I tried installing SSL certificate I purchased from Godaddy (CN = my domain) following below steps. And after the last step I did a GREP search for .jks in repository/conf directory and replaced all keystore configs (wso2carbon.jks) to my JKS and password. Restarted the server. It started giving a bunch of errors and server not started properly.. But when I changed ONLY catalina_server.xml's configuration and undo all others, it started and SSL was working only for 9443 port but when I checked the cert installation from a SSL checker tool, it said cert was not installed properly. And even API gateway endpoints were not working with SSL (browser rejects cert) and it was port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create CSR - copy output and submit to Go Daddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the Certificates for tomcat you will get below certificates.
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join root and intermediate certificate
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias keys -deststorepass -destkeypass
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create pkcs12 keystore
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create JKS from pkcs keystore.
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract key file to add client keystore
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add key to client-truststore.jks
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon
Related
I have installed ActiveMQ Artemis in Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses keystore and truststore. How to create those and how to enable SSL for MQTT protocol?
Below shows configuration broker.xml
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true
sslEnabled=true;
keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
trustStorePath=home/certs/server-ks/server1.p12;
trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) to keystore and truststore
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
As above same I have created/converted for client keystore.
I need to connect broker using MQTT.FX client with self signed client keystore.
How to achieve this I am getting confused. Please help me if any one have idea.
In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.
I'm using CAS using the gradle overlay method. I am able to use it with a self signed certificate. However, when I try to use a certificate from the FreeIPA certificate authority, I am getting the following error message:
2018-02-03 13:39:54,298 ERROR [org.apache.catalina.core.StandardService] - <Failed to start connector [Connector[HTTP/1.1-8443]]>
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]
...
Caused by: java.lang.IllegalArgumentException: java.io.IOException: Alias name [null] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]
I have added the FreeIPA CA certificate to /usr/java/jdk1.8.0_152/jre/lib/security/cacerts
And, put the certificate into /etc/cas/thekeystore
This is the solution:
openssl req -nodes -newkey rsa:2048 -sha256 -keyout cas.key -out cas.csr
[Send CSR to certificate authority]
[Download CA certificate PEM file]
[Download CAS certificate PEM file]
cp cas.key /etc/pki/tls/private/.
cp cas.crt /etc/pki/tls/certs/.
cp freeipa_ca.crt /etc/pki/tls/certs/.
cat cas.pem freeipa_ca.pem > cas_all.pem
openssl pkcs12 -export -inkey /etc/pki/tls/private/cas.key -in cas_all.pem -name cas -out cas.p12
keytool -delete -alias cas -keystore /etc/cas/thekeystore
keytool -list -keystore /etc/cas/thekeystore -v
keytool -importkeystore -srckeystore cas.p12 -srcstoretype pkcs12 -destkeystore /etc/cas/thekeystore
Please help... I am using keytool to generate certificate request with sigal SHA256withRSA and using openssl to sign the csr using self generated CA but the output certificate I am receiving is showing signature algorithm as SHA1withRSA. I have verified .csr, self generated CA and they all have SHA256withRSA and in openssl.conf file, there's no mention of algorithm so I haven't got a clue from where it is picking up SHA1withRSA and how to resolve.
Commands I am running : -
To generate Keypair
KEYTOOL -genkeypair -alias servercert1 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=servercert1,dn=domain,dn=com" -validity 1095 -keystore server1.keystore -storepass *** -keypass same -v
To generate csr
KEYTOOL -certreq -sigalg SHA256withRSA -alias servercert1 -file server1.csr -keystore server1.keystore -storepass ***
To sign csr using openssl
OPENSSL x509 -in server1.csr -out server1.pem -dates -days 1095 -req -CA selfsignedca.pem -CAkey selfsignedcapvt.key -CAcreateserial -passin pass:caroot_password -extfile openssl.conf -extension v3_req -text*
This is a little bit of an unusual situation. I have a CentOS 7 server running tomcat 7 and I need to install a new SSL cert for it. I don't have control over the domain so the cert generated for me was given to me by the parent company and it's for a start cert (*.domain.com). Even though I sent them a csr, they ignored it and made a new one for me. The package they sent has a csr file, key, two formats of the cert (crt and p7s), and an intermediary pem.
I'm trying to create a new keystore using these files and am having difficulty doing it. I found this site https://makandracards.com/jan0sch/24553-import-private-key-and-certificate-into-java-keystore and have tried:
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
I changed the CAfile to use the pem file supplied, but I get "unable to load certificates"
Anyone have any ideas?
EDIT:
I used this to make the p12 and then import it in the keystore but I don't know how to include the intermediate cert.
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile my.crt -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
EDIT2:
I'm trying this command to get a pfx file and then
EDIT3:
My intermediate cert had a bunch of spaces preceding the "-----BEGIN CERTIFICATE-----" which was causing an error.
Looks like all I had to do was this:
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile intermediary.pem -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
Didn't even need to put in the intermediate cert.
I am trying to import a certificate and a key file into the keystore but I'm unable to do that.
How can I create a keystore by importing both an existing certificate (abc.crt) and abc.key files?
The easiest is probably to create a PKCS#12 file using OpenSSL:
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12
You should be able to use the resulting file directly using the PKCS12 keystore type.
If you really need to, you can convert it to JKS using keytool -importkeystore (available in keytool from Java 6):
keytool -importkeystore -srckeystore abc.p12 \
-srcstoretype PKCS12 \
-destkeystore abc.jks \
-deststoretype JKS
You must use OpenSSL and keytool.
OpenSSL for CER & PVK file > P12
openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12
Keytool for p12 > JKS
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
Adding to #MK Yung and #Bruno's answer.. Do enter a password for the destination keystore. I saw my console hanging when I entered the command without a password.
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12 -name localhost -passout pass:changeit
In addition to #Bruno's answer, you need to supply the -name for alias, otherwise Tomcat will throw Alias name tomcat does not identify a key entry error
Sample Command:
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name localhost
Ideally you should have received 3 files:
ca_bundle.crt yourname.crt yourname.key
Use the following command to create the pk cs 12 version of it with:
openssl pkcs12 -export -out yourname.pfx -inkey yourname.key -in yourname.crt -certfile ca_bundle.crt
Then you will need to import it into key store that is easy to configure in Apache
keytool -importkeystore -srckeystore yourname.pfx -srcstorepass yourpassword -srcstoretype pkcs12 -destkeystore yourkeystore.jks -deststoretype jks -deststorepass yourkeystorepassword
If the keystore is for tomcat then, after creating the keystore with the above answers, you must add a final step to create the "tomcat" alias for the key:
keytool -changealias -alias "1" -destalias "tomcat" -keystore keystore-file.jks
You can check the result with:
keytool -list -keystore keystore-file.jks -v