My client doesn't have the MobileFirst plugin for Eclipse installed, and I need to guide him to extract the public sign key for app authentication.
Is there a way to extract the public sign key from command line?
The keystore that is used to hold the key used to sign your APK is just a normal Java keystore in JKS format, which can be manipulated using the standard Java "keytool" command. You can extract the certificate in PEM format by doing something like:
keytool -exportcert -keystore keystore_name -alias alias_name -rfc > cert.txt
(where "keystore_name" is the name of the keystore file, and "alias_name" is the key alias for the key being used to sign the APK)
and then extract the public key from the "cert.txt" file you just created, by doing something like:
openssl x509 -in cert.txt -pubkey -noout
The public key you need will appear between the "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" lines.
If you wanted to do it in a single command, something like:
keytool -exportcert -keystore keystore_name -alias alias_name -storepass keystore_password -rfc | openssl x509 -pubkey -noout | grep -v PUBLIC
would extract and print just the public key, so that you could capture it in a shell variable or something.
I'm doing a TCP server in java that communicates with a client in C.
My approach so far:
# Generate server's private and public keys
keytool -genkey -alias server -keyalg RSA -keysize 2048 -validity 365 -keystore certs.jks -storepass le_pass
# Export for client
keytool -exportcert -alias server -keystore certs.jks -storepass le_pass -rfc -file server.pem
# Generate client's private and public keys
openssl req -new -x509 -days 365 -nodes -sha256 -out client.pem -keyout client.key
# Convert and import client's public key
openssl x509 -outform der -in client.pem -out client.der
keytool -import -alias server -keystore certs.jks -file client.der -storepass le_pass
The result (same if not converted):
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
If I use a different alias in the last line I get no error, but I don't think that's how it should be done?
The first command keytool -genkey -alias server ... creates both private and public keys for the alias server. No wonder it fails in the last command keytool -import -alias server ... -- you try to load a different public key for an already existing name, a public key that doesn't match the existing private key for the alias server.
I don't think that you need to save client's public key under server alias. IMHO, it should be named client, shouldn't it?
keytool -import -alias client -keystore certs.jks -file client.der -storepass le_pass
Currently I am doing the API load test using LoadRunner, where mTLS is implemented on the server side. Also, I am able to include the certificates (2 pem files) using the web_set_certificate_ex function by passing the certificate paths (clientA-crt.pem and clientA-key.pem); the calls work perfectly fine.
Now we are planning to use JMeter for load testing. As a first step, I converted the pem into p12 format using the following command:
openssl pkcs12 -export -out Cert.p12 -in clientA-crt.pem -inkey clientA-key.pem -passin pass:root -passout pass:root
https://www.ibm.com/support/knowledgecenter/en/SSPH29_9.0.3/com.ibm.help.common.infocenter.aps/t_ConvertthepfxCertificatetopemFormat068.html
Then, in the next step, I am converting Cert.p12 into a Java keystore using the following command:
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root123 -keystore dex.jks -storepass root111
https://www.blazemeter.com/blog/how-set-your-jmeter-load-test-use-client-side-certificates/
The below error is encountered:
Importing keystore Cert.p12 to dex.jks...
keytool error: java.io.IOException: keystore password was incorrect
Can someone let me know where I am going wrong?
Contents of clientA-crt.pem
-----BEGIN CERTIFICATE-----
some alphanumeric values
-----END CERTIFICATE-----
Contents of clientA-key.pem
-----BEGIN RSA PRIVATE KEY-----
some alphanumeric values
-----END RSA PRIVATE KEY-----
You don't need to convert the PKCS12 keystore into a JKS keystore; JMeter can deal with both types. Moreover, it's recommended to use PKCS12, as JKS is a proprietary format. You just need to "tell" JMeter to use the PKCS12 format via the system.properties file:
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=Cert.p12
javax.net.ssl.keyStorePassword=root
If you want to use the .jks type for any reason you need to provide the same password as you specified during the keystore creation:
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root -keystore dex.jks -storepass root111
It might be easier to use a GUI-based tool like KeyStore Explorer if you are not too familiar with OpenSSL and Keytool command-line utilities.
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
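The error in this thread comes from presenting a different password to keytool than the one given to openssl pkcs12 -export. As an added shell example (not part of the question or the answer above), the script below builds the PKCS#12 bundle the same way and then verifies which password opens it with openssl alone, so the mismatch is caught before keytool or JMeter ever sees the file. It assumes only that openssl is on PATH; the client certificate and key are generated here as stand-ins for clientA-crt.pem and clientA-key.pem, and the function names (make_p12, p12_password_ok, p12_alias) and the working directory are my own.

```sh
#!/bin/sh
# Added example, not from the question or answer. Assumes openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed client material: self-signed here, whereas a real mTLS client
# certificate would be issued by the server's trusted CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/clientA-key.pem" -out "$WORK/clientA-crt.pem" \
    -subj "/CN=clientA" >/dev/null 2>&1

# Bundle certificate + key into PKCS#12. The -passout value becomes the store
# password that every later consumer (keytool -srcstorepass,
# javax.net.ssl.keyStorePassword) has to present.
make_p12() {
    # $1 cert, $2 key, $3 output file, $4 export password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name clientA -passout "pass:$4"
}

# Check that a PKCS#12 file opens with the given password without writing any
# key material out. Exit status 0 = password correct; non-zero is the same
# condition keytool reports as "keystore password was incorrect".
p12_password_ok() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" >/dev/null 2>&1
}

# Print the friendly name stored in the bundle; this is the alias keytool
# -list would show after a successful -importkeystore.
p12_alias() {
    openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

make_p12 "$WORK/clientA-crt.pem" "$WORK/clientA-key.pem" "$WORK/Cert.p12" root

if p12_password_ok "$WORK/Cert.p12" root; then
    echo "Cert.p12 opens with 'root': use that as -srcstorepass / keyStorePassword"
fi
if ! p12_password_ok "$WORK/Cert.p12" root123; then
    echo "'root123' is rejected: this is the mismatch behind the keytool error"
fi
echo "alias inside the bundle: $(p12_alias "$WORK/Cert.p12" root)"
```

Running p12_password_ok against the real Cert.p12 with the value you intend to put in system.properties is the quick check. If a very old JDK refuses a bundle written by OpenSSL 3, that is an encryption-algorithm difference rather than a password problem; OpenSSL 3's pkcs12 -legacy option writes the older format.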
I have this problem when I import a certification file into keystore:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
I do this operation:
1) create my keystore on the server :
keytool -genkey -keystore C:\keystore\keystore -alias jboss -keyalg RSA
2) I have domain.pfx and convert it with this command:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key
Now I have 3 new files:
domain.cer
domain_encrypted.key
domain.key
3) In the end, Import the domain.cer into C:\keystore\keystore in the jboss alias:
keytool -import -alias jboss -keystore C:\keystore\keystore -file C:\cert\domain.cer
But I have this error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What is the problem?
A keystore comprises two entry types:
Private Key Entry (which binds the private key stored in the keystore with the certificate imported into the keystore). Here, the alias must remain the same as the one used when the keystore file was created.
Trusted Entry: this entry comprises all the trusted certificate entries, including the root and intermediate certificates.
If a keystore is bound to a domain in the server.xml file of Tomcat, then it must contain the private key entry.
Now, as per the steps you performed, you created a keystore first (a private key got generated in it) and then you tried to import the certificate into the keystore. But in the command you didn't use the private key which you converted using openssl; you used the private key which was freshly generated when you created the keystore.
As you have the domain.pfx with you, you can straight away convert it using the below keytool command:
keytool -importkeystore -srckeystore domain.pfx -srcstoretype pkcs12 -destkeystore name_of_the_keystore_file.jks -deststoretype jks
Note: Make sure the keystore password and the key password remains the same.
Change the alias name as another entry with jboss alias should have already been created.
You can view the truststore and alias name in that by executing -> keytool -list -v -keystore . I am sure it will be resolved.
I had the same issue today. I resolved it by using a different alias when I imported the certificate. So I had alias1 when generating the keystore and alias2 when importing the certificate.
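"Public keys in reply and keystore don't match" is keytool's way of saying that the certificate being imported under an alias was issued for a different key pair than the one that alias already holds; that is what happened in this thread (the pfx key was never the one in the keystore) and in the TCP-server thread above (the client certificate was imported under the server alias). Importing under a second alias silences the error but only creates a trusted-certificate entry, so the server still has no usable private-key entry for that certificate. The shell script below is an added example, not code from any of the answers: it extracts the public key from a certificate exactly as the first answer on this page does (openssl x509 -pubkey), derives the public key from a private key, and compares SHA-256 fingerprints of the two so the mismatch is visible before keytool is involved. It assumes only that openssl is on PATH; the key pairs are generated here, and the function names (cert_pubkey_pem, cert_pubkey_fp, key_pubkey_fp, cert_matches_key) and the working directory are my own.

```sh
#!/bin/sh
# Added example, not from any answer on this page. Assumes openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: "server" plays the key pair already in the keystore
# (with a self-signed cert), "other" plays a certificate that was issued for a
# different key, i.e. a CA reply that does not belong to the alias.
gen_key_and_cert() {
    # $1 base name, $2 common name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Public key of a certificate as PEM; same as the first answer's
# keytool -exportcert ... -rfc | openssl x509 -pubkey -noout step.
cert_pubkey_pem() {
    openssl x509 -in "$1" -pubkey -noout
}

# SHA-256 of the DER SubjectPublicKeyInfo taken from a certificate. Comparing
# this digest is more reliable than eyeballing base64 text.
cert_pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl sha256 | awk '{print $NF}'
}

# The same digest derived from a private key, i.e. what the keystore entry holds.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl sha256 | awk '{print $NF}'
}

# 0 when the certificate belongs to the private key (keytool accepts the reply
# under that alias), 1 when it does not (keytool reports the mismatch error).
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

gen_key_and_cert server "server.example.test"
gen_key_and_cert other  "other.example.test"

if cert_matches_key "$WORK/server.pem" "$WORK/server.key"; then
    echo "server.pem matches server.key: import under the same alias succeeds"
fi
if ! cert_matches_key "$WORK/other.pem" "$WORK/server.key"; then
    echo "other.pem does not match server.key: the error from the question"
fi
```

To run this against a real keystore entry, export the private key first (keytool -importkeystore to a PKCS12 file, then openssl pkcs12 -nocerts -nodes); the key never leaves the machine, and the comparison itself only ever touches public material.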
I'm trying to enable SSL for Boomi webservices. I've followed the instructions on their documentation to generate the CSR and sent it to CA for signing. I've received the signed certificate in .pem format. I've looked at the contents of the file and it doesn't contain any information about any private key.
These are the steps on Boomi's documentation.
1) Replace the keystore path, KEYSTORENAME and -dname parameters in this command with your information (this -dname "...." option can be omitted if the trusted root authority requests this information when submitting the CSR) and run the following command to generate the key:
keytool -genkey -dname "CN=HOSTNAME, OU=ORGUNIT, O=ORG, L=LOCATION, S=STATE, C=COUNTRY" -alias Boomi -keyalg RSA -keystore c:\Certificates\Boomi\KEYSTORENAME -keysize 2048
2) Replace the KEYSTORENAME in this command and run the following command to generate the CSR:
keytool -certreq -keyalg RSA -alias Boomi -file c:\Certificates\Boomi\KEYSTORENAME.csr -keystore c:\Certificates\Boomi\KEYSTORENAME
3) Submit the CSR to the Trusted Root Authority (for example, Verisign), and request/download the returned certificate in PKCS7 format. This will have a public, G3 intermediate, and G5 intermediate certificate all in one certificate. Java must be 1.6 or newer.
4) Replace the certificate file path\name and keystore path\name in this command and run the following command to import the PKCS7 certificate:
keytool -import -alias Boomi -trustcacerts -file c:\Certificates\Boomi\NEWCERTNAME.p7b -keystore c:\Certificates\Boomi\KEYSTORENAME
5) Replace the new and destination keystore paths/names and passwords (if different from changeit) in this command and run the following command to convert to .p12 format for import into Boomi:
keytool -importkeystore -srckeystore c:\Certificates\Boomi\KEYSTORE -destkeystore c:\Certificates\Boomi\KEYSTORENAME.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias Boomi -destalias Boomi -srckeypass changeit -destkeypass changeit -noprompt
I'm stuck at step 4 because I don't have the signed certificate in .p7b format. I've searched around for any information about how to convert a .pem file to a .p7b file, and all of them mention that the .pem file will contain key information along with the certificate information. But since the .pem file that I have doesn't have the key info, how should I go about converting .pem to .p7b and eventually arriving at the .p12 cert?
Also, if possible, can you please explain what do these formats mean?
First, check out this ServerFault answer for information on keys and keyformats.
Second, to address your issue, the .pem file may or may not contain private key information. In the case of a signed certificate (signed after submitting the CSR to the CA), it typically will not include the private key. In your instructions, the private key exists in the keystore already. I believe the command in instruction number 4 will import the trust chain (.p7b) into the keystore, so you'll have the public key, private key, and trust chain all in the same [protected] file.
If you don't have the file in the .p7b format, you could request the CA send it to you in .p7b format.
Barring that, the first thing I would try is changing the command to include the .pem file instead of the .p7b file. keytool is pretty smart, and I would think it would figure out what it needed to do to import the .pem instead of the .p7b.
If that doesn't work for some reason, there's more you can do, but things start to get more complicated. I would start with this link. Good luck!
I have read this good article on running tomcat in https and implemented it.
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
It is working fine and my tomcat is running in https mode.
But the problem is I got the certificate in BIN format. I need it in X509 format so that I can use it as a raw resource for my Android project.
I have used the Java keytool to create it. Can I use OpenSSL to convert it into X509 format, or is the Java keytool sufficient?
I am new to this security stuff.
Please point me in the right direction and clear my doubts.
I think keytool already handles certificates in X509 format only. You should have generated a .keystore file. You can export the certificate from it using the command:
keytool -export -alias mycert -keystore mykeystore.bin -file certificatefile.cer
Yes, of course: you can use OpenSSL to convert the certificate and keys to and from the following formats:
Standard PEM
DER / Binary
PKCS#7 (aka P7B)
PKCS#12 (aka PFX)
In your case, given a private key file and digital certificate in standard PEM, convert them both to PKCS12 format using the following steps:
Step 1: Convert the PEMs to a single PKCS12 file
OpenSSL> pkcs12 -export -in CE_cert.cer -inkey CE_prv_key_PEM.key -out pkcs12_KeyStore.p12 -name ce_cert_prv_key
Here's the doc for the OpenSSL PKCS12 command.
Step 2: Import the PKCS12 file created in step 1 into the new JKS
C:\>keytool -importkeystore -srckeystore pkcs12_KeyStore.p12 -srcstoretype pkcs12 -srcstorepass somepass -srcalias ce_cert_prv_key -destkeystore path/to/JavaKeyStore_KS.jks -deststoretype jks -deststorepass somepass -destkeypass somepass
Now, after having the certificate and private key in JKS format, you can use this JKS key store in Tomcat.
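The four formats listed above (PEM, DER, PKCS#7, PKCS#12) carry the same certificate bytes in different containers, which is also why the Boomi question's CA-issued .pem can be wrapped into the .p7b its step 4 wants without any private key: only the last step (.p12) needs the key, and that key is already in the keystore. The script below is an added shell example, not code from this answer or from Boomi's documentation. It assumes only that openssl is on PATH, generates its own throwaway certificate, converts it PEM -> DER -> PEM and PEM -> PKCS#7 -> PEM, and checks after each hop that the certificate's SHA-256 fingerprint is unchanged; the function names (cert_fingerprint, pem_to_der, pem_to_p7b, p7b_cert_count and so on) and the working directory are my own. PKCS#12 is left out here because it is the one container that needs the private key.

```sh
#!/bin/sh
# Added example, not from the answer above. Assumes openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed certificate (self-signed stand-in for a CA-issued one). The key
# is written too but deliberately never used by the conversions below.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=cert.example.test" >/dev/null 2>&1

# SHA-256 fingerprint of a certificate: the value that must survive every
# conversion. $2 is the input encoding (PEM or DER).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# PEM (base64 text between BEGIN/END lines) <-> DER (raw binary, the encoding
# keytool -export writes by default, which the Tomcat question called "BIN").
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2"; }

# PEM -> PKCS#7 (.p7b): a certificate-only container, no private key. Repeat
# -certfile for each intermediate to ship the whole chain in one file.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }

# PKCS#7 -> PEM: unpack the certificates again as PEM blocks.
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# Number of certificates inside a PKCS#7 file (confirms the wrap actually
# carried the chain you expected).
p7b_cert_count() { openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'; }

pem_to_der "$WORK/cert.pem" "$WORK/cert.der"
der_to_pem "$WORK/cert.der" "$WORK/cert_from_der.pem"
pem_to_p7b "$WORK/cert.pem" "$WORK/cert.p7b"
p7b_to_pem "$WORK/cert.p7b" "$WORK/cert_from_p7b.pem"

echo "PEM      $(cert_fingerprint "$WORK/cert.pem" PEM)"
echo "DER      $(cert_fingerprint "$WORK/cert.der" DER)"
echo "via P7B  $(cert_fingerprint "$WORK/cert_from_p7b.pem" PEM)"
echo "certs in P7B: $(p7b_cert_count "$WORK/cert.p7b")"
```

Comparing fingerprints after each conversion is the habit worth keeping: a conversion that silently picked up the wrong file, or a .p7b that contains only the leaf and not the intermediates, shows up here rather than as a handshake failure later.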