I read this tutorial "http://docs.jboss.org/jbossweb/7.0.x/ssl-howto.html"
and I already have a JBoss server with SSL.
I want to use the current cert
(which I generated with "keytool -genkey -alias tomcat -keyalg RSA")
in Apache 2 (as a front-end for JBoss).
But I don't know how to convert the key from keytool to PEM (key and cer files). How do I do it?
This question has already been answered. Please check the answers to these questions:
how to convert CRT to PEM
and/or:
How to make PEM from KEY and CRT files
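A worked version of the conversion the question asks for, added here as an illustration; it is not part of the original question or of the answers it links to. It assumes the openssl CLI is available and that the keystore is PKCS12 (keytool's default store type since Java 9; a JKS store must first be converted with keytool -importkeystore, shown only as a comment because openssl cannot read JKS). The sample keystore, the alias `tomcat`, the password `changeit` and the host name example.test are constructed for the demo.

```sh
#!/bin/sh
# Added example: export the key pair keytool stored in a keystore to the two
# PEM files Apache httpd expects (SSLCertificateKeyFile / SSLCertificateFile).
# Assumes: openssl on PATH. Keystore, alias, password and host are constructed.
set -eu

# If the keystore is JKS (keytool's default before Java 9), convert it first;
# openssl only understands PKCS12. This needs a JDK, so it is not run here:
#   keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS \
#           -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias tomcat

# make_sample_keystore <dir>: stands in for what
# "keytool -genkeypair -alias tomcat -keyalg RSA -storetype PKCS12" produced.
make_sample_keystore() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/seed.key" -out "$dir/seed.crt" 2>/dev/null
    openssl pkcs12 -export -name tomcat -inkey "$dir/seed.key" -in "$dir/seed.crt" \
        -passout pass:changeit -out "$dir/keystore.p12"
    echo "$dir/keystore.p12"
}

# keystore_to_pem <keystore.p12> <store password> <alias> <out dir>
# Writes <out dir>/<alias>.key and <out dir>/<alias>.crt; prints the cert subject.
# "pass:" shows the password in the process list; prefer -passin file:... in real use.
keystore_to_pem() {
    ks=$1; pass=$2; name=$3; out=$4
    mkdir -p "$out"
    # Private key as unencrypted PKCS#8 PEM (-nodes); httpd reads it at start-up,
    # so the file is only as safe as its permissions.
    openssl pkcs12 -in "$ks" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/$name.key"
    chmod 600 "$out/$name.key"
    # Leaf certificate only (-clcerts). Piping through x509 drops the
    # "Bag Attributes" preamble so the file is a clean PEM certificate.
    openssl pkcs12 -in "$ks" -passin "pass:$pass" -nokeys -clcerts \
        | openssl x509 -out "$out/$name.crt"
    openssl x509 -in "$out/$name.crt" -noout -subject
}

# key_matches_cert <key.pem> <cert.pem>: prints "match" when the certificate
# carries the public key belonging to the private key, otherwise "mismatch".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

WORK=$(mktemp -d)
KS=$(make_sample_keystore "$WORK")
keystore_to_pem "$KS" changeit tomcat "$WORK/pem"
key_matches_cert "$WORK/pem/tomcat.key" "$WORK/pem/tomcat.crt"
# httpd then uses the two files:
#   SSLCertificateFile    /etc/apache2/ssl/tomcat.crt
#   SSLCertificateKeyFile /etc/apache2/ssl/tomcat.key
```

The `key_matches_cert` step is worth keeping in any conversion script: a mismatched pair is the usual cause of httpd refusing to start after a certificate renewal, and the comparison of the two public-key digests catches it before the restart.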
I have all the required files to import into my Apache Tomcat, that is:
the Certificate Request file (CSR file)
the RSA PRIVATE KEY file
the certificates (root, intermediates and entity/domain) that were sent to me by the Certificate Authority.
Now I need to import them into my Apache Tomcat server.
My question is, given that I haven't created any keystore on my server (the CSR and private key were sent to me; I didn't create them with e.g. keytool), what should the next steps be? Do I have to create a new keystore through the keytool -genkey command (with which alias)?
And if so, which of the files above should I import? As far as I can see the keytool command doesn't support importing an existing CSR.
The extension .crt is often, but not always, used for certificates in PEM format. First, set aside the CSR; you won't use it. Look at the contents of the private key file and each certificate file: do they each have (usually begin with) a line in the format -----BEGIN {one or more words}-----, then several lines of base64, and then a similar END line? If so, those are PEM files and the content you need is one private key and several certs, exactly as you listed. See also (cross-site) https://crypto.stackexchange.com/questions/43697/what-is-the-difference-between-pem-csr-key-and-crt and https://security.stackexchange.com/questions/183072/pem-cer-crt-p12-what-is-it-all-about .
As noted in the Q Piotr linked, modern Tomcat (8.5 and up) can directly use PEM files for the private key and cert(s). Older Tomcats with the 'native' SSL option (aka APR, Apache Portable Runtime, which wraps OpenSSL) also do this.
To use PEM data in older Tomcat using Java SSL (JSSE), or in other Java applications, see:
Convert a CERT/PEM certificate to a PFX certificate
Importing the private-key/public-certificate pair in the Java KeyStore
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
Converting pem with multiple certificates to java keystore
Converting PEM Certificate for use in JAVA Spring Framework
Converting PEM to PKCS12 and import to Java Keystore
Note that PFX is the same thing as PKCS12, and while in olden days it was often necessary to convert to PKCS12 using openssl pkcs12 -export and then to JKS using keytool -importkeystore, Java versions since 2017 should accept PKCS12 as a keystore, and in fact Java 9 and up make it the default for newly created keystores.
I don't know much about SSL certificates but I need to do SSL termination in HAProxy. The team in charge of the certificate gave me a zip file, which I assume is an Entrust bundle when I check the .crt files in it. It seems like HAProxy will only accept a PEM file (correct me if I'm wrong), and the bundle I have contains 5 files: ca.crt, <domain>.key, intermediate.crt, root.crt and ServerCertificate.crt. Can anyone help me with how I can convert these to a PEM file that HAProxy will accept?
You will need to concatenate everything into one file.
cat ServerCertificate.crt intermediate.crt root.crt ca.crt <domain>.key > <domain>_haproxy.pem
Afterwards you can configure HAProxy to handle TLS/SSL as described in the doc How to get SSL with HAProxy getting rid of stunnel, stud, nginx or pound
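The concatenation above works, but the order of the certificates is not arbitrary: OpenSSL (and therefore HAProxy) takes the first CERTIFICATE block in the file as the server certificate and every following one as its chain, while the private key can sit anywhere. The added example below (not part of the answer, and it assumes openssl on the PATH) builds a constructed root, intermediate and server certificate in place of the CA's zip file, assembles the bundle in that order, and checks the two things that bite in production: that the key really belongs to the first certificate, and that the certificate chains to the root through the bundled intermediates. The root is deliberately left out of the bundle, since clients must already have it in their trust store. File names mirror the question; www.example.test is a made-up host.

```sh
#!/bin/sh
# Added example: assemble and verify the single PEM file for HAProxy's "crt".
# Assumes openssl on PATH. The PKI below is constructed for the demo.
set -eu

# make_chain <dir>: root -> intermediate -> server, like a commercial CA bundle.
# Extensions are given explicitly so the result does not depend on openssl.cnf.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/www.example.test.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/ServerCertificate.crt" 2>/dev/null
}

# make_haproxy_pem <ServerCertificate.crt> <intermediate.crt> <domain.key> <out.pem>
# First certificate = server cert, following certificates = chain, key anywhere.
make_haproxy_pem() {
    cat "$1" "$2" "$3" > "$4"
    chmod 600 "$4"   # the file now holds the private key
}

# check_haproxy_pem <bundle.pem> <root.crt>: prints "ok" when the key belongs to
# the first certificate and that certificate chains to the root via the bundled
# intermediates; otherwise prints which check failed.
check_haproxy_pem() {
    b=$1; root=$2; t=$(mktemp -d)
    # openssl picks the first PEM block of the requested type, so these pull the
    # server certificate and the key back out of the combined file.
    openssl x509 -in "$b" -out "$t/leaf.pem"
    openssl pkey -in "$b" -out "$t/key.pem"
    # Every certificate in the bundle, used as the untrusted chain for verify.
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' "$b" > "$t/chain.pem"
    k=$(openssl pkey -in "$t/key.pem" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$t/leaf.pem" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ "$k" != "$c" ]; then echo "key does not match first certificate"; return 0; fi
    if ! openssl verify -CAfile "$root" -untrusted "$t/chain.pem" "$t/leaf.pem" >/dev/null 2>&1; then
        echo "certificate does not chain to root"; return 0
    fi
    echo ok
}

WORK=$(mktemp -d)
make_chain "$WORK"
make_haproxy_pem "$WORK/ServerCertificate.crt" "$WORK/intermediate.crt" \
    "$WORK/www.example.test.key" "$WORK/www.example.test.pem"
check_haproxy_pem "$WORK/www.example.test.pem" "$WORK/root.crt"
# The classic mistake, a key from a different certificate, is caught:
make_haproxy_pem "$WORK/ServerCertificate.crt" "$WORK/intermediate.crt" \
    "$WORK/intermediate.key" "$WORK/wrong.pem"
check_haproxy_pem "$WORK/wrong.pem" "$WORK/root.crt"
# haproxy.cfg then needs:  bind *:443 ssl crt /etc/haproxy/certs/www.example.test.pem
```

Run `check_haproxy_pem` against the file HAProxy will actually load, with the CA's root as the second argument; a bundle that passes both checks is one `haproxy -c` will accept and that browsers can validate without relying on AIA fetching.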
I have little knowledge of certificates.
I need to add a certificate for Jetty (v9.4.11), which is part of an application.
I tried with a self-signed one and all was OK. But now I need to do it with the organization's official certificate.
The administrator gave me 2 files: .cer and .p7b. The application's documentation said that a command like this is enough:
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
I tried this command with the .cer instead of the .crt. The keystore was created, I configured jetty-http.xml and started the application. I tried to open it and got the error SSL_ERROR_NO_CIPHER_OVERLAP.
I checked with openssl, connecting to my address with -tls1/1_1/1_2: nothing; the connection is OK, but nothing in the keystore.
I checked the content of the keystore with keytool: 1 entry, trustedCertEntry and no key (not private/not public).
Is it realistic to configure this with only these 2 files, .cer/.p7b, or do I need something else?
Usually when setting up SSL certificates, you will more often than not have 2 or 3 files.
The base working format for certificates is a certificate/key pair.
For example, you could have a certificate for example.com with its associated key:
example.com.cer
example.com.key
If the certificates were created using a provider, you will most likely also need the root Certificate Authority. In our infra, for instance, our root CAs are in .pem or .cer format. Here is a config for one of my web servers, using entrust.crt as the root CA chain file:
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLCertificateChainFile /etc/apache2/ssl/entrust.crt
In your case, you have a .p7b file. P7B files often have more than a single entry; they can contain both the certificate and the root CA chain. You can open the p7b on a Windows machine, then find the certificates and right-click > Export. Export your files in Base64 and set them on your server.
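The Windows export route works, but the same unpacking can be done on the server with openssl, which also shows what a .p7b actually is: a PKCS#7 "certs only" container, not a key. The example below is added here and is not part of the answer; it assumes openssl on the PATH and constructs two certificates and a .p7b of its own in place of the administrator's files.

```sh
#!/bin/sh
# Added example: unpack a PKCS#7 (.p7b) bundle into plain PEM certificates.
# Assumes openssl on PATH; both certificates and the .p7b are constructed here.
set -eu

# p7b_to_pem <in.p7b> <out.pem>: accepts DER (the usual Windows export) or
# PEM ("-----BEGIN PKCS7-----") input; prints how many certificates it wrote.
# A bundle with no certificates makes the final grep fail, which under set -e
# aborts the caller, so an empty result cannot pass unnoticed.
p7b_to_pem() {
    if grep -q 'BEGIN PKCS7' "$1" 2>/dev/null; then inform=PEM; else inform=DER; fi
    # -print_certs emits each cert as PEM with subject=/issuer= text between them;
    # awk keeps only the PEM blocks so the output is a clean certificate file.
    openssl pkcs7 -inform "$inform" -in "$1" -print_certs \
        | awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' > "$2"
    grep -c 'BEGIN CERTIFICATE' "$2"
}

# list_subjects <certs.pem>: one "subject=..." line per certificate, to see
# which block is the server certificate and which are CA certificates.
list_subjects() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0; print "SPLIT"}' "$1" \
        | awk -v RS='SPLIT\n' 'NF { print > "/dev/stdout" }' \
        | openssl x509 -noout -subject 2>/dev/null || true
}

WORK=$(mktemp -d)
# Two constructed certificates standing in for the server cert and a CA cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
    -keyout "$WORK/www.key" -out "$WORK/www.crt" 2>/dev/null
# crl2pkcs7 -nocrl packs certificates into a PKCS#7 structure, i.e. a .p7b.
openssl crl2pkcs7 -nocrl -certfile "$WORK/www.crt" -certfile "$WORK/ca.crt" \
    -outform DER -out "$WORK/bundle.p7b"
p7b_to_pem "$WORK/bundle.p7b" "$WORK/bundle.pem"   # 2
openssl x509 -in "$WORK/bundle.pem" -noout -subject  # first certificate in the file
```

Note what is missing from the result: a .p7b carries certificates only, which is why a keystore built from it (or from the .cer) holds a trustedCertEntry and nothing Jetty can use to terminate TLS. The private key has to come from wherever the CSR was generated. For Apache httpd 2.4.8 and later, `SSLCertificateChainFile` as in the config above is deprecated; the intermediate certificates extracted here go after the server certificate in the `SSLCertificateFile` instead.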
The problem was that the initial .csr file was incorrect.
- Recreated it
- got the .cer
- ran in cmd: certutil -repairstore my "serial" to generate the key
- exported to .pfx
- connected the application to the .pfx
I have these certificates/files in order to enable SSL for my application:
I found out that these properties are needed for Spring Boot to enable HTTPS:
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat
but this does not work. My question now would be: what do I have to do in order to get it to work? https://abc.lehr.co.at should be the URL.
[EDIT]
I have created my own keystore; with this I get the following exception:
java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:596)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:534)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:739)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:472)
at org.apache.coyote.http11.Http11NioProtocol.start(Http11NioProtocol.java:81)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
My keystore looks like this:
Actually I don't know what to import into the keystore for embedded Tomcat (Spring Boot).
To enable SSL, you must provide a private key, not a trusted certificate.
In your keystore, 'tomcat' should be listed as an alias for a PrivateKeyEntry and not a trustedCertEntry.
You have to pack your private keys into a PFX or P12 file, specifying aliases. Then it will be picked up accordingly from the keystore after the material is loaded.
Use this tool to figure out what the aliases are:
keytool -list -storetype pkcs12 -keystore my_debug_keystore.p12 -storepass debug
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat << This should be the alias in your .p12 file; if you have forgotten it, just create a new one and replace it >>
And don't forget to add
security.require-ssl=true << Tells Spring Security (if used) to require requests over HTTPS >>
I'd suggest you create your keystore in JKS format:
keytool -genkey -keyalg RSA -alias my_alias -keystore keystore.jks -storepass password -validity 360 -keysize 2048
then add the configuration:
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.jks
server.ssl.key-store-password=****
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my_alias
First you may convert your .pem file to DER and then generate a keystore.
See https://stackoverflow.com/a/13992135/16358980 for how to do this.
In your application.properties, change the key-store property to your generated keystore file:
server.ssl.key-store=<your-generated-keystore>
I got a certificate from GeoTrust and I'm trying to apply it to my Tomcat web server. As can be seen in the image below, I left the .csr and .p7b in the same directory (java/bin).
The SoftLayer support team indicated the link https://www.digicert.com/ssl-certificate-installation-tomcat.htm as help, and when I execute the command I get the error: keytool error: java.lang.Exception: Input not an X.509 certificate
Has anyone been through this and can you help me? I've been trying to figure it out for days.
Reasons for the error:
You are importing the certificate (p7b) into the wrong keystore. When you import the certificate into an existing keystore it will never ask you to enter the password twice. If it is asking you to enter the password twice, it means it is creating a new keystore. In a new keystore, you cannot import the certificates as a private entry; you can only create a trusted entry and add the certificates as trusted.
Solution
1) If you have the private key with you, create a text file named example.pem with all the certificates and the private key in it, in the sequence below:
a) private key
b) Server certificate
c) Intermediate Certificate
d) Root Certificate.
2) Run the openssl command below (-export is what tells openssl to build a PKCS12 file from PEM input):
openssl pkcs12 -export -in example.pem -out certificate.pfx
3) As you now have the .pfx file from the above command, use the keytool command below to convert it to JKS format for Tomcat:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore certificate.jks -deststoretype jks
4) Provide the certificate.jks path in Tomcat's server.xml along with its password.
5) Restart the Tomcat service.
Hope this helps.
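Steps 1 to 3 above, and the "Alias name tomcat does not identify a key entry" exception in the Spring Boot question earlier on this page, come down to one check: the alias the server is configured with (`keyAlias` in server.xml, `server.ssl.key-alias` in Spring Boot) must name a private-key entry, not a trusted certificate. The example below is added here and belongs to neither answer. It assumes openssl on the PATH, constructs its own key and certificate, and uses the alias `tomcat` and password `changeit` as demo choices. The .p12 it produces is usable directly as a PKCS12 keystore by Tomcat and Spring Boot, or can be converted with keytool -importkeystore as in step 3.

```sh
#!/bin/sh
# Added example: build a PKCS12 keystore from PEM material under a chosen
# alias and confirm, with openssl alone, that the alias names a private-key
# entry (what Tomcat/Spring Boot need) rather than only a trusted certificate.
# Assumes openssl on PATH; key, certificate, alias and password are constructed.
set -eu

# pem_to_p12 <key.pem> <cert.pem> <chain.pem or ""> <alias> <password> <out.p12>
# -name sets the PKCS12 friendlyName, which Java exposes as the keystore alias.
pem_to_p12() {
    if [ -n "$3" ]; then
        openssl pkcs12 -export -name "$4" -inkey "$1" -in "$2" -certfile "$3" \
            -passout "pass:$5" -out "$6"
    else
        openssl pkcs12 -export -name "$4" -inkey "$1" -in "$2" \
            -passout "pass:$5" -out "$6"
    fi
    chmod 600 "$6"
}

# p12_key_alias <store.p12> <password>: prints the alias of the private-key
# entry, or nothing when the store holds no key (trusted certificates only, or
# a wrong password; openssl's failure is swallowed by the pipe on purpose).
p12_key_alias() {
    # -nocerts leaves only the key bag; its "Bag Attributes" carry friendlyName.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# alias_is_key_entry <store.p12> <password> <alias>: "yes" or "no", i.e. whether
# server.ssl.key-alias=<alias> would resolve to a key entry in this store.
alias_is_key_entry() {
    if [ "$(p12_key_alias "$1" "$2")" = "$3" ]; then echo yes; else echo no; fi
}

WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/example.key" -out "$WORK/example.crt" 2>/dev/null

# Properly built: key + certificate under alias "tomcat".
pem_to_p12 "$WORK/example.key" "$WORK/example.crt" "" tomcat changeit "$WORK/keystore.p12"
alias_is_key_entry "$WORK/keystore.p12" changeit tomcat   # yes

# The failure mode from the questions above: a store holding only the
# certificate (what "keytool -import -trustcacerts" yields) has no key entry.
openssl pkcs12 -export -nokeys -in "$WORK/example.crt" -name tomcat \
    -passout pass:changeit -out "$WORK/trust-only.p12"
alias_is_key_entry "$WORK/trust-only.p12" changeit tomcat   # no

# Spring Boot then needs:
#   server.ssl.key-store=file:/etc/app/keystore.p12
#   server.ssl.key-store-type=PKCS12
#   server.ssl.key-alias=tomcat
```

The same information comes from `keytool -list -v -storetype PKCS12 -keystore keystore.p12`, which labels each alias as PrivateKeyEntry or trustedCertEntry; the openssl version is useful on hosts without a JDK and in deployment pipelines that validate the store before restarting the service.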