CSR generated by keytool is not acceptable by Network Solutions - ssl

When submitting a CSR on the esteemed site Network Solutions I get an error message: "The CSR provided uses an unsupported signature algorithm. Supported algorithms are: md5withrsa, sha1withrsa, oid 1.2.840.113549.1.1.4, oid 1.2.840.113549.1.1.5." The command I am using is below and I am not sure why they are not accepting it when this is exactly what they have listed on their site and on the Apache Tomcat site.
keytool -genkey -keyalg RSA -alias tomcat -keystore domain_keystore.jks -keysize 2048
Followed by the command to generate CSR
keytool -certreq -alias tomcat -file domain_keystore.csr -keystore domain_keystore.jks
When I use openssl to generate the key it gets accepted by Network Solutions. But somehow I cannot get it to run with Tomcat :(
openssl req -nodes -newkey rsa:2048 -keyout www_website_com.key -out www_website_com.csr
Exhausted and need help installing a third party certificate on Mac + Tomcat.

You can use the -sigalg option to specify a signature algorithm to use with keytool -certreq.
keytool -certreq -sigalg sha1withrsa -alias tomcat -file domain_keystore.csr -keystore domain_keystore.jks

Related

Keytool importing from PEM/DER gives Exception: Public keys in reply and keystore don't match

I'm doing a TCP server in Java that communicates with a client in C.
My approach so far:
# Generate server's private and public keys
keytool -genkey -alias server -keyalg RSA -keysize 2048 -validity 365 -keystore certs.jks -storepass le_pass
# Export for client
keytool -exportcert -alias server -keystore certs.jks -storepass le_pass -rfc -file server.pem
# Generate client's private and public keys
openssl req -new -x509 -days 365 -nodes -sha256 -out client.pem -keyout client.key
# Convert and import client's public key
openssl x509 -outform der -in client.pem -out client.der
keytool -import -alias server -keystore certs.jks -file client.der -storepass le_pass
The result (same if not converted):
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
If I use a different alias in the last line I get no error, but I don't think that's how it should be done?
The first command keytool -genkey -alias server ... creates both private and public keys for the alias server. No wonder it fails in the last command keytool -import -alias server ... -- you try to load a different public key for an already existing name, a public key that doesn't match the existing private key for the alias server.
I don't think that you need to save client's public key under server alias. IMHO, it should be named client, shouldn't it?
keytool -import -alias client -keystore certs.jks -file client.der -storepass le_pass

WSO2 IS 430 - Godaddy SSL Certificate installation fails

I tried installing an SSL certificate I purchased from GoDaddy (CN = my domain) following the steps below. After the last step I did a grep search for .jks in the repository/conf directory and replaced all keystore configs (wso2carbon.jks) with my JKS and password. Restarted the server. It started giving a bunch of errors and the server did not start properly. But when I changed ONLY catalina_server.xml's configuration and undid all the others, it started and SSL was working only for port 9443, but when I checked the cert installation from an SSL checker tool, it said the cert was not installed properly. And even API gateway endpoints were not working with SSL (browser rejects cert) on port 8244. What have I done wrong? Exception trace given below.
Create Keystore and the CSR
keytool -genkey -alias certalias -keyalg RSA -keysize 2048 -keystore newkeystore.jks
Create CSR - copy output and submit to Go Daddy.
keytool -certreq -alias certalias -keystore newkeystore.jks
Get the certificates for Tomcat; you will get the certificates below.
gd_bundle-g2-g1.crt - Root Certificate
gdig2.crt.pem - Intermediate Certificate
[randomNumber].crt - Domain Certificate
Convert crt to pem.
openssl x509 -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.pem
openssl x509 -in [randomNumber].crt -out [randomNumber].pem
Join the root and intermediate certificates.
cat gdig2.crt.pem gd_bundle-g2-g1.pem >> clientcertchain.pem
Extract the key from the keystore.
keytool -importkeystore -srckeystore newkeystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias keys -deststorepass -destkeypass
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem
Create pkcs12 keystore
openssl pkcs12 -export -out final.p12 -inkey key.pem -in [randomNumber].crt -CAfile clientcertchain.pem -name "cacertificates"
Create a JKS from the PKCS12 keystore.
keytool -importkeystore -srckeystore final.p12 -srcstoretype PKCS12 -destkeystore wso2carbon.jks
Replace it with wso2carbon.jks located in <WSO2AM_HOME>/repository/resources/security/
Go to <WSO2AM_HOME>/repository/resources/security/
Extract key file to add client keystore
keytool -export -alias cacertificates -keystore newkeystore.jks -file .pem
Add key to client-truststore.jks
keytool -import -alias cacertificates -file .pem -keystore client-truststore.jks -storepass wso2carbon

openssl keeps signing csr with algorithm SHA1withRSA when csr contains SHA256withRSA

Please help... I am using keytool to generate a certificate request with sigalg SHA256withRSA and using openssl to sign the CSR with a self-generated CA, but the output certificate I am receiving shows the signature algorithm as SHA1withRSA. I have verified the .csr and the self-generated CA and they all have SHA256withRSA, and in the openssl.conf file there's no mention of an algorithm, so I haven't got a clue where it is picking up SHA1withRSA from or how to resolve it.
Commands I am running:
To generate Keypair
keytool -genkeypair -alias servercert1 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "cn=servercert1,dc=domain,dc=com" -validity 1095 -keystore server1.keystore -storepass *** -keypass same -v
To generate csr
keytool -certreq -sigalg SHA256withRSA -alias servercert1 -file server1.csr -keystore server1.keystore -storepass ***
To sign csr using openssl
openssl x509 -in server1.csr -out server1.pem -dates -days 1095 -req -CA selfsignedca.pem -CAkey selfsignedcapvt.key -CAcreateserial -passin pass:caroot_password -extfile openssl.conf -extensions v3_req -text
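The Network Solutions rejection in the first question and the SHA1withRSA surprise in this one both come down to which AlgorithmIdentifier an object actually carries, and that is rarely what the submitter assumes: keytool has defaulted to SHA256withRSA for RSA keys since Java 7 (so a CA that only lists md5withrsa and sha1withrsa refuses its CSRs), and a CA signing with openssl x509 -req uses OpenSSL's own default digest unless one such as -sha256 is given on the command line, regardless of what the CSR was signed with (older OpenSSL releases default to SHA-1). The following is an added example, not code from any post on this page: a dependency-free Python checker that reads the outer signatureAlgorithm OID out of a PEM or DER CSR or certificate, names it, and tests it against an allowed-OID list like the one in the error message. The sample request it builds is constructed from hand-written DER and is not a real CSR; the OID names are the standard PKCS#1 ones.

```python
"""Report the signature algorithm a CSR or certificate actually declares.

Added example (not code from any of the posts above). A PKCS#10
CertificationRequest and an X.509 Certificate are both a DER SEQUENCE whose
second element is the AlgorithmIdentifier of the outer signature, so one
walker serves both. The CSR built at the bottom is a constructed stand-in.
"""
import base64
import re

# The two OIDs quoted in the Network Solutions error, plus the SHA-2 family
# (keytool's default for RSA keys since Java 7 is sha256WithRSAEncryption).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Raw OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs = [str(content[0] // 40), str(content[0] % 40)]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def pem_to_der(data):
    """Accept PEM with any label (keytool writes NEW CERTIFICATE REQUEST) or raw DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data

def signature_algorithm(data):
    """Return (oid, name) for the outer signatureAlgorithm of a CSR or certificate."""
    tag, outer, _ = _read_tlv(pem_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("top level is not a SEQUENCE")
    _, _, pos = _read_tlv(outer, 0)         # skip certificationRequestInfo / tbsCertificate
    tag, alg_id, _ = _read_tlv(outer, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def accepted_by(data, allowed_oids):
    """Mirror a CA-side check: is the declared algorithm in the allowed set?"""
    return signature_algorithm(data)[0] in set(allowed_oids)

# --- constructed sample input (not a real request) ---------------------------
def _tlv(tag, content):
    """Minimal DER encoder, only needed to build the sample request."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Dotted string -> OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out

def sample_csr(sig_oid):
    """Stand-in PEM CSR: version-only request info, the given sig alg, a dummy signature."""
    info = _tlv(0x30, _tlv(0x02, b"\x00"))                          # version 0 only
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 33)                                  # BIT STRING, 0 unused bits
    b64 = base64.encodebytes(_tlv(0x30, info + alg + sig))
    return (b"-----BEGIN NEW CERTIFICATE REQUEST-----\n" + b64
            + b"-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    ns_allowed = ["1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"]  # from the error message
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        csr = sample_csr(oid)
        print(signature_algorithm(csr), "accepted:", accepted_by(csr, ns_allowed))
```

Pointing signature_algorithm at the real files (open(path, "rb").read()) on a .csr from keytool -certreq and on the .pem that openssl x509 -req produced shows the two OIDs side by side, which settles where the SHA-1 came from without reading openssl.conf. Only the outer AlgorithmIdentifier is parsed; nothing is verified, so the tool says what an object claims, not whether the signature is valid.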

How to generate trusted self signed certificate with SHA2 signing algorithm using keytool?

I am trying to establish a secure connection for my application using Jetty HTTP server version 8.1.8.v20121106 with a self-signed certificate.
I am generating the self-signed certificate with the following commands:
keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keypass password -keystore keystore.jks -storepass password
keytool -export -alias mykey -file server.cer -keystore keystore.jks -storepass password
keytool -import -alias mykey -file server.cer -keystore truststore.jks -storepass password
So, in total 3 files are generated (keystore.jks, server.cer, truststore.jks).
After the server starts, I get the following error in my browser: There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).
Could anyone help me generate a trusted self-signed certificate using keytool?
Thanks in advance.
It is a problem with the Java JDK. I have verified using Java 1.8 and jdk1.7.0_79 and it is working fine for me. Change your Java JDK version and verify. For further clarification, please refer to this link.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=398644

How to add subject alternative name to ssl certs?

I'm using openssl to create self-signed certs. I'm getting this error with the certs I generated:
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No subject alternative names
present
Does anyone know how to specify "Subject alternative name" while creating a cert?
This is how I'm generating a keystore:
sudo $JAVA_HOME/bin/keytool -genkey -dname "CN=192.168.x.xxx, OU=I, O=I, L=T, ST=On, C=CA" -alias tomcat -validity 3650 -keyalg RSA -keystore /root/.keystore -keypass abcd -storepass abcd
To generate a key:
openssl s_client -connect 192.168.x.xxx:8443 2>/dev/null
Please help! Thanks!
Although this question was more specifically about IP addresses in Subject Alt. Names, the commands are similar (using DNS entries for a host name and IP entries for IP addresses).
To quote myself:
If you're using keytool, as of Java 7, keytool has an option to include a Subject Alternative Name (see the table in the documentation for -ext): you could use -ext san=dns:www.example.com or -ext san=ip:10.0.0.1
Note that you only need Java 7's keytool to use this command. Once you've prepared your keystore, it should work with previous versions of Java.
(The rest of this answer also mentions how to do this with OpenSSL, but it doesn't seem to be what you're using.)
Both IP and DNS can be specified with the keytool additional argument -ext SAN=dns:abc.com,ip:1.1.1.1
Example:
keytool -genkeypair -keystore <keystore> -dname "CN=test, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -keypass <keypwd> -storepass <storepass> -keyalg RSA -alias unknown -ext SAN=dns:test.abc.com,ip:1.1.1.1
When generating a CSR it is possible to specify the -ext attribute again to have it inserted in the CSR:
keytool -certreq -file test.csr -keystore test.jks -alias testAlias -ext SAN=dns:test.example.com
Complete example here: How to create CSR with SANs using keytool
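The exception in the question is the client side of what the -ext SAN answers fix: a TLS client compares the name it dialled against the certificate's Subject Alternative Name entries, and for an IP address target such as 192.168.x.xxx only ip: entries count, so a certificate whose CN is the address and which has no SAN extension at all fails before the chain is even considered. As an added example that is not code from the question or from either answer, the following Python reimplements that RFC 6125 style matching (including wildcard dns: names, which goes beyond the page's plain-name case) and accepts SAN lists written in keytool's own -ext SAN=dns:...,ip:... syntax, so the value passed on the command line can be checked against the name the client will use. The SAN lists and hostnames in it are constructed; the reason strings, apart from the question's quoted message for the empty case, are this example's wording.

```python
"""Hostname verification against Subject Alternative Names.

Added example, not code from the question or either answer above. It
implements the RFC 6125 style check a TLS client performs before trusting a
server certificate: the name it connected to must appear in the SAN extension
as a dns: entry (a wildcard only as the whole left-most label) or, for IP
addresses, as an ip: entry. SAN lists use keytool's -ext SAN= syntax and are
constructed for this example.
"""
import ipaddress

def parse_keytool_san(spec):
    """'dns:test.abc.com,ip:1.1.1.1' -> [('dns', 'test.abc.com'), ('ip', '1.1.1.1')]."""
    entries = []
    for item in spec.split(","):
        kind, sep, value = item.strip().partition(":")
        if not sep or not value:
            raise ValueError(f"malformed SAN entry: {item!r}")
        entries.append((kind.lower(), value))
    return entries

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_matches(pattern, hostname):
    """Case-insensitive match; '*.example.com' covers exactly one extra label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False

def check_san(target, san_entries):
    """Return (ok, reason) for connecting to target with a cert carrying san_entries.

    An empty list reproduces the condition behind the question's
    'No subject alternative names present' exception; the other reason strings
    are this example's own wording, not a library's.
    """
    if not san_entries:
        return False, "No subject alternative names present"
    target_ip = _as_ip(target)
    if target_ip is not None:
        # IP targets are matched only against ip: entries; the CN is never consulted.
        ips = [v for k, v in san_entries if k == "ip"]
        if any(_as_ip(v) == target_ip for v in ips):
            return True, f"matched ip:{target_ip}"
        return False, f"no ip: entry equals {target_ip}"
    for kind, value in san_entries:
        if kind == "dns" and _dns_matches(value, target):
            return True, f"matched dns:{value}"
    return False, f"no dns: entry matches {target}"

if __name__ == "__main__":
    # Constructed cases: the question's CN-only certificate, then the answers' fix.
    print(check_san("192.168.1.10", []))
    print(check_san("192.168.1.10", parse_keytool_san("dns:abc.com,ip:192.168.1.10")))
    print(check_san("www.test.abc.com", parse_keytool_san("dns:*.test.abc.com")))
```

The second case is the one the question needs: the address the browser or Java client dials must be present as an ip: entry, and putting it in the CN or in a dns: entry does not satisfy the check. Regenerate the keystore with the -ext SAN value from the answers and run check_san with that same value and the target you connect to before deploying.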