Generate CSR without any extra attributes in distinguished name (DN) except common name and country - glassfish

My domain provider only allows me to set common name and country in the CSR, but with keytool, empty attributes will always be set to [Unknown].
Is there a possibility to set these attributes empty?
Or can I generate a CSR for glassfish with OpenSSL?

There is an option to supply the DN value as you wish, instead of the keytool constructing it for you.
You could use the -dname option, like this:
keytool -genkeypair -keystore test.jks -storepass password -dname 'CN=localhost,C=US' -keyalg rsa -keysize 2048

Related

x509 certificate subject DN

I need to create a self signed certificate with my own Subject DN. Example: I want to set username in Subject DN. I will retrieve this information using X509Certificate.getSubjectDN().getName().
I was able to set the IssuerDN using the -dname option of keytool.
keytool -genkey -keyalg RSA -dname "CN=MyApp ACES CA 2, OU=MyApp Public Sector, O=MyApp, C=US" -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
getIssuerDN().getName()
getSubjectDN().getName()
prints following:
CN=MyApp ACES CA 2, OU=MyApp Public Sector, O=MyApp, C=US
CN=MyApp ACES CA 2, OU=MyApp Public Sector, O=MyApp, C=US
Not sure how to set the Subject DN using java keytool or openssl.
Thanks

How to import a secret key into key store by keytool

I would like to make my Liberty application connect to the Bluemix Secure Gateway's destination with TLS Mutual Auth. I tried to create a key store and import a cert and a secret key into the key store by keytool, but I don't know the keyalias of the secret key. I can't execute the command which imports the secret key into the key store. (The cert and the secret key were provided by Bluemix Secure Gateway's destination with TLS Mutual Auth(*))
*Bluemix Secure Gateway
https://www.ng.bluemix.net/docs/services/SecureGateway/index.html
Could you teach me how to know the keyalias of the secret key?
Or could you teach me any other way by keytool (not java code) to create a keystore and import the secret key and cert, other than the following procedure?
[the files provided by Bluemix Secure Gateway's destination]
destination_id_key.pem
destination_id_cert.pem
[procedure]
1. create a key store and import the cert into the key store at once
# keytool -import -file *destination_id*_cert.pem -keystore myKeyStore.jks -storepass password -alias mutual_cert
2. import the secret key into the key store
# keytool -importseckey -keyalias XXXXX -keystore myKeyStore.jks -storepass password -storetype jks -importfile *destination_id*_cert.pem
There is an example using openssl in the documentation to create a key store using the destination cert and key.
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_023.html#sg_007
As far as I'm aware, the alias value is a name that you set to identify that particular key within your own keystore. The key/cert does not have its own alias, so it's completely up to you what alias to use. Later if you need to remove that key/cert, or perform some other action on it, then you use your custom alias in the command. So you can just do something like this:
# keytool -importcert -alias myCustomAlias -file *destination_id*_cert.pem -keystore myKeyStore.jks -storepass password -storetype jks
Afterwards, use the command keytool -list -keystore myKeyStore.jks to see a list of your keys/certs. Each entry will be listed under the alias that you chose for that key/cert, e.g.:
myCustomAlias, 01-Jul-2015, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD
Note: -importseckey, -keyalias and -importfile that you have used in your example command are not valid options for keytool. -importcert, -alias and -file are the correct option names, but they may just have been typos on your part when creating the question.
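The OpenSSL route mentioned above, as an added example that is not part of the original answers or of the Bluemix documentation: keytool cannot read a PEM private key directly, so the key and certificate are bundled into PKCS#12 and converted with -importkeystore, which yields a PrivateKeyEntry rather than the trustedCertEntry that -importcert creates. The throwaway key and certificate, the file names, the aliases and the password are all constructed for the demo.

```shell
#!/bin/sh
# Added example: file names, aliases and the password are constructed for this demo.
PASS=changeit

# pem_to_keystore KEY.pem CERT.pem ALIAS OUT.jks
pem_to_keystore() {
    # Bundle key and certificate; -name becomes the alias inside the keystore.
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" \
        -out "$4.p12" -passout "pass:$PASS" || return 1
    keytool -importkeystore -noprompt \
        -srckeystore "$4.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -destkeystore "$4" -deststoretype JKS -deststorepass "$PASS" \
        </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$4.p12"   # the intermediate bundle also holds the private key
    return "$rc"
}

# entry_type KEYSTORE ALIAS: print PrivateKeyEntry or trustedCertEntry
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
        sed -n -e 's/.*PrivateKeyEntry.*/PrivateKeyEntry/p' \
               -e 's/.*trustedCertEntry.*/trustedCertEntry/p'
}

d=$(mktemp -d)
# Throwaway key and self-signed cert standing in for the two provided PEM files.
if openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-destination" \
       -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
   pem_to_keystore "$d/key.pem" "$d/cert.pem" mutual_key "$d/myKeyStore.jks"; then
    echo "PKCS#12 route: $(entry_type "$d/myKeyStore.jks" mutual_key)"
    # For contrast: -importcert alone stores only the certificate.
    keytool -importcert -noprompt -alias mutual_cert -file "$d/cert.pem" \
        -keystore "$d/certOnly.jks" -storepass "$PASS" >/dev/null 2>&1
    echo "-importcert:   $(entry_type "$d/certOnly.jks" mutual_cert)"
else
    echo "openssl or keytool failed" >&2
fi
rm -rf "$d"
```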

Add e-mail to CSR generated with keytool

As per this: http://en.wikipedia.org/wiki/Certificate_signing_request the CSR can contain an email address.
My question is how can I add such an e-mail address field, considering I'm generating the CSR with keytool?
Thank you.
When generating the key pair you can pass the Distinguished Name as a parameter with the -dname flag and thus add the EMAILADDRESS attribute.
keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048 -dname "CN=Your Name, EMAILADDRESS=your.name@example.com, C=UK"

How to add subject alternative name to ssl certs?

I'm using openssl to create self-signed certs. I'm getting this error with the certs I generated:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
Does anyone know how to specify "Subject alternative name" while creating a cert?
This is how I'm generating a keystore:
sudo $JAVA_HOME/bin/keytool -genkey -dname "CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA" -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd
To generate a key:
openssl s_client -connect 192.168.x.xxx:8443 2>/dev/null
Please help! Thanks!
Although this question was more specifically about IP addresses in Subject Alt. Names, the commands are similar (using DNS entries for a host name and IP entries for IP addresses).
To quote myself:
If you're using keytool, as of Java 7, keytool has an option to include a Subject Alternative Name (see the table in the documentation for -ext): you could use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1
Note that you only need Java 7's keytool to use this command. Once you've prepared your keystore, it should work with previous versions of Java.
(The rest of this answer also mentions how to do this with OpenSSL, but it doesn't seem to be what you're using.)
Both IP and DNS can be specified with the keytool additional argument -ext SAN=dns:abc.com,ip:1.1.1.1
Example:
keytool -genkeypair -keystore <keystore> -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass <keypwd> -storepass <storepass> -keyalg RSA -alias unknown -ext SAN=dns:test.abc.com,ip:1.1.1.1
When generating the CSR, it is possible to specify the -ext attribute again to have it inserted in the CSR:
keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com
complete example here: How to create CSR with SANs using keytool
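A check for the two points made on this page (a subject limited to CN and C via -dname, and a SAN carried into the CSR via -ext), as an added example that is not taken from the original answers: it creates a key pair, writes the CSR, and reads it back with keytool -printcertreq to confirm what a CA would receive. The alias, file names, host names and password are constructed, and a PKCS12 keystore is used so that no separate key password is needed.

```shell
#!/bin/sh
# Added example: alias, file names and the password are constructed for this demo.
PASS=changeit

# make_csr DIR CN COUNTRY SAN: create DIR/demo.p12 and DIR/demo.csr
make_csr() {
    # -dname supplies the complete subject, so keytool fills in nothing itself.
    keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=$2,C=$3" -ext "SAN=$4" \
        -keystore "$1/demo.p12" -storetype PKCS12 -storepass "$PASS" \
        </dev/null >/dev/null 2>&1 || return 1
    # Repeat -ext so the SAN is also inserted in the request sent to the CA.
    keytool -certreq -alias demo -ext "SAN=$4" -file "$1/demo.csr" \
        -keystore "$1/demo.p12" -storetype PKCS12 -storepass "$PASS" \
        </dev/null >/dev/null 2>&1
}

# csr_subject FILE: print the subject DN the CA will see
csr_subject() {
    keytool -printcertreq -file "$1" | sed -n 's/^Subject: *//p'
}

# csr_has_san FILE ENTRY: succeed if ENTRY (e.g. "DNSName: host") is requested
csr_has_san() {
    keytool -printcertreq -file "$1" | grep -F -q -- "$2"
}

demo_dir=$(mktemp -d)
if make_csr "$demo_dir" localhost US "dns:test.example.com,ip:10.0.0.1"; then
    echo "subject: $(csr_subject "$demo_dir/demo.csr")"
    csr_has_san "$demo_dir/demo.csr" "DNSName: test.example.com" && echo "DNS SAN present"
    csr_has_san "$demo_dir/demo.csr" "IPAddress: 10.0.0.1" && echo "IP SAN present"
else
    echo "keytool failed (is a JDK 7+ keytool on PATH?)" >&2
fi
rm -rf "$demo_dir"
```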

Create X.509 Authorization Certificate

Can we programmatically create X.509 Certificate which contains arbitrary attributes e.g. Age, Gender, Designation etc.
I need to create Authorization Certificate, which client application will present to server application before executing the required function.
I am using Java and C#, so any solution/suggestion is good for me.
Have a look at this site for a start.
Create keystore
keytool -genkey -alias youralias -keyalg RSA -keypass yourpassword123 -keystore yourKeystoreRSAMD5 -storepass store123 -sigalg MD5WITHRSA -validity 9999 -dname "CN=Common Name, OU=XYZ, O=Your company name, L=Your Town, S=Region, C=Countryname"
Export cert file in PEM format
keytool -export -rfc -alias youralias -file rsamd5YourKey.cer -keystore yourKeystoreRSAMD5 -storepass store123