I created a self-signed digital certificate (.p12 / Type: 2048-RSA) with Adobe Air to sign my Android app. How to get the SHA1 signing certificate fingerprint for it?
You first need to convert your cert from .p12 (pkcs12) to binary .der (DER) format to achieve this. The simplest method I can find is to use this tool.
Alternatively, you can do this yourself by first generating a PEM cert and then the DER cert using these commands:
openssl pkcs12 -in your_certificate.p12 -out your_certificate.pem
openssl rsa -inform PEM -outform DER -in your_certificate.pem -out your_certificate.der
Once you have your DER you can generate the SHA1 like this:
openssl dgst -sha1 your_certificate.der
This worked for me:
keytool -exportcert -keystore [YOUR_CERTIFICATE_PATH] -storepass [YOUR_CERT_PASSWORD] -list -v -storetype PKCS12
Related
This is a little bit of an unusual situation. I have a CentOS 7 server running tomcat 7 and I need to install a new SSL cert for it. I don't have control over the domain so the cert generated for me was given to me by the parent company and it's for a start cert (*.domain.com). Even though I sent them a csr, they ignored it and made a new one for me. The package they sent has a csr file, key, two formats of the cert (crt and p7s), and an intermediary pem.
I'm trying to create a new keystore using these files and am having difficulty doing it. I found this site https://makandracards.com/jan0sch/24553-import-private-key-and-certificate-into-java-keystore and have tried:
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
I changed the CAfile to use the pem file supplied, but I get "unable to load certificates"
Anyone have any ideas?
EDIT:
I used this to make the p12 and then import it in the keystore but I don't know how to include the intermediate cert.
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile my.crt -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
EDIT2:
I'm trying this command to get a pfx file and then
EDIT3:
My intermediate cert had a bunch of spaces preceding the "-----BEGIN CERTIFICATE-----" which was causing an error.
Looks like all I had to do was this:
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile intermediary.pem -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
Didn't even need to put in the intermediate cert.
I have 2 files - CSR.csr and newkey.key, both seem to be in PEM format as follows -
-----BEGIN CERTIFICATE REQUEST-----
MIID....
-----END CERTIFICATE REQUEST-----
-----BEGIN RSA PRIVATE KEY-----
MI...
-----END RSA PRIVATE KEY-----
When I'm trying to read the CSR.csr file, I get the following error :
$ openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I read that we get this error when the input file is in DER format, so I tried the following -
$ openssl x509 -inform DER -in CSR.csr -text -noout
but now I get the error -
unable to load certificate
140519053051720:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320:
140519053051720:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:382:Type=X509
And it seems this error occurs when the input file is already in PEM format and one tries to read it in DER format.
Really confused how to go about it as I'm new to SSL. Please help!
In my case I was trying to read my cer file and was receiving the error stated above
openssl x509 -in CSR.csr -text -noout
unable to load certificate
140518720210760:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE
I had to convert it to a crt file using openssl.
openssl x509 -inform DER -in <certname>.cer -out <certname>.crt
openssl x509 -in <certname>.crt -text
Here's the doc i used. I was able to read it using openssl after that
The problem is not PEM vs. DER but that you are using a certificate request in a place where a certificate is expected. This is clearly shown by the PEM header -----BEGIN CERTIFICATE REQUEST-----.
To show the content of a certificate request use
openssl req -in CSR.csr -text
To show the content of a certificate use
openssl x509 -in CERT.crt -text
This ERROR also happens on certificates that are not "certificate request" emmited to be signed by a CA (non-CSR certificate) but which are x509 regular certificates from Windows PKI in ".cer" format
In this case, following "Norbert" answer is the good way to solve the problem, converting the certificate in ".crt'
After the file is able to be dumped using:
openssl x509 -in YOURCERT.crt -noout -text
or
openssl x509 -in YOURCERT.crt -text
Right now I am securing my installation of ElasticSearch using SSL.
In the guide they mention to secure the endpoint by importing an x.509 certificate using the following keytool command:
keytool -importcert -keystore node01.jks -file cacert.pem -alias my_ca
The problem is that I have a .pfx file generated by a CA authority. If I pass the .pfx file keytool bombs saying
Input not an X.509 certificate.
How can I fix this, is there a way to convert the .pfx into a .pem certificate?
You can do so easily using the following command:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
You can also name the output certificate certificate.pem if you wish. PEM certificates can usually have any of the following extentions: .pem, .crt, .cer, and .key
If I have the actual file(.p12) and a Bash shell in Mac, how can I extract certificate and key file and also the certificate expiration date? assuming I have the csr(.p12), key files.
You can use openssl to extract the certificate from the .p12 file to a .pem file using the following command:
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
Then, you can extract the expiration date from the certificate in the .pem file using the following command:
cat certificate.pem | openssl x509 -noout -enddate
You can make the first answer a one-liner without using the intermediate file:
openssl pkcs12 -in certificate.p12 -nodes | openssl x509 -noout -enddate
Extract the client certificate from the pkcs12 file and print its end date:
openssl pkcs12 -in certificate.p12 -clcerts -nodes | openssl x509 -noout -enddate
If you do not include the -clcerts option you may get the end date from a CA certificate instead of from your own certificate. Several CA certificates are usually included within the file as part of the chain of trust.
Here's how you do it on Windows:
certutil -dump "file.pfx"
P.S. I know the question specifically mentions Mac, this is just in case Google sends you here (like it sent me).
I have read this good article on running tomcat in https and implemented it.
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
It is working fine and my tomcat is running in https mode.
But the problem is i got the certificate in BIN format. I need it in X509 format so that i can use it as an raw resource for my Android project
I have used java keytool to create it.Can i use OpenSSL to convert it into X509 Format or java keytool is sufficient?
I am new to this securities stuff.
Please point me in the right direction and clear my doubts.
I think keytool already handles certificates in X509 format only. You should have generated .keystore file. You can export certificate from it using command:
keytool -export -alias mycert -keystore mykeystore.bin -file certificatefile.cer
Yes of course, you can use OpenSSL to convert the certificate and keys to and from the following formats
Standard PEM
DER / Binary
PKCS#7 (aka P7B)
PKCS#12 (aka PFX)
In your case, given a private key file and digital certificate in standard PEM,
convert them both to pkcs12 format using the following steps:
Step 1: Convert the PEMs to a single PKCS12 file
OpenSSL> pkcs12 -export -in CE_cert.cer -inkey CE_prv_key_PEM.key -out
pkcs12_KeyStore.p12 -name ce_cert_prv_key
Heres the doc for OpenSSL PKCS12 command.
Step 2: Import the PKCS12 file created in step 1 into the new JKS
C:\>keytool -importkeystore -srckeystore pkcs12_KeyStore.p12 -srcstoretype pkcs12 -srcstorepass somepass -srcalias ce_cert_prv_key -destk
eystore path/to/JavaKeyStore_KS.jks -deststoretype jks -deststorepass somepass -destkeypass somepass
Now after having the certificate and private key in the JKS format, you can use this JSK key store in Tomcat.