openssl keeps signing csr with algorithm SHA1withRSA when csr contains SHA256withRSA - ssl

Please help... I am using keytool to generate a certificate request with sigalg SHA256withRSA and using openssl to sign the CSR with a self-generated CA, but the output certificate I am receiving shows the signature algorithm as SHA1withRSA. I have verified the .csr and the self-generated CA and they both have SHA256withRSA, and in the openssl.conf file there is no mention of an algorithm, so I haven't got a clue where it is picking up SHA1withRSA from or how to resolve it.
Commands I am running:
To generate Keypair
keytool -genkeypair -alias servercert1 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=servercert1,dc=domain,dc=com" -validity 1095 -keystore server1.keystore -storepass *** -keypass same -v
To generate the CSR
KEYTOOL -certreq -sigalg SHA256withRSA -alias servercert1 -file server1.csr -keystore server1.keystore -storepass ***
To sign the CSR using openssl
openssl x509 -in server1.csr -out server1.pem -dates -days 1095 -req -CA selfsignedca.pem -CAkey selfsignedcapvt.key -CAcreateserial -passin pass:caroot_password -extfile openssl.conf -extensions v3_req -text
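As an added example that is not part of the question above: the digest a certificate is signed with is chosen by the signing command, not by the CSR. openssl x509 -req takes only the subject and public key from the CSR, consults -extfile only for extensions, and otherwise signs with its own default digest, which is SHA-1 in OpenSSL 1.0.x and earlier and SHA-256 from 1.1.0 on. Naming the digest on the signing command line (-sha256) is the fix. The script below builds a throwaway CA and a SHA-256 CSR, signs that one CSR once with -sha512 and once with -sha256, and reads the signature algorithm back from each file. The CA, subject and file names are made up for the example, and it skips itself if the openssl command-line tool is not installed.

```shell
#!/bin/sh
# Added example: the digest a certificate is signed with is chosen by the CA
# command, not by the CSR.  All names below are made up for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sig_alg FILE KIND -> prints the signature algorithm of a CSR (KIND=req) or a
# certificate (KIND=x509), e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl "$2" -in "$1" -noout -text \
    | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# sign_csr CSR CAKEY CACERT DIGEST OUT -> signs CSR with an explicit digest.
# Leave "-$DIGEST" out and OpenSSL 1.0.x signs with SHA-1 regardless of the
# digest the CSR was signed with; -extfile only ever affects extensions.
sign_csr() {
  openssl x509 -req -in "$1" -CAkey "$2" -CA "$3" -CAcreateserial \
    -days 1095 "-$4" -out "$5" 2>/dev/null
}

# Throwaway self-signed CA, SHA-256.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=example-test-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Server key plus a CSR signed with SHA-256, the openssl equivalent of
# keytool -certreq -sigalg SHA256withRSA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=servercert1" -keyout "$WORK/server1.key" -out "$WORK/server1.csr" 2>/dev/null

# One CSR, two signing digests.
sign_csr "$WORK/server1.csr" "$WORK/ca.key" "$WORK/ca.pem" sha512 "$WORK/server1-sha512.pem"
sign_csr "$WORK/server1.csr" "$WORK/ca.key" "$WORK/ca.pem" sha256 "$WORK/server1-sha256.pem"

CSR_ALG=$(sig_alg "$WORK/server1.csr" req)
CERT512_ALG=$(sig_alg "$WORK/server1-sha512.pem" x509)
CERT256_ALG=$(sig_alg "$WORK/server1-sha256.pem" x509)

echo "CSR signed with:                $CSR_ALG"
echo "cert from 'x509 -req -sha512':  $CERT512_ALG"
echo "cert from 'x509 -req -sha256':  $CERT256_ALG"
```

The same sig_alg check works unchanged on a CSR written by keytool -certreq and on the certificate openssl hands back, which is the quickest way to see that the CSR's own algorithm and the certificate's are two independent choices.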

Related

Getting Failed authentication with /127.0.0.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector) in kafka producer

I configured SSL in Kafka using the following commands:
Generate CA
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Create Truststore
keytool -keystore kafka.server.truststore.jks -alias ca-cert -import -file ca-cert
Create Keystore
keytool -keystore kafka.server.keystore.jks -alias kafka -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
Create certificate signing request (CSR)
keytool -keystore kafka.server.keystore.jks -alias kafka -certreq -file ca-request-kafka
Sign the CSR
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-kafka -out ca-signed-kafka -days 3650 -CAcreateserial
Import the CA into Keystore
keytool -keystore kafka.server.keystore.jks -alias ca-cert -import -file ca-cert
Import the signed certificate from step 5 into Keystore
keytool -keystore kafka.server.keystore.jks -alias kafka -import -file ca-signed-kafka
and added the following properties in the server.properties file:
ssl.truststore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.broker0.truststore.jks
ssl.truststore.password=vinodts
ssl.keystore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.broker0.keystore.jks
ssl.keystore.password=vinodks
ssl.key.password=vinodks
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.protocol=TLSv1.2
and the Kafka server with SSL on localhost:9092 is running successfully.
I used the following commands for creating the CAs for kafka-console-producer:
keytool -keystore kafka.producer.truststore.jks -alias ca-cert -import -file ca-cert
keytool -keystore kafka.producer.keystore.jks -alias kafka-producer -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
keytool -keystore kafka.producer.keystore.jks -alias kafka-producer -certreq -file ca-request-producer
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-producer -out ca-signed-producer -days 3650 -CAcreateserial
keytool -keystore kafka.producer.keystore.jks -alias ca-cert -import -file ca-cert
keytool -keystore kafka.producer.keystore.jks -alias kafka-producer -import -file ca-signed-producer
and added the following properties in the producer.properties file:
bootstrap.servers=localhost:9092
security.protocol=SSL
ssl.protocol=TLSv1.2
ssl.truststore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.producer.truststore.jks
ssl.truststore.password=vinodts
ssl.keystore.location=PATH-TO-YOUR-KAFKA-DIR/ssl/kafka.producer.keystore.jks
ssl.keystore.password=vinodks
ssl.key.password=vinodks1
Now when I try to run the command:
kafka-console-producer.bat --topic ssl-topic ../../config/producer.properties --broker-list localhost:9092
I get:
Bootstrap broker localhost:9092 (id: -1 rack: null) disconnected (org.apache.kafka.clients.NetworkClient) in the producer window, and
Failed authentication with /127.0.0.1 (SSL handshake failed) (org.apache.kafka.common.network.Selector) in the Kafka window.
Does anybody know what I am doing wrong? Thanks in advance
INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /127.0.0.1 (channelId=127.0.0.1:9092-127.0.0.1:55412-1) (SSL handshake failed) (org.apache.kafka.common.network.Selector)
cd kafka/config
Create a new ssl.config file and paste the lines below:
ssl.endpoint.identification.algorithm=https
security.protocol=SSL
ssl.keystore.location=kafka/ssl/kafka.broker0.keystore.jks
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=kafka/ssl/kafka.broker0.truststore.jks
ssl.truststore.password=passWord
Now try it with --command-config config/ssl.config:
sudo bin/kafka-topics.sh --list --bootstrap-server localhost:9092 --command-config config/ssl.config
It's working.
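An added example, not code from the question or the answer above: the broker and producer material for the same mutual-TLS setup built with openssl only, followed by the three checks behind most "SSL handshake failed" errors with this kind of setup (does the certificate chain to the CA in the truststore, does the private key belong to the certificate, did the SAN survive signing). Two things differ from the keytool steps on purpose: the SAN is handed to openssl x509 -req through an -extfile, because -req does not copy extensions out of the CSR unless told to (OpenSSL 3 has -copy_extensions; older releases never copy them), and the result is packed as a PKCS#12 keystore, which Kafka accepts with ssl.keystore.type=PKCS12. Names, the password and the working directory are made up for the example, and it skips itself if openssl is not installed.

```shell
#!/bin/sh
# Added example: broker and producer material for Kafka mutual TLS built with
# openssl only, plus the checks behind most "SSL handshake failed" errors.
# Names, passwords and the working directory are made up for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA, the equivalent of the "openssl req -new -x509" step above.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=kafka-test-ca" -keyout ca-key -out ca-cert 2>/dev/null

# issue NAME SAN -> NAME.key, NAME.csr and NAME-signed.  The SAN goes through an
# -extfile: "openssl x509 -req" does not copy extensions out of the CSR unless
# told to (OpenSSL 3 has -copy_extensions; older releases never copy them).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$2" > "$1.ext"
  openssl x509 -req -sha256 -days 3650 -in "$1.csr" -CA ca-cert -CAkey ca-key \
    -CAcreateserial -extfile "$1.ext" -out "$1-signed" 2>/dev/null
}

# chain_ok CERT -> ok/fail: CERT chains to ca-cert (what the truststore holds).
chain_ok() {
  openssl verify -CAfile ca-cert "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# key_matches CERT KEY -> ok/fail: the private key belongs to CERT, compared
# through the public key each one carries.
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ] && echo ok || echo fail
}

# san_of CERT -> the SAN line, e.g. "DNS:localhost"; empty when the signer dropped it.
san_of() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;s/^[[:space:]]*//p;}'
}

issue kafka    DNS:localhost
issue producer DNS:localhost

# Keystore as PKCS#12 (Kafka: ssl.keystore.type=PKCS12); the CA cert travels with the key.
openssl pkcs12 -export -name kafka -inkey kafka.key -in kafka-signed -certfile ca-cert \
  -passout pass:changeit -out kafka.server.keystore.p12

BROKER_CHAIN=$(chain_ok kafka-signed)
BROKER_KEY=$(key_matches kafka-signed kafka.key)
BROKER_SAN=$(san_of kafka-signed)
PRODUCER_CHAIN=$(chain_ok producer-signed)
PRODUCER_KEY=$(key_matches producer-signed producer.key)
CROSS_KEY=$(key_matches kafka-signed producer.key)   # deliberate mismatch

echo "broker cert chains to CA:      $BROKER_CHAIN"
echo "broker key matches cert:       $BROKER_KEY"
echo "broker SAN:                    $BROKER_SAN"
echo "producer cert chains to CA:    $PRODUCER_CHAIN"
echo "producer key matches cert:     $PRODUCER_KEY"
echo "broker cert vs producer key:   $CROSS_KEY"
```

The deliberate cross-check of the broker certificate against the producer's key is the mismatch case: a keystore whose ssl.key.password or key entry does not go with the certificate fails in exactly that way. OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which older JDK 8 releases cannot open; add -legacy to the pkcs12 -export command when targeting those.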

Keytool importing from PEM/DER gives Exception: Public keys in reply and keystore don't match

I'm doing a TCP server in Java that communicates with a client in C.
My approach so far:
# Generate server's private and public keys
keytool -genkey -alias server -keyalg RSA -keysize 2048 -validity 365 -keystore certs.jks -storepass le_pass
# Export for client
keytool -exportcert -alias server -keystore certs.jks -storepass le_pass -rfc -file server.pem
# Generate client's private and public keys
openssl req -new -x509 -days 365 -nodes -sha256 -out client.pem -keyout client.key
# Convert and import client's public key
openssl x509 -outform der -in client.pem -out client.der
keytool -import -alias server -keystore certs.jks -file client.der -storepass le_pass
The result (the same if not converted):
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
If I use a different alias in the last line I get no error, but I don't think that's how it should be done?
The first command keytool -genkey -alias server ... creates both the private and public keys for the alias server. No wonder it fails in the last command keytool -import -alias server ... -- you try to load a different public key for an already existing name, a public key that doesn't match the existing private key for the alias server.
I don't think that you need to save the client's public key under the server alias. IMHO, it should be named client, shouldn't it?
keytool -import -alias client -keystore certs.jks -file client.der -storepass le_pass

WSO2 IS 430 - Godaddy SSL Certificate installation fails

I tried installing an SSL certificate I purchased from GoDaddy (CN = my domain) following the steps below. After the last step I did a grep for .jks in the repository/conf directory and replaced all keystore configs (wso2carbon.jks) with my JKS and password, then restarted the server. It started giving a bunch of errors and the server did not start properly. But when I changed ONLY catalina_server.xml's configuration and undid all the others, it started and SSL was working only for port 9443; when I checked the certificate installation with an SSL checker tool, it said the certificate was not installed properly. Even the API gateway endpoints were not working with SSL (the browser rejects the cert) on port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create the CSR, copy the output and submit it to GoDaddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the certificates for Tomcat; you will get the certificates below.
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join the root and intermediate certificates
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias certalias -deststorepass <password> -destkeypass <password>
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create pkcs12 keystore
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create JKS from pkcs keystore.
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract key file to add client keystore
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add key to client-truststore.jks
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon

CAS gradle overlay with non self signed certificate

I'm using CAS with the Gradle overlay method. I am able to use it with a self-signed certificate. However, when I try to use a certificate from the FreeIPA certificate authority, I get the following error message:
2018-02-03 13:39:54,298 ERROR [org.apache.catalina.core.StandardService] - <Failed to start connector [Connector[HTTP/1.1-8443]]>
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]
...
Caused by: java.lang.IllegalArgumentException: java.io.IOException: Alias name [null] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116) ~[tomcat-embed-core-8.5.24.jar!/:8.5.24]
I have added the FreeIPA CA certificate to /usr/java/jdk1.8.0_152/jre/lib/security/cacerts
And, put the certificate into /etc/cas/thekeystore
This is the solution:
openssl req -nodes -newkey rsa:2048 -sha256 -keyout cas.key -out cas.csr
[Send CSR to certificate authority]
[Download CA certificate PEM file]
[Download CAS certificate PEM file]
cp cas.key /etc/pki/tls/private/.
cp cas.crt /etc/pki/tls/certs/.
cp freeipa_ca.crt /etc/pki/tls/certs/.
cat /etc/pki/tls/certs/cas.crt /etc/pki/tls/certs/freeipa_ca.crt > cas_all.pem
openssl pkcs12 -export -inkey /etc/pki/tls/private/cas.key -in cas_all.pem -name cas -out cas.p12
keytool -delete -alias cas -keystore /etc/cas/thekeystore
keytool -list -keystore /etc/cas/thekeystore -v
keytool -importkeystore -srckeystore cas.p12 -srcstoretype pkcs12 -destkeystore /etc/cas/thekeystore
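An added example serving both the GoDaddy steps above and the CAS overlay steps in this post; it is not code from either poster. It builds a root, an intermediate and a leaf with openssl, packs the key, the leaf and both CA certificates into one PKCS#12 under a single alias (the file that keytool -importkeystore -srcstoretype PKCS12 turns into the JKS), and runs the two checks worth doing before restarting a server: the leaf only verifies when the intermediate is supplied, and a missing intermediate in the keystore is the usual reason an external SSL checker reports a certificate as not installed properly even though a browser that already has the intermediate is happy; and the alias names a key entry, which is what Tomcat's "Alias name [...] does not identify a key entry" is about. Subjects, file names and the password are made up for the example, and it skips itself when openssl is not installed.

```shell
#!/bin/sh
# Added example: root -> intermediate -> leaf chain built with openssl, packed
# into one PKCS#12 under a single alias, then checked for a complete chain and
# for a key entry under that alias.  Subjects, names and the password are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA, self-signed (the role gd_bundle-g2-g1.crt / freeipa_ca.crt play above).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA: its CSR is signed by the root with CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
  -keyout intermediate.key -out intermediate.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -sha256 -days 1825 -in intermediate.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out intermediate.pem 2>/dev/null

# Leaf: the server key and CSR (what keytool -genkey / -certreq produce), signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=sso.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'subjectAltName=DNS:sso.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -sha256 -days 365 -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_leaf [INTERMEDIATE] -> ok/fail.  Against the root alone the leaf fails;
# the intermediate must be supplied here and shipped in the keystore, otherwise
# clients that do not already have it reject the chain.
verify_leaf() {
  if [ $# -gt 0 ]; then
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Key, leaf and both CA certificates under one alias; this is the file that
# keytool -importkeystore -srcstoretype PKCS12 turns into the JKS.
cat intermediate.pem root.pem > chain.pem
openssl pkcs12 -export -name cas -inkey leaf.key -in leaf.pem -certfile chain.pem \
  -passout pass:changeit -out final.p12

# p12_cert_count -> number of certificates in final.p12 (expect 3).
p12_cert_count() {
  openssl pkcs12 -in final.p12 -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# p12_key_alias ALIAS -> ok/fail: a private key is stored under ALIAS, which is
# the entry Tomcat's keyAlias (or the CAS keystore alias) must point at.
p12_key_alias() {
  openssl pkcs12 -in final.p12 -nocerts -nodes -passin pass:changeit 2>/dev/null \
    | grep -q "friendlyName: $1" && echo ok || echo fail
}

WITHOUT_INTERMEDIATE=$(verify_leaf)
WITH_INTERMEDIATE=$(verify_leaf intermediate.pem)
CERTS_IN_P12=$(p12_cert_count)
KEY_ALIAS=$(p12_key_alias cas)
echo "leaf verifies against root alone:         $WITHOUT_INTERMEDIATE"
echo "leaf verifies with intermediate supplied: $WITH_INTERMEDIATE"
echo "certificates in final.p12:                $CERTS_IN_P12"
echo "key entry under alias 'cas':              $KEY_ALIAS"
```

After the keytool -importkeystore step, keytool -list -v on the resulting JKS should show the alias as a PrivateKeyEntry with a certificate chain length of 3; a TrustedCertEntry under that alias, or a chain length of 1, reproduces the two failures discussed in these posts.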

CSR generated by keytool is not acceptable by Network Solutions

When submitting the CSR on the esteemed site Network Solutions I get an error message: The CSR provided uses an unsupported signature algorithm. Supported algorithms are: md5withrsa, sha1withrsa, oid 1.2.840.113549.1.1.4, oid 1.2.840.113549.1.1.5. The command I am using is below, and I am not sure why they are not accepting it when this is exactly what they have listed on their site and on the Apache Tomcat site.
keytool -genkey -keyalg RSA -alias tomcat -keystore domain_keystore.jks -keysize 2048
Followed by the command to generate the CSR
keytool -certreq -alias tomcat -file domain_keystore.csr -keystore domain_keystore.jks
When I use openssl to generate the key it gets accepted by Network Solutions. But somehow I cannot get it to run with Tomcat :(
openssl req -nodes -newkey rsa:2048 -keyout www_website_com.key -out www_website_com.csr
Exhausted and need help installing a third-party certificate on Mac + Tomcat.
You can use the -sigalg option to specify a signature algorithm to use with keytool -certreq.
keytool -certreq -sigalg sha1withrsa -alias tomcat -file domain_keystore.csr -keystore domain_keystore.jks