java keystore CA certificate validity extension - java

I had a CA certificate which is expiring this year. My key.jks file list as below.
inter, Dec 17, 2019, trustedCertEntry,
....
root, Dec 17, 2019, trustedCertEntry,
....
app.domain.com, Dec 29, 2019, PrivateKeyEntry,
To extend the validity, I submitted the same CSR file that I gave last year. Now I have three new .crt files for inter, root and the domain name.
Now I tried to remove old entries by
keytool -delete -alias inter -keystore key.jks -storepass pword
keytool -delete -alias root -keystore key.jks -storepass pword
keytool -delete -alias app.domain.com -keystore key.jks -storepass pword
and imported the new cert files like
keytool -import -alias inter -file intermediate.crt -keystore key.jks -storepass pword
keytool -import -alias root -file TrustedRoot.crt -keystore key.jks -storepass pword
keytool -import -alias app.domain.com -file app_domain_com.crt -keystore key.jks -storepass pword
Now keytool -list does not show a PrivateKeyEntry for app_domain_com.crt and the application is not coming up.
inter, Dec 15, 2020, trustedCertEntry,
....
root, Dec 15, 2020, trustedCertEntry,
....
app.domain.com, Dec 15, 2020, trustedCertEntry,
I have ADFS SSO integration and wanted to avoid changes with it because of this certificate change.

Your third delete command deleted your private key as well. That's why your application is broken, you need your private key for SSL to work.
When you said you wanted to reuse the same CSR that was used last time, it means you were planning on using the same private key, but you deleted it. That's why you see them as different types after you deleted and imported. In your first keytool list you have app.domain.com as a PrivateKeyEntry (contains private key and certificate), but after you deleted and imported the cert, you have app.domain.com as a TrustedCertEntry (only certificate). If you had not deleted the private key, the import command would have associated the new certificate with it; since the private key is not found, it just adds the certificate.
In your case you should have done these steps:
Not run the third delete command
Imported the new certificate and associated with the existing private key using keytool's -importcert command.
Something to consider when trying to reuse the same CSR as last time can be found here, here and here.
P.S: I hope you have backed up your original keystore.
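The safe renewal described in the answer, as an added example (not code from the question or the answer): it refuses to run unless the alias is still a PrivateKeyEntry, checks that the new leaf certificate carries the same public key as the existing entry (so it really was issued from the reused CSR), backs the keystore up, and only then swaps the chain on the existing key. It assumes the key password equals the store password, as in the question's commands, and that newchain.pem (a hypothetical file) holds the new leaf first, followed by the intermediate(s).

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collection;

public class RenewCertKeepKey {
    // Replace the certificate chain of an existing PrivateKeyEntry without
    // touching the private key. chainPem is assumed to hold the new leaf
    // certificate first, followed by the intermediate(s).
    static void renew(Path ksPath, char[] pass, String alias, Path chainPem) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(ksPath)) {
            store.load(in, pass);
        }
        // Guard 1: refuse to proceed unless the alias still holds a private key.
        // Deleting it (or importing the new cert as a trustedCertEntry under the
        // same alias) is exactly the failure mode in the question above.
        if (!store.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a PrivateKeyEntry");
        }
        PrivateKey key = (PrivateKey) store.getKey(alias, pass);
        Certificate oldLeaf = store.getCertificate(alias);

        Collection<? extends Certificate> certs;
        try (InputStream in = Files.newInputStream(chainPem)) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        Certificate[] chain = certs.toArray(new Certificate[0]);

        // Guard 2: the new leaf must carry the same public key as the existing
        // entry, i.e. it must have been issued from a CSR made with this key.
        if (chain.length == 0 || !Arrays.equals(chain[0].getPublicKey().getEncoded(),
                                                oldLeaf.getPublicKey().getEncoded())) {
            throw new IllegalStateException("new certificate does not match the key under " + alias);
        }

        // Keep a backup, then swap the chain on the existing key and save.
        Files.copy(ksPath, ksPath.resolveSibling(ksPath.getFileName() + ".bak"),
                   StandardCopyOption.REPLACE_EXISTING);
        store.setKeyEntry(alias, key, pass, chain);
        try (OutputStream out = Files.newOutputStream(ksPath)) {
            store.store(out, pass);
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: RenewCertKeepKey key.jks pword app.domain.com newchain.pem
        renew(Paths.get(args[0]), args[1].toCharArray(), args[2], Paths.get(args[3]));
    }
}
```

A keytool -list afterwards should still show the alias as a PrivateKeyEntry, and keytool -list -v should show a chain length greater than 1.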

Related

Can't change the keystore format

I'm trying to make some keystores using keytool from the latest JRE (version 1.8.0_151). When I create the keystore using this command keytool -genkey -alias serverprivate -keystore server.private -keyalg rsa -storepass apassword -keypass apassword it shows me this warning:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate
to PKCS12 which is an industry standard format using "keytool
-importkeystore -srckeystore server.private -destkeystore server.private
-deststoretype pkcs12".
So I type the command, and it says it's done and the old keystore was saved in server.private_old. But when I run keytool -list -keystore server.private and type the password, it is still listed as JKS instead of PKCS12. Why is this?
update
It's not silently changed to pkcs12 either, because when I use KeyStore store = KeyStore.getInstance("pkcs12"); in java it throws an error, while it works fine when using getInstance("JKS");
update 2
And when using keytool -genkey -alias serverprivate -keystore server.private -storetype PKCS12 -keyalg rsa it doesn't show me a warning, but still shows as a JKS keystore when using keytool -list server.private.
It seems to be a bug in what keytool displays rather than what it does. Consider the following experiments.
(EDIT: bug report filed)
First, my jdk version is 1.8.0_152:
excalibur:~ ronan$ java -version
java version "1.8.0_152"
Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)
Now, create the keystore as you specified:
excalibur:~ ronan$ keytool -genkey -alias serverprivate -keystore server.private -keyalg rsa -storepass apassword -keypass apassword
What is your first and last name?
[Unknown]: Art Vandelay
What is the name of your organizational unit?
[Unknown]: Export/Import
What is the name of your organization?
[Unknown]: Vandelay Industries
What is the name of your City or Locality?
[Unknown]: New York
What is the name of your State or Province?
[Unknown]: New York
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Art Vandelay, OU=Export/Import, O=Vandelay Industries, L=New York, ST=New York, C=US correct?
[no]: yes
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.private -destkeystore server.private -deststoretype pkcs12".
Now, following the instructions given:
excalibur:~ ronan$ keytool -importkeystore -srckeystore server.private -destkeystore server.private -deststoretype pkcs12
Enter source keystore password:
Entry for alias serverprivate successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "server.private" to Non JKS/JCEKS. The JKS keystore is backed up as "server.private.old".
But when we list it with keytool it still says JKS.
excalibur:~ ronan$ keytool -list -keystore server.private
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
serverprivate, Dec 4, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 16:E8:C6:12:7A:F1:7A:B8:64:98:EC:12:C4:07:9E:67:06:BD:DD:BD
However, openssl can parse it as pkcs12 just fine.
excalibur:~ ronan$ openssl pkcs12 -in server.private
Enter Import Password:
MAC verified OK
Bag Attributes
friendlyName: serverprivate
localKeyID: 54 69 6D 65 20 31 35 31 32 34 31 33 32 30 38 31 38 32
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Bag Attributes
friendlyName: serverprivate
localKeyID: 54 69 6D 65 20 31 35 31 32 34 31 33 32 30 38 31 38 32
subject=/C=US/ST=New York/L=New York/O=Vandelay Industries/OU=Export/Import/CN=Art Vandelay
issuer=/C=US/ST=New York/L=New York/O=Vandelay Industries/OU=Export/Import/CN=Art Vandelay
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
and the following Java snippet can also parse it.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;

public class Main {
    public static void main(String[] args) throws Exception {
        // Load the file explicitly as PKCS12; this only succeeds if it really is one.
        KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("../../../server.private")) {
            pkcs12.load(in, "apassword".toCharArray());
        }
        for (String alias : Collections.list(pkcs12.aliases())) {
            System.out.println(alias);
        }
    }
}
and the output is
serverprivate
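A check that does not depend on what keytool -list prints, as an added example (not code from the answer above): classify the keystore file from its leading bytes, then confirm by loading it as that type. JKS files start with the magic 0xFEEDFEED and JCEKS files with 0xCECECECE, while a PKCS12 file is DER and therefore starts with a SEQUENCE tag (0x30). The sample headers in main are constructed; the file path and password arguments are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;

public class KeystoreFormat {
    // Classify a keystore by its leading bytes: JKS files begin with the magic
    // 0xFEEDFEED, JCEKS with 0xCECECECE, and a PKCS12 file is DER, so it begins
    // with a SEQUENCE tag (0x30). This is independent of what keytool reports.
    static String sniff(byte[] head) {
        if (head.length >= 4) {
            int magic = ((head[0] & 0xFF) << 24) | ((head[1] & 0xFF) << 16)
                      | ((head[2] & 0xFF) << 8)  |  (head[3] & 0xFF);
            if (magic == 0xFEEDFEED) return "JKS";
            if (magic == 0xCECECECE) return "JCEKS";
        }
        if (head.length >= 1 && (head[0] & 0xFF) == 0x30) return "PKCS12";
        return "unknown";
    }

    // Cross-check: does the provider accept the file as the type the header suggests?
    static boolean loadsAs(String type, String path, char[] pass) {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            KeyStore.getInstance(type).load(in, pass);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample headers, so the classifier can be seen without a file.
        System.out.println(sniff(new byte[] {(byte) 0xFE, (byte) 0xED, (byte) 0xFE, (byte) 0xED})); // JKS
        System.out.println(sniff(new byte[] {0x30, (byte) 0x82, 0x0A, 0x3F}));                    // PKCS12

        if (args.length >= 2) {             // usage: KeystoreFormat server.private apassword
            byte[] head = new byte[4];
            int n;
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                n = in.read(head);
            }
            String guess = sniff(Arrays.copyOf(head, Math.max(n, 0)));
            System.out.println(args[0] + ": header says " + guess + ", loads as " + guess
                    + ": " + loadsAs(guess, args[0], args[1].toCharArray()));
        }
    }
}
```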
The above problem is solved; follow this link for the steps:
https://docs.flutter.dev/deployment/android#create-an-upload-keystore
it contains the updated steps...
After running the
keytool -genkey -v -keystore c:\Users\USER_NAME\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload
I get this command as part of the warning message:
keytool -importkeystore -srckeystore c:\Users\USER_NAME\upload-keystore.jks -destkeystore c:\Users\USER_NAME\upload-keystore.jks -deststoretype pkcs12
and this is the output after running the above command:
Enter source keystore password:
Entry for alias upload successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "c:\Users\USER_NAME\upload-keystore.jks" to PKCS12. The JKS keystore is backed up as "c:\Users\USER_NAME\upload-keystore.jks.old".

Regarding keytool

keytool command is supposed to generate public-private key pairs. I use the following command to generate the public-private key pair:
keytool -genkey -alias test -keystore testkeystore -validity 1000
If I open and look at the keystore, I see the following:
C:\Program Files\Java\jdk1.7.0_25\bin>keytool -list -keystore testkeystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
test, May 1, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0C:FB:51:84:1C:3F:74:C7:1C:F9:F1:DE:E6:89:90:E6:39:78:F3:FD
I am confused as to what is the public key here and what is the private key here. Can anyone help?
The entry contains both the private key and a self-signed certificate containing the public key.

Java code signing certificate issue

I generate a certificate signing request like this:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore xxxx -dname "CN=www.example.com,OU=Infrastructure and Operations, O=ACME, Inc., L=Test, ST=Test, C=US" && keytool -certreq -alias server -file xxxx.csr -keystore xxxx.jks
When a code signing certificate is created, for some reason the CN is set to the organization value instead of the FQDN that I listed originally, www.example.com.
So the cert has CN=ACME, Inc.,OU=Infrastructure and Operations, O=ACME, Inc., L=Test, ST=Test, C=US
Not sure why it didn't take the FQDN.
Oracle docs say:
If a distinguished name string value contains a comma, the comma must be escaped by a "\" character when you specify the string on a command line, as in
cn=peter schuster, o=Sun Microsystems\, Inc., o=sun, c=us
So the valid dname is:
"CN=www.example.com,OU=Infrastructure and Operations, O=ACME\, Inc., L=Test, ST=Test, C=US"

Windows Tomcat7 SSL CA cert says is self signed

Hi, I'm trying to configure Tomcat 7 (7.0.50) on Windows 7 using a cert from a CA (Entrust, if it matters). I downloaded the CA root, chain root and chain cert files, and my new certificate. Per the Tomcat guide, I used the keystore I generated the CSR from and followed these steps:
keytool -import -alias entrust -trustcacerts -keystore crush.jks -file entrust.crt.txt
[prompts me the cert exists in the system wide CA keystore, I still add it]
keytool -import -alias chain-root -trustcacerts -keystore crush.jks -file L1Kchainroot.txt
keytool -import -alias chain -trustcacerts -keystore crush.jks -file L1Kchain.txt
keytool -import -alias tomcat -trustcacerts -keystore crush.jks -file entrustcert.crt.txt
Now when I list the contents of my keystore I see
C:\Users\crush\My Documents\cert>keytool -list -keystore crush.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 5 entries
entrust, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:3
chain, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): CC:A2:7D:33:C7:35:A7:D0:6D:1F:EC:A
chain-root, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:1A:0C:35:E7:14:B6:97:92:D0:90:B
tomcat, Mar 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 6A:77:EC:32:1E:F9:AC:4F:BE:C7:CB:5
crush-windows7, Mar 26, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 04:72:8A:36:56:7E:D5:0F:7E:E9:E0:1
Now I edited my server.xml file to be like so
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1"
keystoreFile="C:\Users\crush\apache-tomcat-7.0.50\conf\crush.jks"
keystorePass="storepassword"
keyPass="keypassword"
/>
When this boots up and I navigate to the page I'll see an untrusted connection warning
crush-windows7.crush.com:8443 uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_ca_cert_invalid)
If I use -v with keytool and inspect the returned certificate I'll see the Issuer as Entrust
Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
But my private key entry has the issuer as myself
Owner: CN=crush-windows7.crush.com, ....
Issuer: CN=crush-windows7.crush.com, ....
I've been messing with this for a couple of hours and bashing my head against the wall. I've done this on Linux before using openssl instead of keytool without issues. Could this be my issue? No matter what connector config I try, it will not boot without the private key entry as the alias and the keyPass option set. If I remove the private key entry it will boot but never complete the SSL handshake. If I use the 'tomcat' alias for the keyAlias it will say
java.io.IOException: Alias name tomcat does not identify a key entry
Can I salvage my current certificate or do I need to generate a new private key and csr and submit a new request then move them to my windows machine? I really feel this is my issue, am I even close to being on point? Using windows for this has been less than comfortable, thanks for helping.
You have made a small mistake in step 4: Instead of updating your PrivateKeyEntry with the certificate issued by Entrust, you have imported it as a trusted certificate.
The right command would have been:
keytool -import -alias crush-windows7 -trustcacerts -keystore crush.jks -file entrustcert.crt.txt

Adding certificate chain to p12(pfx) certificate

I have an application in Java and CXF which connects to web services with a client certificate.
I got the certificates from the WebService owner:
certificate.p12
certificate.pem
certificate.crt
trusted_ca.cer
root_ca.cer
I have a problem with straightforwardly converting this p12 certificate to a working JKS keystore required by Java.
I did this:
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore certificate1.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
keytool -import -alias trusted -file trusted_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
but this JKS doesn't work and I get HTTP response '403: Forbidden' when using this certificate1.jks.
However if I import this p12(pfx) certificate to Internet Explorer and then export this certificate from IE to pfx format selecting "Include all certificates in the certification path" checkbox and use:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore certificate2.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
keytool -import -alias trusted -file trusted_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
Then everything works fine and I can connect to WebService using certificate2.jks.
I found that original certificate.p12(pfx) contains only one entry (Certificate chain length: 1):
keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email#domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
*******************************************
*******************************************
while certificate.pfx exported from IE with "Include all certificates in the certification path" contains certificate chain with second Trusted CA certificate (Certificate chain length: 2):
keytool -list -keystore certificate.pfx -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email#domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
Certificate[2]:
Owner: CN=Trusted CA, O=ble ble ble, C=PL
Issuer: CN=ROOT CA, O=ble ble ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
*******************************************
*******************************************
So to solve my problem I need to have a p12 certificate with a chain to the trusted CA certificate.
I can do this by importing p12 to IE and then exporting back with "Include all certificates in the certification path".
How can I do this without IE using keytool or other tool?
Bary
Own answer.
I figured out how to do this with OpenSSL:
openssl pkcs12 -in certificate.p12 -out clientcert.pem -nodes -clcerts
openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
openssl x509 -in root_ca.cer -inform DER -out root_ca.pem
cat clientcert.pem trusted_ca.pem root_ca.pem >> clientcertchain.pem
openssl pkcs12 -export -in clientcertchain.pem -out clientcertchain.pfx
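The same chain-attaching step done with the Java KeyStore API instead of OpenSSL, as an added example (not the poster's code): it reads the key and leaf from certificate.p12, then walks upward through the supplied CA files, accepting a candidate issuer only if its subject matches and its public key actually verifies the signature, and writes a new PKCS12 with the full chain on the entry. It assumes the p12 holds a single entry, as in the question, that the .cer files are DER or PEM X.509 certificates, and that the output password equals the input one.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class AttachChain {
    // Walk upward from the leaf: at each step choose the CA certificate whose
    // subject equals the current issuer AND whose public key verifies the
    // current certificate's signature, so a same-named but wrong CA is rejected.
    static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> cas) {
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate cur = leaf;
        chain.add(cur);
        while (!cur.getIssuerX500Principal().equals(cur.getSubjectX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate ca : cas) {
                if (!ca.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) continue;
                try { cur.verify(ca.getPublicKey()); issuer = ca; break; }
                catch (Exception e) { /* wrong key for this issuer name, keep looking */ }
            }
            if (issuer == null || chain.size() > 10) {
                throw new IllegalStateException("no verified issuer (or chain too long) for "
                        + cur.getSubjectX500Principal());
            }
            chain.add(issuer);
            cur = issuer;
        }
        return chain;
    }

    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: AttachChain certificate.p12 secret clientcertchain.pfx trusted_ca.cer root_ca.cer
        char[] pass = args[1].toCharArray();
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) { src.load(in, pass); }
        String alias = src.aliases().nextElement();          // single entry, as in the question
        PrivateKey key = (PrivateKey) src.getKey(alias, pass);
        X509Certificate leaf = (X509Certificate) src.getCertificate(alias);

        List<X509Certificate> cas = new ArrayList<>();
        for (int i = 3; i < args.length; i++) cas.add(readCert(args[i]));
        List<X509Certificate> chain = buildChain(leaf, cas);

        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null);                                 // fresh, empty store
        dst.setKeyEntry(alias, key, pass, chain.toArray(new Certificate[0]));
        try (OutputStream out = Files.newOutputStream(Paths.get(args[2]))) { dst.store(out, pass); }
        System.out.println("wrote " + args[2] + " with chain length " + chain.size());
    }
}
```

Running keytool -list -v on the output should now report "Certificate chain length: 2" (or more) for the entry, matching the IE-exported pfx in the question.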
If you are working on Windows, you can install the certificate as usual through IIS, then open mmc.exe -> File -> Add / Remove Snap-in -> double-click "Certificates", select "Computer Account", Next, Finish, OK.
Expand Certificates; if needed, add the certificates from the CA into "Intermediate Certification Authorities" or "Trusted Root Certification Authorities".
Then go to "Web Hosting", where your website certificates must be, select the certificate, click on it, select Export and follow the wizard. The important things to check are "Include Private Key", "Include all certificates in the certification path" and "Export all extended properties"; you must set a password, select the output file name and that is it. Now you have a certificate with the complete chain in it. No more problems with Facebook or similar.
