I've done following steps
Create keystore:
keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -keysize 2048
Crete certificate request:
keytool -certreq -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Bought Comodo PositiveSSL certificate
Import all certificates to newly created keystore - wso2carbon.jks:
keytool -import -alias root -keystore wso2carbon.jks -trustcacerts -file AddTrustExternalCARoot.crt -storepass wso2carbon
keytool -import -alias intermediate1 -keystore wso2carbon.jks -trustcacerts -file COMODORSAAddTrustCA.crt -storepass wso2carbon
keytool -import -alias intermediate2 -keystore wso2carbon.jks -trustcacerts -file COMODORSADomainValidationSecureServerCA.crt -storepass wso2carbon
keytool -import -alias domain.com -keystore wso2carbon.jks -trustcacerts -file domain_com.crt -storepass wso2carbon
Copied wso2carbon.jks to {CARBON_HOME}/repository/resources/security/ and overwrite the old one.
Restarted WSO2 IS. WHen I inspect with prowser it says in Certificate hiararchy only domain.com is present.
In general I followed this tutorial https://docs.wso2.com/display/AS521/Creating+New+Keystores#CreatingNewKeystores-Creatingakeystoreusinganewcertificate
I've found the solution:
At point 3 I needed to put the same alias like in point 1 for last import - domain.com:
keytool -import -alias wso2carbon -keystore wso2carbon.jks -trustcacerts -file domain_com.crt -storepass wso2carbon
Now it works great with web browsers but when access with Android it is still not trusted, but that is for another topic.
Related
I have installed ActiveMQ Artemis in Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses keystore and truststore. How to create those and how to enable SSL for MQTT protocol?
Below shows configuration broker.xml
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true
sslEnabled=true;
keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
trustStorePath=home/certs/server-ks/server1.p12;
trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) to keystore and truststore
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
As above same I have created/converted for client keystore.
I need to connect broker using MQTT.FX client with self signed client keystore.
How to achieve this I am getting confused. Please help me if any one have idea.
In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.
I ran following commands to generate a keystore, certificate and a truststore:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias clientcertalias -dname "CN=Local,OU=Department,O=Company,L=City,ST=State,C=US" -keystore keystore.jks -storepass "clientpassword1" -keypass "clientpassword2"
keytool -export -alias clientcertalias -file client.cer -keystore keystore.jks -storepass "clientpassword1"
keytool -import -v -trustcacerts -alias clientcertalias -file client.cer -keystore keystore.jks -storepass "serverpass" -noprompt;
When I try to start my tomcat server, it gives above mentioned exception. But when I keep "storepass" and "keypass" of point 1 same, my server starts smoothly. What is significance of the two passwords? Why do we have to keep them same?
Good morning,
I recently requested a certificate from GoDaddy and they have sent me two sets of .pem and .spc files (SHA1 and SHA1) but when I try to import them to my codesignstore it says they are not X.509. Is there any way to convert them?
I used these commands to generate the files that I sent to GoDaddy.
Keystore
keytool -genkey -alias codesigncert -keyalg RSA -keysize 2048 -dname "CN=Corp,O=Corp,C=US,ST=FL,L=Orlando" -keystore codesignstore
Certificate Request
keytool -certreq -v -alias codesigncert -file codesign.pem -keystore codesignstore
Import
keytool –import –alias codesignecert –file NAME_OF_FILE_FROM_GODADDY –keystore codesignstore
I tried importing a trustcert using the below command and it worked for me.
keytool.exe -import -trustcacerts -alias "cert_alias_name" -file cert.pem -keystore "C:/Program Files/Java/jre1.8.0_291/lib/security/cacerts" -srcstorepass changeit -deststorepass changeit -v -noprompt
Certificate was added to keystore
[Storing C:/Program Files/Java/jre1.8.0_291/lib/security/cacerts]
We have IBM liberty server (8.5.5.0) running in CICS (v5.1) region. I am getting error message listed below when we tried to activate ssl. I deleted default ssl keystore key.jks and key store recreated automatically but keep getting the same message.
I was able to view certificate in same keystore on my pc with keytool.
We also tried converting the file into IBM-1047 and IBM-037 code pages but no luck.
Error Message:
[11/9/15 15:47:15:572 EST] 0000001d com.ibm.ws.ssl.config.WSKeyStore E CWPKI0033E: The keystore located at /xxx/resources/security/key.jks id not load because of the following error: Invalid keystore format.
We are using default ssl provided by IBM
<!-- SSL Feature -->
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
<!-- Disable SSLv3 -->
<ssl id="defaultSSLConfig"
keyStoreRef="defaultKeyStore"
sslProtocol="TLS" />
<!-- Generate a default keystore -->
<keyStore id="defaultKeyStore" password="defaultPassword" />
Anybody had similar issue ? Could you please help ?
I had a similar problem where the keystore was empty, so I had to create it myself with Verisign CA certs. Here are my notes:
On a mac, see java home via: /usr/libexec/java_home
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
Verisign Class 3 and Class 3 G3 & G5
Aliases:
verisignclass3ca
verisignclass3g5ca
verisignclass3g3ca
keytool -export -alias verisignclass3ca -file verisign_c3.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -export -alias verisignclass3g3ca -file verisign_c3g3.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -export -alias verisignclass3g5ca -file verisign_c3g5.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -import -trustcacerts -file verisign_c3.crt -alias verisign_c3ca -keystore key.jks -storepass worklight
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias
Do you still want to add it to your own keystore? [no]:Y
keytool -import -trustcacerts -file verisign_c3g3.crt -alias verisign_c3g3ca -keystore key.jks -storepass worklight
keytool -import -trustcacerts -file verisign_c3g5.crt -alias verisign_c3g5ca -keystore key.jks -storepass worklight
I am using the following guide to setup SSL on my glassfish server hosted in EC2.
I kept getting SSL connection error while browsing the 8181 page and there isn't any warning or error on the server log.
http://aliok.wordpress.com/2011/06/04/using-your-ssl-certificate-on-glassfish-3/
keytool -keysize 2048 -genkey -alias yourdomain.com -keyalg RSA -dname "CN=www.yourdomain.com,O=Your Organization,L=Your City,S=Your State,C=Your Country Code like US, CH or TR" -keystore keystore.jks -keypass changeit -storepass changeit
keytool -certreq -alias yourdomain.com -keystore keystore.jks -storepass changeit -keypass changeit -file server.csr
Download 2 cert files from godaddy.
keytool -importkeystore -srckeystore ~/ssl-stuff/keystore.jks -destkeystore $GLASSFISHHOME/domains/yourdomain/config/keystore.jks
cd $GLASSFISH_HOME/domains/yourdomain/config
keytool -import -v -trustcacerts -alias root -file gd_bundle.crt -keystore keystore.jks -keypass changeit -storepass changeit
keytool -import -v -trustcacerts -alias yourdomain.com -file yourdomain.com.crt -keystore keystore.jks -keypass changeit -storepass changeit
then i changed the server config SSL section, certificate nickname to yourdomain.com