Keytool - Import a certificate to the keystore - ssl

I am trying to import a certificate into a keystore.
Therefore i execute the following steps:
Create an empty keystore.jks file
Create the file contentent with the keytool:
keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
Add my certificate to that keystore:
keytool -import -v -trustcacerts -alias server-alias -file C:\server.cert -keystore keystore.jks -keypass changeit -storepass changeit
But I always get the error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What am I doing wrong here and how can I fix it?

In step two you always generate a new key, but if you want to import a certificate and it's private key into the keystore you have to use the key that matches the certificate.
Hence you need the key you created before someone signed your server certificate (the one stored in C:\server.cert).
The following steps have to be performed in the right order:
Create a random public/private key pair. The private key is usually saved password protected
Create a certificate request containing the public key from step 1
Send the certificate request to a trust center which signs it and sends you back the certificate (the server.cert you have)
Save the private key from step 1 together with the returned certificate
Therefore you are always trying to re-do step 1 and 4 without step 2 and 3. Thus you are getting that "don't match" error.
Just complete all steps 1-4 after another. Or use the saved private key that belongs to the server.cert certificate (hopefully you still have it).

Related

How to import a secret key into key store by keytool

I would like to make my Liberty application to connect the Bluemix Secure Gateway'sdestination with TLS Mutual Auth. I tried to create a key store and import a cert and a secret key into the key store by keytool, but I don't know the keyalias of the secret key. I can't execute the command which imports the secret key into the The key store. (The cert and the secret key were provided by Bluemix Secure Gateway's destination with TLS Mutual Auth(*))
*Bluemix Secure Gateway
https://www.ng.bluemix.net/docs/services/SecureGateway/index.html
Could you teach me how to know the keyalias of the secret key ?
Or could you teach me any other way by keytool (not java code) to create keystore and import the secret key and cert but the following procedure ?
[the files provided by Bluemix Secure Gateway's destination]
destination_id_key.pem
destination_id_cert.pem
[procedure]
1. create a key store and import the cert into the key store at once
# keytool -import -file *destination_id*_cert.pem -keystore myKeyStore.jks -storepass password -alias mutual_cert
2. import the secret key nto the key store
# keytool -importseckey -keyalias XXXXX -keystore myKeyStore.jks -storepass password -storetype jks -importfile *destination_id*_cert.pem
There is an example using openssl in the documentation to create a key store using the destination cert and key.
https://www.ng.bluemix.net/docs/services/SecureGateway/sg_023.html#sg_007
As far as I'm aware, the alias value is a name that you set to identify that particular key within your own keystore. The key/cert does not have its own alias, so it's completely up to you what alias to use. Later if you need to remove that key/cert, or perform some other action on it, then you use your custom alias in the command. So you can just do something like this:
# keytool -importcert -alias myCustomAlias -file *destination_id*_cert.pem -keystore myKeyStore.jks -storepass password -storetype jks
Afterwards, use the command keytool -list -keystore myKeyStore.jks to see a list of your keys/certs. Each entry will be listed under the alias that you chose for that key/cert, e.g.:
myCustomAlias, 01-Jul-2015, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD
Note: -importseckey1, -keyalias and -importfile that you have used in your example command are not valid options for keytool. -importcert, -alias and -file are the correct option names, but they may just have been typos on your part when creating the question.

Difference between .pem and .pb7, .p12 formats

I'm trying to enable SSL for Boomi webservices. I've followed the instructions on their documentation to generate the CSR and sent it to CA for signing. I've received the signed certificate in .pem format. I've looked at the contents of the file and it doesn't contain any information about any private key.
These are the steps on Boomi's documentation.
1) Replace the keystore path, KEYSTORENAME and –dname parameters in this command with your information (this –dname “….” option can be omitted if the trusted root authority requests this information when submitting the CSR) and run the following command to generate the key:
keytool -genkey -dname "CN=HOSTNAME, OU=ORGUNIT, O=ORG, L=LOCATION, S=STATE, C=COUNTRY" -alias Boomi -keyalg RSA -keystore c:\Certificates\Boomi\KEYSTORENAME -keysize 2048
2) Replace the KEYSTORENAME in this command and run the following command to generate the CSR:
keytool -certreq -keyalg RSA -alias Boomi -file c:\Certificates\Boomi\KEYSTORENAME.csr -keystore c:\Certificates\Boomi\KEYSTORENAME
3) Submit the CSR to the Trusted Root Authority (for example, Verisign), and request/download the returned certificate in PKCS7 format. This will have a public, G3 intermediate, and G5 intermediate certificate all in one certificate. Java must be 1.6 or newer.
4) Replace the certificate file path\name and keystore path\name in this command and run the following command to import the PKCS7 certificate:
keytool -import -alias Boomi -trustcacerts -file c:\Certificates\Boomi\NEWCERTNAME.p7b -keystore c:\Certificates\Boomi\KEYSTORENAME
5) Replace the new and destination keystore paths/names and passwords (if different from changeit) in this command and run the following command to convert to .p12 format for import into Boomi:
keytool -importkeystore -srckeystore c:\Certificates\Boomi\KEYSTORE -destkeystore c:\Certificates\Boomi\KEYSTORENAME.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias Boomi -destalias Boomi -srckeypass changeit -destkeypass changeit -noprompt
I'm stuck at step 4 because I don't have the signed certificate in .p7b format. I've searched around for any information about how to convert .pem file to .p7b file, and all of them mention that the .pem file will contain key information along with the certificate information. But since the .pem file that I have doesn't have the key info, how should I go about converting .pem to .p7b and eventually arrive at .p12 cert.
Also, if possible, can you please explain what do these formats mean?
First, check out this ServerFault answer for information on keys and keyformats.
Second, to address your issue, the .pem file may or may not contain private key information. In the case of a signed certificate (signed after submitting CSR to the CA), it typically will not inlcude the private key. In your instructions, the private key exists in the keystore, already. I believe the command in instruction number 4 will import the trustchain (.p7b) into the keystore, so you'll have the public key, private key, and trust chain all in the same [protected] file.
If you don't have the file in the .p7b format, you could request the CA send it to you in .p7b format.
Barring that, the first thing I would try is changing the command to include the .pem file instead of the .p7b file. keytool is pretty smart, and I would think it would figure out what it needed to do to import the .pem instead of the .p7b.
If that doesn't work for some reason, there's more you can do, but things start to get more complicated. I would start with this link. Good luck!

SSL on tomcat 7 (7.0.10) here I am using Thawte SGC Certificate

I have problem configuring SSL on tomcat 7 (7.0.10) here I am using Thawte SGC Certificate , please read below description carefully help me out .
I have followed below step
1)Generated key using below command
keytool -genkey -keysize 2048 -alias test_self_certificate -keyalg RSA -keystore test_self_certificate.jks -validity 730
this command generated “test_self_certificate.jks” file in current folder
2)This generated CSR using below command
keytool -certreq -alias test_self_certificate -file my_application.csr -keystore test_self_certificate.jks
this command generated “my_application.csr” file in current folder
3)Then I have submitted this CSR to Thawte and got certificate from them in PKCS#7 format , I have copied that certificate text in notepad and saved that file as “signed_certificate.p7b”
4)Then i created New JKS keystore and imported certificate received from Thawte using below command
keytool -import -alias signed_cert -trustcacerts -file signed_certificate.p7b -keystore tomcat_application.jks
this command generated “tomcat_application.jks” file in current folder
5)I have update tomcat server.xml as below ( I have provided correct .jks file path and keystore password )
<Connector port="8001" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/export/home/parsupport/Tomcat_certs/ tomcat_application.jks " keystorePass="parlive" clientAuth="false" sslProtocol="TLS" />
6)After this change when I start Tomcat I get below Exception and tomcat does not start with SSL
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:774)
Important Note : but if I import certificate received from Thawte in keystore (test_self_certificate.jks -- mentioned as first step above) that I have created to generate KeyPair and CSR , and use that keystore to configure tomcat (as described in step 6 as above ) then Tomcat start in SSL mode but when in try to launch HTTPS URL I get untrusted certificate warning .
keytool -genkey -keysize 2048 -alias test_self_certificate [...]
Here, -genkey generates a public/private key pair and stores in into the "test_self_certificate" alias entry, thereby making this a private key entry. (If you use keytool -list, you'll see some private key entries and some certificate entries). -genkey also generates a self-signed certificate to associate with this private key automatically (this is also how the public key is effectively stored by default).
keytool -import -alias signed_cert [...]
If you get a certificate issued for a private key that is stored in a keystore, you need to store this certificate against the right private key entry, not just any entry. Here, you should have used -alias test_self_certificate instead (which may also mean that it wasn't the best choice of alias name, but that's just a detail).
(In some cases, you may also need to make sure you import the full chain.)

import ssl certificate in Glassfish

i have the following issue:
I obtain a free certificate from comodo (90 days) for my glassfish web application and then i have imported the certs into glassfish 3.1 by following http://javadude.wordpress.com/2010/04/06/getting-started-with-glassfish-v3-and-ssl/
I have also modify the domain.xml file by replacing the alias s1as with my certificate alias and the file keystore.jks with the server.keystore....but when i try to access my web application with https protocol i got the following log error:
[#|2012-10-12T14:41:18.828+0200|WARNING|glassfish3.1.2|com.sun.grizzly.config.Gr
izzlyServiceListener|_ThreadID=25;_ThreadName=http-thread-pool-443(1);|GRIZZLY00
07: SSL support could not be configured!
java.io.IOException: SSL configuration is invalid due to No available certificat
e or key corresponds to the SSL cipher suites which are enabled.
Please help me..i know that here i can find the solution to my issue...
Unfortunately I don`t have enough reputation to post images of glassfish console admin, but let me try to help somebody just using text.
NOTE1: The configuration was done on Ubuntu 12.04 server and glassfish 3.1.2
Comodo gives you 4 files
your_domain.key (your private key)
your_domain.crt (your public key)
PositiveSSLCA2.crt (CA public key)
AddTrustExternalCARoot.crt (CA public key)
Import every public key into the file cacerts.jks. To do that merge the public key files in one file:
NOTE2: The order of the files DOES matter.
cat your_domain.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > all.crt
Now import them using keytool:
keytool -import -trustcacerts -alias tomcat -file all.crt -keystore cacerts.jks
Create a p12 file with your private key:
NOTE3: You can use the same password for every file to make things easier.
openssl pkcs12 -export -in all.crt -inkey your_domain.key -out your_domain.p12 - name your_alias -CAfile PositiveSSLCA2.crt -caname immed
NOTE4: Don`t forget you alias (your_alias), you will need to reference it in glassfish admin console later.
Now import the private key using keytool:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore your_domain.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias your_alias
Now your keystore.jks (with your private keys) and your cacerts.jks (with you public key) are ready to me used. If you want to check if everything is ok run:
keytool -list -keystore keystore.jks
keytool -list -keystore cacerts.jks
Go to the glassfish admin console and find the session:
Configurations->server-config->HTTP Service->Http Listeners->http-listener-2
Go to the SSL tab and change the Certificate NickName to your_domain.
Restart Glassfish server.
Preconditions:
installed keytool and GlassFish 4.x (with default keystore password changeit)
your source keystore used to generate CSR
e.g. ~/mySourceKeystore.jks with password myPassword and private key with alias myAlias
your valid certificate (obtained from CA)
e.g. ~/myCertificate.crt with password myPassword and alias myAlias
certificate of CA (obtained from CA)
e.g. ~/AwesomeCA.crt
Here are all steps how to import SSL certificate into GlassFish:
Navigate to GLASSFISH-HOME/domains/domain1/config
Import your source keystore (with private key) into GlassFish keystore:
$ keytool -importkeystore -srckeystore ~/mySourceKeystore.jks -destkeystore keystore.jks`
Enter destination keystore password: changeit
Enter source keystore password: myPassword
Entry for alias server successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Import certificate of CA into GlassFish keystore:
$ keytool -import -v -trustcacerts -alias AwesomeCA -file ~/AwesomeCA.crt -keystore keystore.jks
Enter keystore password: changeit
Certificate was added to keystore
[Storing keystore.jks]
Import obtained SSL certificate into GlassFish keystore:
$ keytool -import -v -trustcacerts -alias myAlias -file ~/myCertificate.crt -keystore keystore.jks
Enter keystore password: changeit
Enter key password for <myAlias>: myPassword
Certificate reply was installed in keystore
[Storing keystore.jks]
At this moment error java.security.UnrecoverableKeyException: Cannot recover key would occur during GlassFish startup because you have different keystore password and alias key password. To prevent this error you need to execute:
$ keytool -keypasswd -alias myAlias -new changeit -keystore keystore.jks
Enter keystore password: changeit
Enter key password for <myAlias>: myPassword
Change default alias (s1as) in GlassFish to your myAlias:
$ asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.cert-nickname=myAlias
(Optional) You can change default SSL port (8181) in GlassFish to well known 443:
$ asadmin set server.network-config.network-listeners.network-listener.http-listener-2.port=443
Restart GlassFish
For Glassfish 4.x you can follow this Comodo Guide
Here is the web archive if link expires.

setup SSL connection with JSSE (Javase6) and self-signed certificate

I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
The server must have its own certificate, clients don't need one.
I started with this
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
To generate key for the server and a self signed certificate.
To sum it up:
Create a new keystore and self-signed certificate with corresponding public/private keys.
keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
Export and examine the self-signed certificate.
keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
Import the certificate into a new truststore.
keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
Then in my server code I do
System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
Socket s = sslServerSocket.accept();
I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
Can it be a problem with the certificate? When using -validity in keytool the certificate gets self-signed, so it should work if I'm not wrong.
Reading the docs seems that setting the property "javax.net.ssl.keyStore" is sufficient for the SSLContext to setup correctly. Any suggestion?
I messed up things a little, complete solution is here: https://forums.oracle.com/forums/thread.jspa?threadID=1531716