This is the command I am running in cmd:
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts -storepass changeit
The error is illegal option: Files\Java\jdk1.8.0_161\jre\lib\security\cacerts Has anyone got an idea as to what is going wrong?
Use
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore "C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts" -storepass changeit
Related
I'm trying to setup eureka discovery server with https enabled in different machine (say 192.168.1.10) with
keytool -genkey -keystore eurekaserver.jks -alias eurekaserver -storepass server1 -keypass server1 -dname "CN=server1, OU=server1, O=server1, L=kvp, S=TN, C=IN"
keytool -export -alias eurekaserver -file eurekaserver.crt -keystore eurekaserver.jks
keytool -import -alias localhost -file client1.crt -keystore eurekaserver.jks
And tried to view eureka dashboard in another machine's browser (say 192.168.2.20)
keytool -genkey -keystore client1.jks -alias client1 -storepass client1 -keypass client1 -dname "CN=client1, OU=client1, O=client1, L=kvp, S=TN, C=IN"
keytool -export -alias client1 -file client1.crt -keystore client1.jks
keytool -import -alias eurekaserver -file eurekaserver.crt -keystore client1.jks
and converted jks to p12 format and added in certificate
But in browser error recevied as
ERR_BAD_SSL_CLIENT_AUTH_CERT
Can anyone help. what possibly I'm doing wrong ?
I'm trying to add SSL in my client / server nodes but i'm getting a "Handshake timed out" from the client side and a "Failed to process selector key" "Closing NIO session because of unhandled exception" from the server side. I don't know if I am doing things correctly...
I'm using java 11 + ignite 2.7.6 + gridgain 8.7.6
For the keystore creation:
keytool -genkey -alias server-alias -keyalg RSA -keypass password -storepass password -keystore serverkeystore.jks
keytool -genkey -alias client-alias -keyalg RSA -keypass password -storepass password -keystore clientkeystore.jks
Exporting the cer into its own file:
keytool -export -alias server-alias -storepass password -file server.cer -keystore serverkeystore.jks
keytool -export -alias client-alias -storepass password -file client.cer -keystore clientkeystore.jks
Add the certs to the server trust store
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicserverkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicserverkeystore.jks -keypass password -storepass password
Add the certs to the client trust store
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicclientkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicclientkeystore.jks -keypass password -storepass password
Now in the java client node side:
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\clientkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicclientkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);
Now in the java server node side:
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\serverkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicserverkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);
I'm trying to install SSL-certificate into Glassfish 4.1.1.
I've done the following:
keytool -importkeystore -srckeystore /home/user/domain.com.jks -destkeystore /opt/glassfish4/glassfish/domains/domain1/config/keystore.jks
keytool -import -trustcacerts -keystore keystore.jks -alias root -file root.crt
keytool -import -trustcacerts -keystore keystore.jks -alias intermediate1 -file 1_cross_Intermediate.crt
keytool -import -trustcacerts -keystore keystore.jks -alias intermediate2 -file 2_issuer_Intermediate.crt
keytool -import -trustcacerts -keystore keystore.jks -alias domain_com -file 3_user_domain.com.crt
Then I renamed SSL-reference for http-listener-2 from 's1as' to 'domain_com' at server-config using Administration Console.
And restarted domain via Administration Console and button 'restart'.
After that, I cannot access my application at https://domain.com:8181. Error:
ERR_CONNECTION_RESET
And even cannot access Administration Console at https://domain.com:4848 with
ERR_CONNECTION_CLOSED
Where can I see what happends and how can I properly configure SSL.
One more remark: passwords for keystore and master-password for glassfish are both default passwords (changeit) and match each other. I've verified.
Can you provide some clues of where to look?
Thank you in advance!
UPDATE: In glassfish-logs I'm having the following exceptions:
[2016-08-17T10:29:53.142+0000] [glassfish 4.1] [WARNING] [] [javax.enterprise.network.config] [tid: _ThreadID=43 _T$
GRIZZLY0050: SSL support could not be configured!
java.io.IOException: A MultiException has 2 exceptions. They are:
1. java.lang.Error: java.security.UnrecoverableKeyException: Cannot recover key
2. java.lang.IllegalStateException: Unable to perform operation: post construct on com.sun.enterprise.security.ssl.$
at org.glassfish.grizzly.config.ssl.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
at org.glassfish.grizzly.config.SSLConfigurator.initializeSSLContext(SSLConfigurator.java:249)
at org.glassfish.grizzly.config.SSLConfigurator.configureSSL(SSLConfigurator.java:131)
at org.glassfish.grizzly.config.SSLConfigurator$InternalSSLContextConfigurator.createSSLContext(SSLConfigur$
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:209)
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:186)
at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:293)
[2016-08-17T10:29:53.143+0000] [glassfish 4.1] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] $
GRIZZLY0013: Exception during FilterChain execution
java.lang.NullPointerException
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:214)
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:186)
at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:293)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111)
You forgot to insert your certificates in cacerts.jks
Include root and intermediate certificates in cacerts like this
keytool -import -trustcacerts -keystore cacerts.jks -alias root -file root.crt
keytool -import -trustcacerts -keystore cacerts.jks -alias intermediate1 -file 1_cross_Intermediate.crt
keytool -import -trustcacerts -keystore cacerts.jks -alias intermediate2 -file 2_issuer_Intermediate.crt
Domain certificate not necessary to insert in cacerts.jks
Probably, still need to work on your keystore. You could use KSE to edit the key, much easier to handle certificates.
Are you sure that the keystore, and the certificate entry, both have the
password "changeit"?
Is the certificate chain right for this certificate entry?
I have signed a JAR file using a certificate i received from a trusted CA.
I followed the complete code-signing process by creating a keystore, create CSR,
submitting the CSR to CA and receive the certificate , importing the certificates into keystore (root, chain and code-signing certificates) and then sign the JAR file.
I have the above in below steps
keytool -genkey -keyalg rsa -keysize 2048 -alias myalias -dname "CN=##,O=##,L=##,ST=##,C=##" -keystore mykeystore -storepass mypass
keytool -certreq -alias myalias -file certreq1.pem -keystore mykeystore
keytool -import -trustcacerts -alias myalias1 -file root.crt -keystore mykeystore
keytool -import -trustcacerts -alias myalias2 -file chain.crt -keystore mykeystore
keytool -import -alias myalias3 -file certificate.crt -keystore mykeystore
jarsigner -keystore mykeystore Applet.jar myalias
But still when i open it in the browser, i am getting the publisher as 'UNKNOWN'.
What am i doing wrong here?
I found what i did incorreclty. While importing the code-signing certificate, i should use the same alias as the original one.
keytool -import -alias **myalias** -file certificate.crt -keystore mykeystore
Once this is done, it works.
I have a Java application accessing a service that uses a StartCom SSL certificate. For this to work, I need to add the StartCom CA certs to Java's truststore, because they're not in there by default yet. I've succesfully done that on linux using these commands
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
(From this script)
The same command (adapted appropriately) doesn't work on Windows however. I get:
keytool error: java.lang.RuntimeException: Usage error, trustcacerts is not a legal command
How to make it work?
It was a simple typo. In converting the command I forgot a dash before "trustcacerts". :(
On Mac OS X Mavericks 10.9 I did this:
I always make a tmp directory that I delete later, but you don’t have to:
mkdir ~/tmp
cd ~/tmp
Then download the certs:
curl http://www.startssl.com/certs/ca.crt -O
curl http://www.startssl.com/certs/sub.class1.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class2.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class3.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class4.server.ca.crt -O
Get your Java home:
$ /usr/libexec/java_home
/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home
Use keytool to install it:
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/securitycacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/securitycacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/securitycacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/securitycacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
Remove -trustcacerts
Yes, -trustcacerts is the right syntax.
But for the linked script to work under Cygwin you need to remove sudo from all keytool lines - sudo is unavailable in Cygwin.