Can somebody please explain me the difference between keytool command genkey and selfcert, where I googled and I got both will generate self signed certificate, whats the difference then ?
How can I sign a CSR with a certificate using keytool command ?
Thanks in advance.
genkey creates both a key and a cert. selfcert replaces the cert for an existing key with a new self-cert. Do this when your old cert has expired. If you want to sign it with a different cert (maybe from a CA) use import.
I will first assume that you have generated the CSR and sent it across to a CA. The CA returns back the certificate that you can importcert back into the keystore for the same alias for which you generated the CSR.
So in short:
keytool -v -importcert -keystore mykeystore.jks -alias mycertalias -file CASignedCert.cer -trustcacerts
Related
I tested the solution which given there:
In relation with the topic, How to add a SSL connector for apache karaf?
but I would want to use a certification authority CA.
For that purpose, I generated a CSR from the Keystore generated with a command like :
keytool -certreq -alias MyAlias -file MyCSR.csr -keystore Serverkeystore.jks
then I got back a CRT signed by our CA, but I do not know how to use it and where to declare it.
Would know how to declare it in the file CFG Pax Web? or if I just have to insert it into the store of key Serverkeystore.jks ?
(I am in Karaf V4.0.3)
I am trying to import a certificate into a keystore.
Therefore i execute the following steps:
Create an empty keystore.jks file
Create the file contentent with the keytool:
keytool -genkey -alias server-alias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
Add my certificate to that keystore:
keytool -import -v -trustcacerts -alias server-alias -file C:\server.cert -keystore keystore.jks -keypass changeit -storepass changeit
But I always get the error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What am I doing wrong here and how can I fix it?
In step two you always generate a new key, but if you want to import a certificate and it's private key into the keystore you have to use the key that matches the certificate.
Hence you need the key you created before someone signed your server certificate (the one stored in C:\server.cert).
The following steps have to be performed in the right order:
Create a random public/private key pair. The private key is usually saved password protected
Create a certificate request containing the public key from step 1
Send the certificate request to a trust center which signs it and sends you back the certificate (the server.cert you have)
Save the private key from step 1 together with the returned certificate
Therefore you are always trying to re-do step 1 and 4 without step 2 and 3. Thus you are getting that "don't match" error.
Just complete all steps 1-4 after another. Or use the saved private key that belongs to the server.cert certificate (hopefully you still have it).
I have a webstart application where I want to do client authentication while connecting to the server. I have created pkcs12 certificate which I install using certmgr.exe and it works fine.
I want to do for every client that uses the application. How should I do this? If I distribute the certificate
I get a bad_certificate error. I know there isn't a problem with the certifcate because it would work if you install the certificate using the browser.
I had created the public key using
keytool -export -alias myKey -keystore abc.p12" -storetype PKCS12 -storepass mypassword -rfc -file abc.cer
then I imported this file into my server's keystore for mutual authentication using:
keytool -import -v -file abc.cer -keystore C:\apache-tomcat-7.0.26\tomcat.keystore" -storepass mypassword
after this, if I install abc.p12 certificate in certmgr, it works fine.
To be able to do it from Java, I needed a truststore. I created a truststore where I import the public key using
>keytool -import -keystore client-truststore.jks -file abc.cer
If I try to access the server using
-Djavax.net.ssl.keyStore=abc.p12
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.trustStore=trustore.jks
-Djavax.net.ssl.trustStorePassword=mypassword
I'm not sure if I'm doing the right thing. Please let me know what you think.
What should I be doing? Please let me know your suggestions.
You should have imported it into your server's trust store, not its keystore.
You have to import the cert to your certs file, in the JDK is the cacerts file. After do that you have to view the cert is living on the file, and you will have do that on every client.
The thing about the trust store is that you create your own JKS file.
I am using self signed certificate for HTTPS connection to and from Axis2 server. All of these connections works fine and as desired.
There is a part in my web service which is responsible for sending emails. I am using GMail for the purpose of sending mail.
The problem is when I try to send a mail using an SSL connection I get certificate error, i.e. GMail certificate is not trusted. I had faced a similar problem with JBoss as well. For once I was able to get around this problem downloading GMail certificate and than importing it into the Keystore using Keytool utility. For a long time this had worked.
But only recently I have started to get the Old problem again. I tried to use the old technique that fixed the problem last time, but this time that did not work. (not sure why)
I reckon that GMail uses a signed certificate which out of the box should be trusted by any of the servers, let it be JBoss or Axis2. I fail to figure out what the problem actually is. Is it because of using of Self Signed certificate? Or are there any specific way of creating it so that the Signed certificates are trusted?
Thanks for the help.
To have a SSL encrypted Server/Client communication we need to Keystores and Truststore for Server & Client. Following are the steps to create them.
#Creating Server keystore and exporting a certificate
keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass changeit -keypass changeit -dname "CN=test.com, OU=Test, O=Test, L=London, ST=London, C=UK"
keytool -export -alias serverkeys -keystore server.keystore -storepass changeit -file server.cer
#Creating Client keystore and exporting a certificate
keytool -genkey -alias clientkeys -keyalg RSA -keystore client.keystore -storepass changeit -keypass changeit -dname "CN=test.com, OU=test, O=test, L=London, ST=London, C=UK"
keytool -export -alias clientkeys -keystore client.keystore -storepass changeit-file client.cer
#Making a copy of cacerts file. These copies will be used for client/server truststore
cp /usr/java/jdk1.6.0_14/jre/lib/security/cacerts client.truststore
cp /usr/java/jdk1.6.0_14/jre/lib/security/cacerts server.truststore
#Copying server certificate to Client truststore
keytool -import -trustcacerts -v -keystore client.truststore -storepass changeit -file server.cer
#Copying Client certificate to Server truststore
keytool -import -trustcacerts -v -keystore server.truststore -storepass changeit -file client.cer
During the first few iteration I was not using cacert but directly create truststores from the certificate and that too worked well. Problems came up when we need to connect to some other services using SSL and connection could not be establised even when the service used a Signed Certificate.
For example connecting to GMail SMTP server would faile if the truststore were not created up from cacerts. Reason being even though GMail uses a signed certificate, we wold be using a truststore that would not know if the GMail certificate can be trusted. For this reason we used cacerts to create out truststore. After which we were able to connector any service that uses a Signed Certificate.
If in case we encounter a unsigned certificate we will then have to add them to the Components Truststore.
I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
The server must have its own certificate, clients don't need one.
I started with this
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
To generate key for the server and a self signed certificate.
To sum it up:
Create a new keystore and self-signed certificate with corresponding public/private keys.
keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
Export and examine the self-signed certificate.
keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
Import the certificate into a new truststore.
keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
Then in my server code I do
System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
Socket s = sslServerSocket.accept();
I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
Can it be a problem with the certificate? When using -validity in keytool the certificate gets self-signed, so it should work if I'm not wrong.
Reading the docs seems that setting the property "javax.net.ssl.keyStore" is sufficient for the SSLContext to setup correctly. Any suggestion?
I messed up things a little, complete solution is here: https://forums.oracle.com/forums/thread.jspa?threadID=1531716