Import Self Signed Certificates into Netty - ssl

I need to set up SSL for my Netty server for which I am planning to use a self signed certificate. I wanted to know what are the steps involved in doing so ?
Use openssl to get a .key & .csr file.
Do I need to convert the .csr file into pem ?
How do I import the the certificate in the keystore? Is that cacerts on a linux machine?
Do I also need to import the keys into the keystore?

This tutorial shows the steps for using a certificate signed by StartSSL:
http://blog.hintcafe.com/post/33709433256/https-server-in-java-using-netty-and-keystore
I think the steps can be modified for using your self-signed certificate (or you could sign it for free using StartSSL.

Related

Import ssl certificates to Apache Tomcat

I have all the required files to import to my apache tomcat, that is:
the Certificate Request file (CSR file)
the RSA PRIVATE KEY file
the certificates (root, intermediates and Entity/Domain) that was sent to me by the Certificate Authority.
Now i need to import them to my apache tomcat server.
My question is, given that i havent created any key store to my server (the CSR and private key were sent to me, i didnt created them with e.g. keytool), what should be the next steps? Should i have to create a new keystore through keytool -genkey command (which alias?) ?
And if so, which of the files above should i import? As far as i can see the keytool command doesnt support to import an existing CSR.
The extension .crt is often but not always used for certificates in PEM format. First, set aside the CSR; you won't use it. Look at the contents of the privatekey file and each certificate file; do they each have (usually begin with) a line in the format -----BEGIN {one or more words}----- then several lines of base64 and then a similar END line? If so those are PEM files and the content you need is one privatekey and several certs, exactly as you listed. See also (cross) https://crypto.stackexchange.com/questions/43697/what-is-the-difference-between-pem-csr-key-and-crt and https://security.stackexchange.com/questions/183072/pem-cer-crt-p12-what-is-it-all-about .
As noted in the Q Piotr linked, modern Tomcat (8.5 and up) can directly use PEM files for privatekey and cert(s). Older Tomcats with the 'native' SSL option (aka APR, Apache Portable Runtime, which wraps OpenSSL) also do this.
To use PEM data in older Tomcat using Java SSL (JSSE), or other Java applications, see
Convert a CERT/PEM certificate to a PFX certificate
Importing the private-key/public-certificate pair in the Java KeyStore
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
Converting pem with multiple certificates to java keystore
Converting PEM Certificate for use in JAVA Spring Framework
Converting PEM to PKCS12 and import to Java Keystore
Note PFX is the same thing as PKCS12, and while in olden days it was often necessary to convert to PKCS12 using openssl pkcs12 -export and then to JKS using keytool -importkeystore, Java versions since 2017 should accept PKCS12 as a keystore and in fact j9 up make it the default for newly created keystores.

In Two way SSL it is necessary that both certificates(client/server) built using same tool

I need a clarity for two-way SSL, if I Create Client self-sign certificate, using OpenSSL then save it in Pkcs12 file and Server self-sign certificate using Java keytool then save it in Jks file. Can both certificate work for two-way SSL?
Which TLS version openssl used?
The structure of a certificate is a standard and independent of a specific tool. This means it does not matter what tool is used to create certificates as long as it creates proper certificates. Also, the TLS protocol version used inside a connection has nothing to do with the certificate used for the connection and what tool was used to create the certificate.

How do I install a CA-signed certificate in OWIN?

I have a certificate from GoDaddy, which I've previously used for an IIS hosted website. I've now converted the site over to an OWIN self-hosted WebAPI project and would like to use the same certificate for the new site on a brand new machine.
Do I need to install IIS just to import the certificate or is there a way to import it directly into the certificate store like you can with self-signed certificates?
Or does this need to be handled directly in the new OWIN project somehow?
You don't need IIS to import a certificate, you use certmgr (Certificate Manager). You should be able to import the certificate directly with the Windows certificate manager and then use netsh to register it for OWIN using its thumbprint.
SignalR with Self-Signed SSL and Self-Host
Just ignore the part where they import into Root Certification Authorities, GoDaddy is already a trusted CA (although you can download the cert chain/bundle and manually import that as well).
You can create a certificate manager snap-in by running MMC (start->run->MMC), then Add-Remove Snap-ins, choose Certificates. Save to Desktop.
Figured out my problem (though, I don't know if it will help anyone else if they encounter this). Turns out GoDaddy's "Download Certificate" page only downloads certificates without the private key. I had to export the certificate previously imported by IIS, then import it into my Personal store. I assume there's a way to get the private key w/o importing into IIS, but I personally don't know what it is (maybe I just missed a step somewhere this time around).
Yes, certificate must be installed with private key for it work with OWIN. I had to go through the same pain as most(all?) CA issue certificates without private keys. However you must have received the private key before hand. You must have your certificate in .crt format. This does not include the private key in it. So you need to create a certificate of .pfx format with private key in it.
If your private key is in plain text, then create .key file with plain text in as its content.Note that your .key file should have the standard first and last lines of private key else it'll complain about invalid key.
-----BEGIN PRIVATE KEY-----
<key-content>
-----END PRIVATE KEY-----
Now create a .pfx certificate using OpenSSL tool.
openssl pkcs12 -export -out servername.pfx -inkey servername.key -in servername.crt
To import this certificate just double click on .pfx file. In the import wizard choose 'Local Computer - Personal' as certificate store. After successful import you'd also notice a small (lock)key icon appearing on top of installed certificate icon.
Assuming you have bounded the server port with your OWIN application using netsh http add sslcert, it should start working!

No private key in SSL Certificate for IIS 6.0

We use IIS 6.0 (Win2003 SP2) at work and needed to renew our SSL certificate.
I created a certificate request by using openssl. Therefor I'd created a 2048 bit key with openssl first. I did not use that certreq.txt request file, since that produced format errors at the website of our used CA.
That request has been accepted meanwhile and I got a .pem file from our organization's CA. So far so good. I even was able to import the certificate. But unfortunately the private key is missing now. I think, windows (or IIS) just doesn't know, where to look for it. The private key of course lives in a *.key file, that I used for creating the request.
But how may I integrate the key into the certificate or make Windows/IIS using it?
You should be able to build a PKCS#12 file using OpenSSL using:
openssl pkcs12 -export -in cert.pem -inkey file.key -out cert.p12
Then, using the .p12 file, import both the cert and its private key at the same time.
More info on openssl https://www.openssl.org/docs/apps/pkcs12.html
Since your running Windows Server take advantage of DigiCert's free utility (http://www.digicert.com/util).
You can create the CSR from OpenSSL if you plan to import it back to OpenSSL and were using Apache.
Otherwise you'll make the CSR request from IIS or running DigiCert Utility and clicking 'Create CSR' option. Once you have the new CSR, submit it to your CA in order to have them issue a new cert that will match the proper private key in IIS.
Once you receive the new cert file, use the 'Import' function on the utility to load the cert file on your local MMC.
Final step is binding the SSL cert to the site's port 443 connection in the IIS console.
If you happen to need the private key, you can use the 'Export' function to create a .key file or a PFX file which includes both your domain certificate and the private key.
Some firewall devices require a PKCS#12 file over the PFX. If so, rename file extension from .pfx to .p12

verisign certificate into jboss server SSL

i'm trying to enable jboss to uses ssl protocol using a previously generated certificate from verisign, i imported both certificate, server certificate and ca certificate into the keytore file, and i configured the server.xml to use that keystore and activate ssl protocol, then when i run the jboss, I got this error "certificate or key corresponds to the SSL cipher suites which are enabled"
Question, reading some post on internet, i found that every example was made it generating a Certificate Request, it stricly necesary to do that if i already have the server certificate and that CSR has to be imported into the keystore as well ? at this point i'm very confused about this issue, i tried almost every solutions posted in several forums but till now i haven't any luck !! can you give me some tips in order to solve this problem.
thanks in advance
this are my keystore file: Keystore type: jks Keystore provider: SUN
Your keystore contains 2 entries
j2ee, Dec 29, 2009, trustedCertEntry, Certificate fingerprint (MD5): 69:CC:2D:2A:2D:EF:C4:DB:A2:26:35:57:06:29:7D:4C ugent, Dec 29, 2009, trustedCertEntry, Certificate fingerprint (MD5): AC:D8:0E:A2:7B:B7:2C:E7:00:DC:22:72:4A:5F:1E:92
You are almost certainly missing the concept of "private key". You need to have both the private key and the corresponding certified public key for your server. The usual way to do this is to generate a key with keytool with alias say 'mykey', export the pkcs#10 CSR with keytool, get this signed by Verisign (or whomever), then import the signed certificate back into the same keystore with keytool using the same alias 'mykey'. You can also import existing keypairs using keytool, but it can be more painful.
Finally i found a solution for this problem, as you said i need to have my private key, server certificate and ca certificate into my keystore, in this post they explains how to import this 3 existing elements (as in my case) into the keystore using a very useful tool called keyman. http://www.jguru.com/faq/view.jsp?EID=532461
cheers,