I have read this good article on running tomcat in https and implemented it.
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/
It is working fine and my tomcat is running in https mode.
But the problem is i got the certificate in BIN format. I need it in X509 format so that i can use it as an raw resource for my Android project
I have used java keytool to create it.Can i use OpenSSL to convert it into X509 Format or java keytool is sufficient?
I am new to this securities stuff.
Please point me in the right direction and clear my doubts.
I think keytool already handles certificates in X509 format only. You should have generated .keystore file. You can export certificate from it using command:
keytool -export -alias mycert -keystore mykeystore.bin -file certificatefile.cer
Yes of course, you can use OpenSSL to convert the certificate and keys to and from the following formats
Standard PEM
DER / Binary
PKCS#7 (aka P7B)
PKCS#12 (aka PFX)
In your case, given a private key file and digital certificate in standard PEM,
convert them both to pkcs12 format using the following steps:
Step 1: Convert the PEMs to a single PKCS12 file
OpenSSL> pkcs12 -export -in CE_cert.cer -inkey CE_prv_key_PEM.key -out
pkcs12_KeyStore.p12 -name ce_cert_prv_key
Heres the doc for OpenSSL PKCS12 command.
Step 2: Import the PKCS12 file created in step 1 into the new JKS
C:\>keytool -importkeystore -srckeystore pkcs12_KeyStore.p12 -srcstoretype pkcs12 -srcstorepass somepass -srcalias ce_cert_prv_key -destk
eystore path/to/JavaKeyStore_KS.jks -deststoretype jks -deststorepass somepass -destkeypass somepass
Now after having the certificate and private key in the JKS format, you can use this JSK key store in Tomcat.
Related
Currently I am doing the API load test using the LoadRunner, where the mTLS is implemented on the server side. Also I am able to include the certficates(2 pem files) using the web_set_certificate_ex function by passing the cerificate paths(clientA-crt.pem and clientA-key.pem) - the calls works perfectly fine.
Now we are planning to use jmeter for load testing. As first step, I converted pem into p12 format using the following command
openssl pkcs12 -export -out Cert.p12 -in clientA-crt.pem -inkey clientA-key.pem -passin pass:root -passout pass:root
https://www.ibm.com/support/knowledgecenter/en/SSPH29_9.0.3/com.ibm.help.common.infocenter.aps/t_ConvertthepfxCertificatetopemFormat068.html
Then next step I am converting the cert.p12 into java keystore using the following command
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root123 -keystore dex.jks -storepass root111
https://www.blazemeter.com/blog/how-set-your-jmeter-load-test-use-client-side-certificates/
The below error is encountered:
Importing keystore Cert.p12 to dex.jks...
keytool error: java.io.IOException: keystore password was incorrect
Can someone let me know where I am going wrong.
Contents of clientA-crt.pem
-----BEGIN CERTIFICATE-----
some alphanumeric values
-----END CERTIFICATE-----
Contents of clientA-key.pem
-----BEGIN RSA PRIVATE KEY-----
some alphanumeric values
-----END RSA PRIVATE KEY-----
You don't need to convert PKCS12 keystore into a JKS keystore, JMeter can deal with both types, moreover it's recommended to use PKCS12 as JKS is a proprietary format. You just need to "tell" JMeter to use PKCS12 format via system.properties file
javax.net.ssl.keyStoreType=pkcs12
javax.net.ssl.keyStore=Cert.p12
javax.net.ssl.keyStorePassword=root
If you want to use the .jks type for any reason you need to provide the same password as you specified during the keystore creation:
keytool -importkeystore -srckeystore Cert.p12 -srcstoretype PKCS12 -srcstorepass root -keystore dex.jks -storepass root111
It might be easier to use a GUI-based tool like KeyStore Explorer if you are not too familiar with OpenSSL and Keytool command-line utilities.
More information: How to Set Your JMeter Load Test to Use Client Side Certificates
This is a little bit of an unusual situation. I have a CentOS 7 server running tomcat 7 and I need to install a new SSL cert for it. I don't have control over the domain so the cert generated for me was given to me by the parent company and it's for a start cert (*.domain.com). Even though I sent them a csr, they ignored it and made a new one for me. The package they sent has a csr file, key, two formats of the cert (crt and p7s), and an intermediary pem.
I'm trying to create a new keystore using these files and am having difficulty doing it. I found this site https://makandracards.com/jan0sch/24553-import-private-key-and-certificate-into-java-keystore and have tried:
openssl pkcs12 -export -in my.crt -inkey my.key -chain -CAfile my-ca-file.crt -name "my-domain.com" -out my.p12
I changed the CAfile to use the pem file supplied, but I get "unable to load certificates"
Anyone have any ideas?
EDIT:
I used this to make the p12 and then import it in the keystore but I don't know how to include the intermediate cert.
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile my.crt -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
EDIT2:
I'm trying this command to get a pfx file and then
EDIT3:
My intermediate cert had a bunch of spaces preceding the "-----BEGIN CERTIFICATE-----" which was causing an error.
Looks like all I had to do was this:
openssl pkcs12 -export -in my.crt -inkey myh.key -certfile intermediary.pem -name "tomcat" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore -deststoretype JKS
Didn't even need to put in the intermediate cert.
Right now I am securing my installation of ElasticSearch using SSL.
In the guide they mention to secure the endpoint by importing an x.509 certificate using the following keytool command:
keytool -importcert -keystore node01.jks -file cacert.pem -alias my_ca
The problem is that I have a .pfx file generated by a CA authority. If I pass the .pfx file keytool bombs saying
Input not an X.509 certificate.
How can I fix this, is there a way to convert the .pfx into a .pem certificate?
You can do so easily using the following command:
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
You can also name the output certificate certificate.pem if you wish. PEM certificates can usually have any of the following extentions: .pem, .crt, .cer, and .key
I have this problem when I import a certification file into keystore:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
I do this this operation:
1) create my keystore on the server :
keytool -genkey -keystore C:\keystore\keystore -alias jboss -keyalg RSA
2) I have domain.pfx and convert it whit this command:
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in domain.pfx -nocerts -nodes -out domain_encrypted.key
openssl rsa -in domain_encrypted.key -out domain.key
Now I have 3 new files:
domain.cer
domain_encrypted.key
domain.key
3) In the end, Import the domain.cer into C:\keystore\keystore in the jboss alias:
keytool -import -alias jboss -keystore C:\keystore\keystore -file C:\cert\domain.cer
But I have this error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What is the problem?
A keystore comprises of two entries types:
Private Key Entry (which binds the private key stored in the keystore with the certificate imported in the keystore.) Here, the alias must remain the same which was used when the keystore file was created.
Trusted Entry :- This entry comprises of all the trusted certificate entries including the root and intermediate certificates.
If a keystore is binded to a domain in the server.xml file of tomcat, then it must contain the private key entry.
Now, as per your performed steps, you created a keystore first (a private key got generated in it) and then you tried to import the certificate in keystore. But in the command you didn't use the private key which you converted using openssl; you used the private key which freshly got generated when you generated the keystore.
As you have the domain.pfx with you, yo can straight away convert it using the below keytool command:
keytool -importkeystore -srckeystore domain.pfx -srcstoretype pkcs12 -destkeystore name_of_the_keystore_file.jks -deststoretype jks
Note: Make sure the keystore password and the key password remains the same.
Change the alias name as another entry with jboss alias should have already been created.
You can view the truststore and alias name in that by executing -> keytool -list -v -keystore . I am sure it will be resolved.
I had the same issue today. I resolved it by having a using a different alias when I imported the certificate. So I had alias1 when generating the keystone and alias2 when importing the certificate.
I created a self-signed digital certificate (.p12 / Type: 2048-RSA) with Adobe Air to sign my Android app. How to get the SHA1 signing certificate fingerprint for it?
You first need to convert your cert from .p12 (pkcs12) to binary .der (DER) format to achieve this. The simplest method I can find is to use this tool.
Alternatively, you can do this yourself by first generating a PEM cert and then the DER cert using these commands:
openssl pkcs12 -in your_certificate.p12 -out your_certificate.pem
openssl rsa -inform PEM -outform DER -in your_certificate.pem -out your_certificate.der
Once you have your DER you can generate the SHA1 like this:
openssl dgst -sha1 your_certificate.der
This worked for me:
keytool -exportcert -keystore [YOUR_CERTIFICATE_PATH] -storepass [YOUR_CERT_PASSWORD] -list -v -storetype PKCS12