running keytool command programmatically - java

I would like to run the following keytool command in java code:
keytool -v \
-genkeypair \
-dname "$SERVER_DN" \
-keystore "$SERVER_DIR"/keystore.jks \
-storepass "$SERVER_PW" \
-keypass "$SERVER_PW" \
-keyalg "EC" \
-alias server \
-validity 1825 \
-deststoretype pkcs12 \
-ext KU=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement \
-ext EKU=serverAuth \
-ext SAN="$SERVER_SAN"
and would like to know the best way to do it programmatically. Is it possible at all?

import java.io.BufferedOutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;

// Build the command as a single line. cmd.exe does not expand shell variables,
// so serverDn, serverDir, serverPw and serverSan are Java variables holding
// the values that $SERVER_DN, $SERVER_DIR, $SERVER_PW and $SERVER_SAN had.
String command = "keytool -v"
        + " -genkeypair"
        + " -dname \"" + serverDn + "\""
        + " -keystore \"" + serverDir + "/keystore.jks\""
        + " -storepass \"" + serverPw + "\""
        + " -keypass \"" + serverPw + "\""
        + " -keyalg EC"
        + " -alias server"
        + " -validity 1825"
        + " -deststoretype pkcs12"
        + " -ext KU=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement"
        + " -ext EKU=serverAuth"
        + " -ext SAN=\"" + serverSan + "\"";
ProcessBuilder pb = new ProcessBuilder("cmd.exe");
pb.redirectErrorStream(true); // read process.getInputStream() afterwards, or the pipe fills up and cmd.exe blocks
Process process = pb.start();
PrintWriter commandWriter = new PrintWriter(new OutputStreamWriter(new BufferedOutputStream(process.getOutputStream())));
commandWriter.println(command);
commandWriter.println("exit"); // otherwise cmd.exe waits for more input and never terminates
commandWriter.flush();
int exitCode = process.waitFor();
You can also read the error stream or input stream from process.getErrorStream() and process.getInputStream().
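Going through cmd.exe means every quote, space and backslash in the DN, path or SAN is interpreted by the shell before keytool sees it, and the store password ends up in the command line, which is visible to every user on the machine via the process list. The program below is an added example (my code, not the poster's) that does the same -genkeypair without a shell: ProcessBuilder receives an argument list, so each value is passed to keytool verbatim, and the password goes through an environment variable using keytool's documented -storepass:env / -keypass:env modifiers. It assumes Java 11+, that the running JVM is a JDK (so <java.home>/bin/keytool exists), and the DN, SAN, alias and keystore path are placeholders. It also uses -storetype (the option -genkeypair documents) with a .p12 file name, and a KU of digitalSignature,keyAgreement rather than the question's list, since keyEncipherment and dataEncipherment have no meaning for an EC key.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/**
 * Runs keytool -genkeypair from Java without a shell in between.
 * Added example, not the original poster's code. Assumes Java 11+ and a JDK
 * as the running JVM; DN, SAN, alias and keystore path below are placeholders.
 */
public final class KeytoolRunner {

    /** Path of the keytool that ships with the JVM running this program. */
    static Path keytoolPath() {
        boolean windows = System.getProperty("os.name", "").toLowerCase().startsWith("windows");
        return Path.of(System.getProperty("java.home"), "bin", windows ? "keytool.exe" : "keytool");
    }

    /**
     * Builds the argument vector. Each element reaches keytool as one argument, so
     * spaces or quotes in the DN and path need no escaping and no shell interprets them.
     * The passwords are not on the command line: keytool reads them from the
     * environment variable named after -storepass:env / -keypass:env.
     */
    static List<String> genKeyPairArgs(String dn, Path keystore, String alias, String san) {
        return List.of(
            keytoolPath().toString(), "-v", "-genkeypair",
            "-dname", dn,
            "-keystore", keystore.toString(),
            "-storetype", "pkcs12",
            "-storepass:env", "SERVER_PW",
            "-keypass:env", "SERVER_PW",
            "-keyalg", "EC",
            "-alias", alias,
            "-validity", "1825",
            "-ext", "KU=digitalSignature,keyAgreement",   // what TLS uses an EC server key for
            "-ext", "EKU=serverAuth",
            "-ext", "SAN=" + san);
    }

    /** Runs keytool, echoes its merged stdout/stderr, and returns the exit code. */
    static int run(List<String> args, char[] password) throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(args).redirectErrorStream(true);
        pb.environment().put("SERVER_PW", new String(password));
        Process p = pb.start();
        p.getOutputStream().close();        // no stdin: keytool cannot hang on an interactive prompt
        String output = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        int exit = p.waitFor();
        System.out.print(output);
        return exit;
    }

    public static void main(String[] argv) throws Exception {
        Path keystore = Path.of("server", "keystore.p12");              // placeholder for $SERVER_DIR
        Files.createDirectories(keystore.getParent());                  // keytool creates the file, not the directory
        List<String> args = genKeyPairArgs(
            "CN=server.example.test, O=Example, C=DE",                  // placeholder for $SERVER_DN
            keystore,
            "server",
            "dns:server.example.test,ip:10.0.0.5");                     // placeholder for $SERVER_SAN
        int exit = run(args, "change-me".toCharArray());                // placeholder for $SERVER_PW
        if (exit != 0) throw new IllegalStateException("keytool failed with exit code " + exit);
    }
}
```

The environment of a process is readable only by its own user (and root), which is a better place for the password than argv; -storepass:file with a mode-0600 file is the other keytool-supported option. Always check the exit code: keytool reports most mistakes (an unparsable DN, an existing alias, a malformed SAN) only through a non-zero exit and a line on stderr.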

Related

Getting error after adding SSL configuration [Apache Ignite]

I'm trying to add SSL to my client / server nodes but I'm getting a "Handshake timed out" from the client side and a "Failed to process selector key" / "Closing NIO session because of unhandled exception" from the server side. I don't know if I am doing things correctly...
I'm using java 11 + ignite 2.7.6 + gridgain 8.7.6
For the keystore creation:
keytool -genkey -alias server-alias -keyalg RSA -keypass password -storepass password -keystore serverkeystore.jks
keytool -genkey -alias client-alias -keyalg RSA -keypass password -storepass password -keystore clientkeystore.jks
Exporting the cer into its own file:
keytool -export -alias server-alias -storepass password -file server.cer -keystore serverkeystore.jks
keytool -export -alias client-alias -storepass password -file client.cer -keystore clientkeystore.jks
Add the certs to the server trust store
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicserverkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicserverkeystore.jks -keypass password -storepass password
Add the certs to the client trust store
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicclientkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicclientkeystore.jks -keypass password -storepass password
Now in the java client node side:
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\clientkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicclientkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);
Now in the java server node side:
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\serverkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicserverkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);
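The question has no answer on this page. As an added check (my code, not from the post), the program below loads the four keystores created by the keytool commands above and asks a PKIX trust manager whether each node's certificate chain would be accepted by the other node's truststore, which is the same decision JSSE makes during the handshake. A "NOT trusted" line here means the handshake cannot succeed regardless of Ignite settings. File names and the password "password" are those from the question; the directory holding the files is assumed to be the working directory or the first argument.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Verifies the cross-trust a mutual-TLS handshake between two nodes needs:
 * the server's key entry must be trusted by the client's truststore and the
 * client's key entry by the server's truststore.
 * Added example, not part of the original post. Assumes Java 9+ and the four
 * .jks files created by the keytool commands above, all with password "password".
 */
public final class MutualTrustCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        // KeyStore.getInstance(File, char[]) detects JKS vs PKCS12 from the file content.
        return KeyStore.getInstance(new File(path), password);
    }

    /**
     * Runs every private-key entry of keyStore through a PKIX trust manager built from
     * trustStore, exactly as JSSE does for a peer certificate. Returns one line per entry.
     */
    static List<String> check(KeyStore keyStore, KeyStore trustStore, boolean asServer) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];

        List<String> report = new ArrayList<>();
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) continue;
            Certificate[] chain = keyStore.getCertificateChain(alias);
            X509Certificate[] x509 = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
            String authType = x509[0].getPublicKey().getAlgorithm();   // "RSA" for the keys generated above
            try {
                x509[0].checkValidity();                                  // expired or not-yet-valid fails the handshake too
                if (asServer) tm.checkServerTrusted(x509, authType);
                else          tm.checkClientTrusted(x509, authType);
                report.add(alias + ": trusted by peer (" + x509[0].getSubjectX500Principal() + ")");
            } catch (CertificateException e) {
                report.add(alias + ": NOT trusted by peer: " + e.getMessage());
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        String dir = args.length > 0 ? args[0] : ".";   // directory holding the four .jks files (assumed)
        char[] pw = "password".toCharArray();
        KeyStore serverKeys  = load(dir + "/serverkeystore.jks", pw);
        KeyStore serverTrust = load(dir + "/publicserverkeystore.jks", pw);
        KeyStore clientKeys  = load(dir + "/clientkeystore.jks", pw);
        KeyStore clientTrust = load(dir + "/publicclientkeystore.jks", pw);

        // What the client verifies when the server presents its certificate ...
        System.out.println("server key vs client truststore:");
        for (String line : check(serverKeys, clientTrust, true)) System.out.println("  " + line);
        // ... and what the server verifies once client authentication is required.
        System.out.println("client key vs server truststore:");
        for (String line : check(clientKeys, serverTrust, false)) System.out.println("  " + line);
    }
}
```

Ignite nodes both open and accept connections to each other, so both checks have to pass. Note also that ClientConnectorConfiguration governs the thin-client/JDBC/ODBC listener (disabled in the question); TLS between the nodes themselves is controlled by the SslContextFactory set on IgniteConfiguration, so it is those keystores and truststores the check above must be run against.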

Java keytool importcert: Illegal option

This is the command I am running in cmd:
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts -storepass changeit
The error is:
illegal option: Files\Java\jdk1.8.0_161\jre\lib\security\cacerts
Has anyone got an idea as to what is going wrong?
Use
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore "C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts" -storepass changeit

openssl/keytool error: java.lang.Exception: Input not an X.509 certificate

I have created certificate through Openssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
and then created a PKCS#12 file using OpenSSL:
openssl pkcs12 -export -in tls.crt -inkey tls.key -out tls.p12
and after that convert it to JKS using
keytool -importkeystore -srckeystore tls.p12 -srcstoretype PKCS12 -destkeystore tls.jks -deststoretype JKS
now when importing this jks file through keytool like this
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.jks -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
I am getting
keytool error: java.lang.Exception: Input not an X.509 certificate
The -import needs a certificate file, not a JKS.
Try :
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.crt -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

Difference between keytool and openssl?

We can generate certificate through keytool like this
keytool -genkey -alias initcert -keyalg RSA -keystore keycloak.jks -validity 365 -keysize 2048
and through openssl also like this
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
What is the difference between these two techniques, and which should we use?
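Both of the last two questions come down to file types, so one added example (my code, not from either post) covers them. keytool and openssl both produce standard X.509 certificates; the difference is the container: openssl writes PEM files (tls.crt, tls.key) and, with pkcs12 -export, a PKCS#12 file, while keytool writes into a keystore, JKS in older releases and PKCS#12 by default since Java 9. Java loads an openssl-made PKCS#12 directly, whereas JKS is a Java-only format. The "Input not an X.509 certificate" error is keytool refusing a keystore where -importcert expects a certificate. The program below tells the three apart, prints what each contains, and assumes only that an optional keystore password is passed as the second argument.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;

/**
 * Tells apart the file types keytool treats differently:
 *   X.509 certificate (PEM or DER) -> keytool -importcert -file
 *   PKCS#12 or JKS keystore        -> keytool -importkeystore -srckeystore
 * Added example, not code from either post. Assumes Java 9+.
 */
public final class CertFileInspector {

    enum Kind { X509_CERT, JKS_KEYSTORE, PKCS12_KEYSTORE, UNKNOWN }

    static Kind inspect(Path file, char[] storePassword) throws IOException {
        byte[] bytes = Files.readAllBytes(file);

        // JKS files start with the magic number 0xFEEDFEED; certificates and PKCS#12 files do not.
        if (bytes.length >= 4 && (bytes[0] & 0xFF) == 0xFE && (bytes[1] & 0xFF) == 0xED
                && (bytes[2] & 0xFF) == 0xFE && (bytes[3] & 0xFF) == 0xED) {
            try {
                describeKeyStore(bytes, "JKS", storePassword);
                return Kind.JKS_KEYSTORE;
            } catch (IOException | GeneralSecurityException e) {
                return Kind.UNKNOWN;        // a JKS header but unreadable (usually a wrong password)
            }
        }

        // A certificate file, either PEM ("-----BEGIN CERTIFICATE-----") or raw DER.
        // CertificateFactory parses both; a keystore or a private-key file makes it throw.
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(bytes));
            if (!certs.isEmpty()) {
                for (Certificate c : certs) describeCert((X509Certificate) c);
                return Kind.X509_CERT;
            }
        } catch (GeneralSecurityException ignored) {
            // not a certificate; try PKCS#12 next
        }

        // PKCS#12: what "openssl pkcs12 -export" writes and what keytool writes by default on Java 9+.
        try {
            describeKeyStore(bytes, "PKCS12", storePassword);
            return Kind.PKCS12_KEYSTORE;
        } catch (IOException | GeneralSecurityException e) {
            return Kind.UNKNOWN;            // neither; a wrong PKCS#12 password also lands here
        }
    }

    static void describeCert(X509Certificate cert) {
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        System.out.println("X.509 certificate: " + cert.getSubjectX500Principal()
                + (selfSigned ? " (self-signed)" : ", issued by " + cert.getIssuerX500Principal())
                + ", expires " + cert.getNotAfter());
    }

    static void describeKeyStore(byte[] bytes, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        // With a null password Java skips the encrypted PKCS#12 bags, so an openssl export
        // shows no entries unless the export password is supplied.
        ks.load(new ByteArrayInputStream(bytes), password);
        for (String alias : Collections.list(ks.aliases())) {
            String role = ks.isKeyEntry(alias) ? "private key + certificate chain" : "trusted certificate";
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(type + " entry '" + alias + "': " + role
                    + (cert == null ? "" : ", " + cert.getSubjectX500Principal()));
        }
    }

    public static void main(String[] args) throws IOException {
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        Kind kind = inspect(Path.of(args[0]), pw);
        System.out.println(args[0] + " -> " + kind);
    }
}
```

Run against the files from the question: tls.crt reports X509_CERT and is the right -file for -importcert; tls.p12 and tls.jks report their keystore types and need -importkeystore instead. Which tool to use follows from what consumes the result: a Java server wants a keystore, so either generate with keytool or convert the openssl output through PKCS#12 as the question already does; anything else (nginx, curl) wants the PEM pair, which keytool alone cannot produce.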

Import StartCom CA certificates in Windows JRE

I have a Java application accessing a service that uses a StartCom SSL certificate. For this to work, I need to add the StartCom CA certs to Java's truststore, because they're not in there by default yet. I've successfully done that on linux using these commands
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
(From this script)
The same command (adapted appropriately) doesn't work on Windows however. I get:
keytool error: java.lang.RuntimeException: Usage error, trustcacerts is not a legal command
How to make it work?
It was a simple typo. In converting the command I forgot a dash before "trustcacerts". :(
On Mac OS X Mavericks 10.9 I did this:
I always make a tmp directory that I delete later, but you don’t have to:
mkdir ~/tmp
cd ~/tmp
Then download the certs:
curl http://www.startssl.com/certs/ca.crt -O
curl http://www.startssl.com/certs/sub.class1.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class2.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class3.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class4.server.ca.crt -O
Get your Java home:
$ /usr/libexec/java_home
/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home
Use keytool to install it:
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
Remove -trustcacerts
Yes, -trustcacerts is the right syntax.
But for the linked script to work under Cygwin you need to remove sudo from all keytool lines - sudo is unavailable in Cygwin.
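Every command in this thread writes into the JDK's own cacerts file, which is why they need sudo and why the change is lost the next time the JDK is updated. The added example below (my code, not from any of the posts) does the same import with the KeyStore API but into a separate application truststore: it copies the JDK's trusted roots, adds the CA certificates from the PEM files, and prints each one's SHA-256 fingerprint, the prompt that -noprompt suppressed and that should be compared with the fingerprint the CA publishes. It assumes the five .crt files from the answer above are in the working directory and that the JDK cacerts still has its default password "changeit"; the output file name and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Java equivalent of the "keytool -import -trustcacerts" loop above, written to an
 * application truststore instead of the JDK's cacerts file.
 * Added example, not the posters' code. Works on Java 8 and later.
 */
public final class TruststoreBuilder {

    /** Loads the JDK truststore: java.home is the JRE dir on Java 8 and the JDK root on 9+, both have lib/security/cacerts. */
    static KeyStore loadJdkCacerts() throws Exception {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());   // the default type reads cacerts on every release
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    /** Adds every certificate in the PEM file as a trusted entry; returns how many were new. */
    static int addTrusted(KeyStore ts, String alias, Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = new FileInputStream(pemFile.toFile())) {
            for (Certificate c : cf.generateCertificates(in)) {           // a PEM file may hold several certs
                X509Certificate cert = (X509Certificate) c;
                cert.checkValidity();                                     // refuse an expired CA certificate
                if (ts.getCertificateAlias(cert) != null) continue;       // already trusted under some alias
                String entryAlias = added == 0 ? alias : alias + "." + added;
                ts.setCertificateEntry(entryAlias, cert);
                System.out.println(entryAlias + "  " + cert.getSubjectX500Principal()
                        + "\n    SHA-256: " + sha256Fingerprint(cert));  // compare with the CA's published value
                added++;
            }
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        KeyStore jdk = loadJdkCacerts();
        KeyStore ts = KeyStore.getInstance("PKCS12");                     // portable format, independent of the JDK's
        ts.load(null, null);
        for (String alias : Collections.list(jdk.aliases())) {            // keep the JDK's public roots
            if (jdk.isCertificateEntry(alias)) ts.setCertificateEntry(alias, jdk.getCertificate(alias));
        }
        String[][] cas = {                                                 // aliases and files from the answer above
            {"startcom.ca",            "ca.crt"},
            {"startcom.ca.sub.class1", "sub.class1.server.ca.crt"},
            {"startcom.ca.sub.class2", "sub.class2.server.ca.crt"},
            {"startcom.ca.sub.class3", "sub.class3.server.ca.crt"},
            {"startcom.ca.sub.class4", "sub.class4.server.ca.crt"},
        };
        for (String[] ca : cas) addTrusted(ts, ca[0], Paths.get(ca[1]));
        char[] outPassword = "change-me".toCharArray();                   // placeholder; it only protects integrity
        try (OutputStream out = new FileOutputStream("app-truststore.p12")) {   // placeholder file name
            ts.store(out, outPassword);
        }
    }
}
```

Point the application at the result with -Djavax.net.ssl.trustStore=app-truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=change-me (or load it into a TrustManagerFactory in code). No sudo is needed, the file can be versioned with the deployment, and a JDK upgrade cannot silently drop the extra roots.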
