Convert Certificate to X.509 - ssl

Good morning,
I recently requested a certificate from GoDaddy and they have sent me two sets of .pem and .spc files (SHA1 and SHA1) but when I try to import them to my codesignstore it says they are not X.509. Is there any way to convert them?
I used these commands to generate the files that I sent to GoDaddy.
Keystore
keytool -genkey -alias codesigncert -keyalg RSA -keysize 2048 -dname "CN=Corp,O=Corp,C=US,ST=FL,L=Orlando" -keystore codesignstore
Certificate Request
keytool -certreq -v -alias codesigncert -file codesign.pem -keystore codesignstore
Import
keytool -import -alias codesignecert -file NAME_OF_FILE_FROM_GODADDY -keystore codesignstore

I tried importing a trustcert using the below command and it worked for me.
keytool.exe -import -trustcacerts -alias "cert_alias_name" -file cert.pem -keystore "C:/Program Files/Java/jre1.8.0_291/lib/security/cacerts" -srcstorepass changeit -deststorepass changeit -v -noprompt
Certificate was added to keystore
[Storing C:/Program Files/Java/jre1.8.0_291/lib/security/cacerts]
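
As an added example (not part of the original question or answer), this sketch identifies what kind of file a CA delivered and unwraps a PKCS#7 bundle into PEM X.509 blocks. It assumes the `.spc` file is a PKCS#7 container, which is the usual meaning of that extension; the file names and the throwaway self-signed certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names and the self-signed sample certificate are constructed.

# cert_kind FILE -> prints pkcs7 | x509 | csr | unknown (tries PEM, then DER)
cert_kind() {
  for form in PEM DER; do
    if openssl pkcs7 -inform "$form" -in "$1" -noout >/dev/null 2>&1; then
      echo pkcs7; return 0
    elif openssl x509 -inform "$form" -in "$1" -noout >/dev/null 2>&1; then
      echo x509; return 0
    elif openssl req -inform "$form" -in "$1" -noout >/dev/null 2>&1; then
      echo csr; return 0
    fi
  done
  echo unknown
}

# pkcs7_to_pem IN OUT: write every certificate in a PKCS#7 bundle as PEM blocks
pkcs7_to_pem() {
  for form in DER PEM; do
    if openssl pkcs7 -inform "$form" -in "$1" -print_certs 2>/dev/null |
         sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$2" &&
       [ -s "$2" ]; then
      return 0
    fi
  done
  return 1
}

# make_samples DIR: constructed inputs (a CSR, a certificate, a DER PKCS#7 wrapper)
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-sample" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
  openssl req -new -key "$1/key.pem" -subj "/CN=constructed-sample" \
    -out "$1/request.pem" 2>/dev/null &&
  openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -outform DER -out "$1/reply.spc"
}

tmp=$(mktemp -d) && make_samples "$tmp" &&
  echo "request.pem: $(cert_kind "$tmp/request.pem")" &&
  echo "reply.spc:   $(cert_kind "$tmp/reply.spc")" &&
  pkcs7_to_pem "$tmp/reply.spc" "$tmp/chain.pem" &&
  echo "chain.pem:   $(cert_kind "$tmp/chain.pem")"
```

A `.pem` extension says nothing about the content: the CSR created by `keytool -certreq` above is also written to a `.pem` file, and `cert_kind` reports it as `csr`, not `x509`.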

Related

How to enable SSL in ActiveMQ Artemis for MQTT protocol based on keystore and truststore

I have installed ActiveMQ Artemis on Linux and configured broker.xml. I am using a certificate, but ActiveMQ Artemis uses a keystore and a truststore. How do I create those, and how do I enable SSL for the MQTT protocol?
The broker.xml configuration is shown below:
<acceptor name="mqtt">tcp://0.0.0.0:1883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true
sslEnabled=true;
keyStorePath=home/certs/server-ks/server1.p12;keyStorePassword=abc#1234;
trustStorePath=home/certs/server-ks/server1.p12;
trustStorePassword=abc#1234;needClientAuth=true
</acceptor>
I have converted a certificate (.pem) to a keystore and a truststore:
keytool -import -alias rootCA -trustcacerts -file certs/ca.pem -keystore certs/activeMQ-truststore.jks
openssl pkcs12 -inkey certs/server-cert/server1.pem -in certs/server-cert/server1.pem -name server1 -export -out certs/server-ks/server1.p12
keytool -importkeystore -deststorepass abc#1234 -destkeystore certs/server-ks/server-keystore1.jks -srckeystore certs/server-ks/server1.p12 -srcstoretype PKCS12
I created/converted the client keystore in the same way.
I need to connect to the broker using the MQTT.FX client with a self-signed client keystore.
I am confused about how to achieve this. Please help me if anyone has an idea.

In a self-signed configuration typically you'll create a certificate for both the broker and the client, export each, and then import the broker's cert into the client's truststore and import the client's cert into the broker's truststore. You can do all this using Java's keytool command.
Take a look at the example that ships with ActiveMQ Artemis in the examples/features/standard/ssl-enabled-dual-authentication directory. It demonstrates how to do this, e.g.:
keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
Your acceptor will need both sslEnabled=true and needClientAuth=true.

WSO2 IS: How to add SSL Certificate

I've done the following steps:
Create keystore:
keytool -genkey -alias wso2carbon -keyalg RSA -keystore wso2carbon.jks -keysize 2048
Create certificate request:
keytool -certreq -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Bought Comodo PositiveSSL certificate
Import all certificates to newly created keystore - wso2carbon.jks:
keytool -import -alias root -keystore wso2carbon.jks -trustcacerts -file AddTrustExternalCARoot.crt -storepass wso2carbon
keytool -import -alias intermediate1 -keystore wso2carbon.jks -trustcacerts -file COMODORSAAddTrustCA.crt -storepass wso2carbon
keytool -import -alias intermediate2 -keystore wso2carbon.jks -trustcacerts -file COMODORSADomainValidationSecureServerCA.crt -storepass wso2carbon
keytool -import -alias domain.com -keystore wso2carbon.jks -trustcacerts -file domain_com.crt -storepass wso2carbon
Copied wso2carbon.jks to {CARBON_HOME}/repository/resources/security/ and overwrote the old one.
Restarted WSO2 IS. When I inspect with a browser, it says that in the certificate hierarchy only domain.com is present.
In general I followed this tutorial https://docs.wso2.com/display/AS521/Creating+New+Keystores#CreatingNewKeystores-Creatingakeystoreusinganewcertificate
I've found the solution:
At point 3 I needed to use the same alias as in point 1 for the last import (domain.com):
keytool -import -alias wso2carbon -keystore wso2carbon.jks -trustcacerts -file domain_com.crt -storepass wso2carbon
Now it works great with web browsers, but when accessed from Android it is still not trusted; that is for another topic.

java.security.UnrecoverableKeyException: Cannot recover key

I ran the following commands to generate a keystore, certificate and a truststore:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias clientcertalias -dname "CN=Local,OU=Department,O=Company,L=City,ST=State,C=US" -keystore keystore.jks -storepass "clientpassword1" -keypass "clientpassword2"
keytool -export -alias clientcertalias -file client.cer -keystore keystore.jks -storepass "clientpassword1"
keytool -import -v -trustcacerts -alias clientcertalias -file client.cer -keystore keystore.jks -storepass "serverpass" -noprompt;
When I try to start my Tomcat server, it gives the above-mentioned exception. But when I keep the "storepass" and "keypass" of point 1 the same, my server starts smoothly. What is the significance of the two passwords? Why do we have to keep them the same?

SSL certificate, godaddy, JBoss AS 7

[EDIT]
I used those two commands to generate the csr:
keytool -genkey -alias tomcat -keyalg RSA -keystore XY.key
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore XY.key
gd_bundle-g2-g1.crt has 3 blocks in it, the other two have only 1.
[/EDIT]
I want to install the certificates. I want to use:
keytool -import -alias [AB] -keystore [CD.key] -trustcacerts -file [EF.crt]
I know CD; that's the keystore I generated, but what alias (AB) is correct for which certificate (EF)? The three certificates I get are:
b715e55ecaeeba39.crt
gd_bundle-g2-g1.crt
gdig2.crt
And after I did that correctly, am I right by using the:
keytool -import -alias tomcat -keystore <your_keystore_filename> -file certreq.csr
The file with which I requested the Certificate?
Thank you for your help.
You can use any alias you want as long as you specify it in the server.xml file (parameter keyAlias, case sensitive).
tomcat seems to be the default alias: https://docs.jboss.org/jbossweb/7.0.x/ssl-howto.html

Glassfish SSL error - SSL connection error

I am using the following guide to set up SSL on my GlassFish server hosted in EC2.
I kept getting an SSL connection error while browsing the 8181 page, and there isn't any warning or error in the server log.
http://aliok.wordpress.com/2011/06/04/using-your-ssl-certificate-on-glassfish-3/
keytool -keysize 2048 -genkey -alias yourdomain.com -keyalg RSA -dname "CN=www.yourdomain.com,O=Your Organization,L=Your City,S=Your State,C=Your Country Code like US, CH or TR" -keystore keystore.jks -keypass changeit -storepass changeit
keytool -certreq -alias yourdomain.com -keystore keystore.jks -storepass changeit -keypass changeit -file server.csr
Download 2 cert files from godaddy.
keytool -importkeystore -srckeystore ~/ssl-stuff/keystore.jks -destkeystore $GLASSFISH_HOME/domains/yourdomain/config/keystore.jks
cd $GLASSFISH_HOME/domains/yourdomain/config
keytool -import -v -trustcacerts -alias root -file gd_bundle.crt -keystore keystore.jks -keypass changeit -storepass changeit
keytool -import -v -trustcacerts -alias yourdomain.com -file yourdomain.com.crt -keystore keystore.jks -keypass changeit -storepass changeit
Then I changed the certificate nickname in the SSL section of the server config to yourdomain.com.