Extract one alias from pkcs12 keystore in pkcs12 format - alias

I am trying to export one of the aliases from the pkcs12 keystore to a new "empty" keystore of the same type (i.e. pkcs12).
keytool -importkeystore -v -srckeystore vault.p12 -destkeystore p2.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -srcstorepass yyyy -deststorepass xxxx -srcalias p2 -destalias p2
This command gives an empty p2.p12 file and a failure:
[Storing p986wasuser.p12] keytool error (likely untranslated): java.io.IOException: Error in storing the key store: Given final block not properly padded

As I managed to find out this was a working way to solve my problem:
keytool -importkeystore -srckeystore source.p12 -destkeystore alias.p12 -srcstorepass password -srcstoretype pkcs12 -deststoretype PKCS12 -srcalias alias -deststorepass pass -destkeypass pass

Related

Generating JKS file from CRT and P7b

I know how to generate a .jks file from .crt & .key file . But the ssl that I have received contains three file (.crt,.p7b ,ca bundle file). How would I generate .jks file from these file for tomcat. Thanks in advance
Try sth like this:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

WSO2 IS 430 - Godaddy SSL Certificate installation fails

I tried installing SSL certificate I purchased from Godaddy (CN = my domain) following below steps. And after the last step I did a GREP search for .jks in repository/conf directory and replaced all keystore configs (wso2carbon.jks) to my JKS and password. Restarted the server. It started giving a bunch of errors and server not started properly.. But when I changed ONLY catalina_server.xml's configuration and undo all others, it started and SSL was working only for 9443 port but when I checked the cert installation from a SSL checker tool, it said cert was not installed properly. And even API gateway endpoints were not working with SSL (browser rejects cert) and it was port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create CSR - copy output and submit to Go Daddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the Certificates for tomcat you will get below certificates.
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join root and intermediate certificate
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias keys -deststorepass -destkeypass
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create pkcs12 keystore
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create JKS from pkcs keystore.
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract key file to add client keystore
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add key to client-truststore.jks
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon

How do you create a keystore given csr, key, pem and crt

This is a little bit of an unusual situation. I have a CentOS 7 server running tomcat 7 and I need to install a new SSL cert for it. I don't have control over the domain so the cert generated for me was given to me by the parent company and it's for a start cert (*.domain.com). Even though I sent them a csr, they ignored it and made a new one for me. The package they sent has a csr file, key, two formats of the cert (crt and p7s), and an intermediary pem.
I'm trying to create a new keystore using these files and am having difficulty doing it. I found this site https://makandracards.com/jan0sch/24553-import-private-key-and-certificate-into-java-keystore and have tried:
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
I changed the CAfile to use the pem file supplied, but I get "unable to load certificates"
Anyone have any ideas?
EDIT:
I used this to make the p12 and then import it in the keystore but I don't know how to include the intermediate cert.
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile my.crt -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
EDIT2:
I'm trying this command to get a pfx file and then
EDIT3:
My intermediate cert had a bunch of spaces preceding the "-----BEGIN CERTIFICATE-----" which was causing an error.
Looks like all I had to do was this:
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile intermediary.pem -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
Didn't even need to put in the intermediate cert.

How can I create keystore from an existing certificate (abc.crt) and abc.key files?

I am trying to import a certificate and a key file into the keystore but I'm unable to do that.
How can I create a keystore by importing both an existing certificate (abc.crt) and abc.key files?
The easiest is probably to create a PKCS#12 file using OpenSSL:
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12
You should be able to use the resulting file directly using the PKCS12 keystore type.
If you really need to, you can convert it to JKS using keytool -importkeystore (available in keytool from Java 6):
keytool -importkeystore -srckeystore abc.p12 \
-srcstoretype PKCS12 \
-destkeystore abc.jks \
-deststoretype JKS
You must use OpenSSL and keytool.
OpenSSL for CER & PVK file > P12
openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12
Keytool for p12 > JKS
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
Adding to #MK Yung and #Bruno's answer.. Do enter a password for the destination keystore. I saw my console hanging when I entered the command without a password.
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12 -name localhost -passout pass:changeit
In addition to #Bruno's answer, you need to supply the -name for alias, otherwise Tomcat will throw Alias name tomcat does not identify a key entry error
Sample Command:
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -out localhost.p12 -name localhost
Ideally you should have received 3 files:
ca_bundle.crt yourname.crt yourname.key
Use the following command to create the pk cs 12 version of it with:
openssl pkcs12 -export -out yourname.pfx -inkey yourname.key -in yourname.crt -certfile ca_bundle.crt
Then you will need to import it into key store that is easy to configure in Apache
keytool -importkeystore -srckeystore yourname.pfx -srcstorepass yourpassword -srcstoretype pkcs12 -destkeystore yourkeystore.jks -deststoretype jks -deststorepass yourkeystorepassword
If the keystore is for tomcat then, after creating the keystore with the above answers, you must add a final step to create the "tomcat" alias for the key:
keytool -changealias -alias "1" -destalias "tomcat" -keystore keystore-file.jks
You can check the result with:
keytool -list -keystore keystore-file.jks -v

Convert certificate in BIN format to X509 format

I have read this good article on running tomcat in https and implemented it.
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
It is working fine and my tomcat is running in https mode.
But the problem is i got the certificate in BIN format. I need it in X509 format so that i can use it as an raw resource for my Android project
I have used java keytool to create it.Can i use OpenSSL to convert it into X509 Format or java keytool is sufficient?
I am new to this securities stuff.
Please point me in the right direction and clear my doubts.
I think keytool already handles certificates in X509 format only. You should have generated .keystore file. You can export certificate from it using command:
keytool -export -alias mycert -keystore mykeystore.bin -file certificatefile.cer
Yes of course, you can use OpenSSL to convert the certificate and keys to and from the following formats
Standard PEM
DER / Binary
PKCS#7 (aka P7B)
PKCS#12 (aka PFX)
In your case, given a private key file and digital certificate in standard PEM,
convert them both to pkcs12 format using the following steps:
Step 1: Convert the PEMs to a single PKCS12 file
OpenSSL> pkcs12 -export -in CE_cert.cer -inkey CE_prv_key_PEM.key -out
pkcs12_KeyStore.p12 -name ce_cert_prv_key
Heres the doc for OpenSSL PKCS12 command.
Step 2: Import the PKCS12 file created in step 1 into the new JKS
C:\>keytool -importkeystore -srckeystore pkcs12_KeyStore.p12 -srcstoretype pkcs12 -srcstorepass somepass -srcalias ce_cert_prv_key -destk
eystore path/to/JavaKeyStore_KS.jks -deststoretype jks -deststorepass somepass -destkeypass somepass
Now after having the certificate and private key in the JKS format, you can use this JSK key store in Tomcat.