessing the application by adding 127.0.0.1 www.example.com to /etc/hosts. I followed the same procedure on a remove server and added it's ip to /etc/hosts, then things started worked fine.
Seems like for some reason the certificate is not getting accepted by loopback ip in /etc/hosts.