I have a combined .pem file which looks like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
I think this is a combination of ssl, key and ca. I need to convert this to truststore.jks and keystore.jks for my service.
openssl pkcs12 -export -out cert.pkcs12 -in cert
keytool -importcert -v -trustcacerts -alias eb-srv -file cert.pkcs12 -keystore truststore.jks
However this throws:
keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2861)
at sun.security.tools.keytool.Main.doCommands(Main.java:1050)
at sun.security.tools.keytool.Main.run(Main.java:366)
at sun.security.tools.keytool.Main.main(Main.java:359)
Same happens if I try:
openssl x509 -outform der -in cert -out cert.der
keytool -import -alias eb-srv -keystore cacerts -file cert.der
The first command you have (openssl) will create a keystore in PKCS12 format for you. However for the truststore you need to add each of the certificate in the chain individually.
When you have a certificate chain that is in the below format, it is usually in this hierarchy.
-----BEGIN CERTIFICATE-----
User
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Sub CA/CA
-----END CERTIFICATE-----
...
What you should be adding to the truststore are the CA and Sub CA certificates. So you need to separate these certificates into different files, and run this command for each certificate. Note that you don't need to do this for the user certificate.
keytool -importcert -keystore truststore.jks -storepass [password] -file [certificate_file]
The first command will create the keystore in PKCS12 format. If you need it other format like jks, you can run this command:
keytool -importkeystore -srckeystore [pkcs12_keystore] -srcstorepass [pkcs12_password] -srcstoretype pkcs12 -destkeystore [jks_keystore_file] -deststorepass [jks_keystore_password] -deststoretype jks
Related
I recently received a signed certificate to use with haproxy SSL termination. In order for haproxy to use this, I needed to convert the jks file to a pem file. First, I converted the cer files I received into crt, as I had a previous error where haproxy was not able to find the crt files in the pem file. Do this for all certs:
$ openssl x509 -inform PEM -in <CER file here> -out <CRT output file>
I then import the root, intermediate, and service certs to the keystore, which already has the private key:
keytool -importcert -file $CERT -alias $ALIAS -keystore test.jdk
I then convert the jsk file to a p12 file, followed by converting that to a pem file:
$ keytool -importkeystore -srckeystore test.jks -destkeystore test.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:
$ openssl pkcs12 -in test.p12 -out test.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
This generates a pem file with the following format:
Bag Attributes
friendlyName:
localKeyID:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
localKeyID:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Obviously, there is a lot of information missing from this, as I do not want to share that online; however, the structure is pretty much identical.
When I link this to haproxy:
frontend https
maxconn 2000
bind 0.0.0.0:4000 ssl crt /home/user/config/cert/test.pem
And I run it with haproxy -d -f haproxy.cfg, I'm asked to enter the PEM pass phrase. I need to be able to start haproxy automatically on server start up, so I can't enter this every time I want to run it. Is there any way to remove the pass phrase, or generate a pem file without one? Or can I supply via a script? The script I use to start haproxy on server start up is just the command you see above, with nohup to redirect the output.
Also, when I go to one of the services fronted by haproxy, Chrome still warns me that the CA is not trusted, like when I used a self signed certificate. Is there anything else I need to do beyond what I have above?
You will need to copy the password protected key to a not password protected key.
openssl rsa -in test.pem -out test-password-less.key
To provide the PEM now to HAProxy will you also need the certificate.
cat both Files to one PEM File for haproxy.
cat $CERT test-password-less.key > haproxy-test.pem
or instead remove pem passphrase on e.g an Amazon EC2 Fedora Linux instance:
sudo ssh-keygen -p -f EC2.pem
Currently I am doing the API load test using the LoadRunner, where the mTLS is implemented on the server side. Also I am able to include the certficates(2 pem files) using the web_set_certificate_ex function by passing the cerificate paths(clientA-crt.pem and clientA-key.pem) - the calls works perfectly fine.
Now we are planning to use jmeter for load testing. As first step, I converted pem into p12 format using the following command
openssl pkcs12 -export -out Cert.p12 -in clientA-crt.pem -inkey clientA-key.pem -passin pass:root -passout pass:root
https://www.ibm.com/support/knowledgecenter/en/SSPH29_9.0.3/com.ibm.help.common.infocenter.aps/t_ConvertthepfxCertificatetopemFormat068.html
Then next step I am converting the cert.p12 into java keystore using the following command
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root123 -keystore dex.jks -storepass root111
https://www.blazemeter.com/blog/how-set-your-jmeter-load-test-use-client-side-certificates/
The below error is encountered:
Importing keystore Cert.p12 to dex.jks...
keytool error: java.io.IOException: keystore password was incorrect
Can someone let me know where I am going wrong.
Contents of clientA-crt.pem
-----BEGIN CERTIFICATE-----
some alphanumeric values
-----END CERTIFICATE-----
Contents of clientA-key.pem
-----BEGIN RSA PRIVATE KEY-----
some alphanumeric values
-----END RSA PRIVATE KEY-----
You don't need to convert PKCS12 keystore into a JKS keystore, JMeter can deal with both types, moreover it's recommended to use PKCS12 as JKS is a proprietary format. You just need to "tell" JMeter to use PKCS12 format via system.properties file
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=Cert.p12
javax.net.ssl.keyStorePassword=root
If you want to use the .jks type for any reason you need to provide the same password as you specified during the keystore creation:
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root -keystore dex.jks -storepass root111
It might be easier to use a GUI-based tool like KeyStore Explorer if you are not too familiar with OpenSSL and Keytool command-line utilities.
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
I'm trying to
kubectl create secret tls foo-secret --key /tls.key --cert /tls.crt
From keys and certs I've used made from LetsEncrypt. This processes makes sense with self-signed certificates, but the files made by LetsEncrypt look like this:
cert.pem
chain.pem
fullchain.pem
privkey.pem
I can convert those pem files, I don't know if --key want's a public key or a private key, and the only option here is privkey.pem. I assume cert is cert.
I can convert private.pem with:
openssl rsa -outform der -in privkey.pem -out private.key
And cert.pem with:
openssl x509 -outform der -in cert.pem -out cert.crt
Is this the right process? Since I'll be using this secret for ingress oauth in place of __INGRESS_SECRET__, is this ingress suppose to have a private key? This ingress is acting as a TLS terminator for other things.
You are correct, you will need to provide your private key for the tls.key portion. However it's a good practice to automate the letsencrypt certificate generate process, using cert-manager. Check out this tutorial. Dong so will automatically create the tls secret resource for you on the cluster.
Your tls.key file is the private key and begins and ends like the following:
-----BEGIN RSA PRIVATE KEY-----
... [your private key]
-----END RSA PRIVATE KEY-----
And your tls.crt is going to be the concatenation of cert.pem and fullchain.pem, and it will look like the following:
-----BEGIN CERTIFICATE-----
...
[your cert content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
[your fullchain cert content]
-----END CERTIFICATE-----
I m trying to get ssl file from pem file
I tried to the following
openssl x509 -outform der -in C:\Users\user\Desktop\ssl\abc.pem -out C:\Users\user\Desktop\ssl\ssl.crt
ssl.crt is generated. But i couldnt open the generated crt file in notepad.
i think there should be a file like the followin? Am i wrong
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
I tried installing SSL certificate I purchased from Godaddy (CN = my domain) following below steps. And after the last step I did a GREP search for .jks in repository/conf directory and replaced all keystore configs (wso2carbon.jks) to my JKS and password. Restarted the server. It started giving a bunch of errors and server not started properly.. But when I changed ONLY catalina_server.xml's configuration and undo all others, it started and SSL was working only for 9443 port but when I checked the cert installation from a SSL checker tool, it said cert was not installed properly. And even API gateway endpoints were not working with SSL (browser rejects cert) and it was port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create CSR - copy output and submit to Go Daddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the Certificates for tomcat you will get below certificates.
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join root and intermediate certificate
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias keys -deststorepass -destkeypass
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create pkcs12 keystore
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create JKS from pkcs keystore.
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract key file to add client keystore
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add key to client-truststore.jks
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon