I have a keystore with 16 certificates inside, under different aliases.
When I use this keystore in SoapUI/ReadyAPI and hit the URL:
https://x.y.z.com/...
I can see the 200 response successfully.
So, when I view the keystore with:
keytool -list -v -keystore keystore.jks
I expect to see the word "x.y.z.com" in the CN or SubjectAlternativeName, but I couldn't!
But I can find:
a.b.z.com and a.y.z.com
jdbc:mysql://localhost:3306/MyDb?verifyServerCertificate=true&useSSL=true&requireSSL=true
I downloaded the public certificate from the MySQL server and put it into cacerts like this:
keytool.exe -import -alias mysql_dev \
-keystore /c/dev/tools/Java/jre1.8.0_131/jre/lib/security/cacerts \
-file rds-combined-ca-bundle.pem
I generated new keys using keytool like this:
keytool.exe -genkeypair -alias adam \
-keypass changeit \
-keysize 1024 \
-keystore /c/dev/.secure/haa2xt.jks \
-storepass changeit
So now I can see that Java is picking up both my key from the keystore and the server certificate from the truststore, but still I'm getting the PKIX error.
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
I added this debug param to the command line and got some more info, which all looks good, and I can see the MySQL certificate in there.
-Djavax.net.debug=all
trustStore is: c:\dev\tools\java\jdk1.8.0_131\jre\lib\security\cacerts
trustStore type is : jks
[.....]
keyStore is : C:/dev/.secure/haa2xt.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
*** found key for : adam
What have I done wrong?
It turns out that the keytool import command will only import the first certificate in the PEM file when there are more than one.
This was the only one I checked for as well, so I thought it was fine when actually there were about 15 that I still hadn't imported.
I used this tool to import them all: https://github.com/use-sparingly/keyutil
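The following is an added example, not code from the answer above or from the keyutil tool: it loads every certificate in a PEM bundle (for instance the rds-combined-ca-bundle.pem mentioned in the question) with CertificateFactory.generateCertificates and adds each one to a truststore, which is exactly what a single keytool -import does not do. The bundle path, truststore path, store password and alias prefix are the caller's arguments.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

public class ImportBundle {

    /** Adds each certificate in bundlePath to the truststore at storePath; returns how many were new. */
    public static int importAll(Path bundlePath, Path storePath, char[] storePass, String aliasPrefix)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(storePath)) {
            try (InputStream in = Files.newInputStream(storePath)) {
                ks.load(in, storePass);          // keep the existing entries
            }
        } else {
            ks.load(null, storePass);            // start from an empty store
        }
        // generateCertificates() parses every BEGIN/END CERTIFICATE block in the
        // file, whereas keytool -import reads only the first one.
        Collection<? extends Certificate> certs;
        try (InputStream in = Files.newInputStream(bundlePath)) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        int added = 0, index = 0;
        for (Certificate c : certs) {
            X509Certificate cert = (X509Certificate) c;
            index++;
            if (ks.getCertificateAlias(cert) != null) {
                continue;                        // already present under some alias
            }
            ks.setCertificateEntry(aliasPrefix + "-" + index, cert);
            added++;
        }
        try (OutputStream out = Files.newOutputStream(storePath)) {
            ks.store(out, storePass);
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        // e.g. java ImportBundle rds-combined-ca-bundle.pem truststore.jks changeit
        int n = importAll(Paths.get(args[0]), Paths.get(args[1]), args[2].toCharArray(), "bundle");
        System.out.println("new trusted certificates added: " + n);
    }
}
```

Afterwards keytool -list -keystore truststore.jks should show one trustedCertEntry per certificate in the bundle, which is the quickest way to confirm the whole chain was imported.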
I have a blah.p7b certificate of type PKCS#7 which I want to import into a Java keystore using keytool in order to enable HTTPS on Tomcat. I don't have the alias name and keystore from when the certificate was generated; I took it from the client who wants to enable HTTPS on our web-application server that they use. Can this work without having the original alias name and keystore?
When I tried to import the certificate I used this command:
keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
but it gives me this error:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mydomain>
Please help...
If you haven't got the original KeyStore you are hosed. You have to generate a new KeyStore, a new keypair, a new CSR, get it signed, and then import the signed cert and its chain into the KeyStore using the same alias as the keypair.
I'm using Not-yet-commons-SSL to develop my own TLS socket.
But I always get "No private keys found in keystore" with the following code:
private SSLServer sslS = null;
// ...
sslS = new SSLServer();
KeyMaterial km = new KeyMaterial(certChain, privateKeyFile, certPassword.toCharArray(), privateKeyPassword.toCharArray());
When certChain used the original JRE's cacerts:
C:/Program Files/Java/jre1.8.0_101/lib/security/cacerts
this gives me a java.security.KeyStoreException: No private keys found in keystore!
When certChain used my own:
keytool -certreq -alias 127.0.0.1 -keystore ServerKey.jks -file 127.0.0.1.csr
this gives me a java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
But I am 100% sure that my password is right. My password is a simple "123456"; there is no way I could have got it wrong.
The private key I generated by:
keytool -genkey -alias 127.0.0.1 -keyalg RSA -keystore ServerKey.jks -keysize 2048
How can I solve this problem? Any suggestion?
I am getting this weird error from my java code:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
The command I used to generate the keystore:
keytool -genkey -alias tomcat -keystore keystore.jks
Here is my java code:
import java.security.cert.PKIXParameters;
import java.security.KeyStore;
import java.io.FileInputStream;

public class MyKeyTest {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "mypass";
        ks.load(new FileInputStream("keystore.jks"), password.toCharArray());
        new PKIXParameters(ks);
    }
}
I tried to Google around for this error, but mostly it says this happens when the keystore was not found or cannot be read.
But neither of these two cases is true in my case. Any ideas?
Some brief and simplified background, just in case it's not clear. The PKIXParameters object is used for client certificate validation. This is a way for you to allow or disallow access to your web resources. The way this typically works is that:
you have a list of certificate authority (CA) certificates you trust (this is your trust store).
your application asks the client to provide a digital certificate (the client certificate)
the client cert will include the CA certificate which signed the client cert. If the CA certificate is on your list, the client passes the validation.
The keystore.jks file is your trust store. Your trust store does not currently contain any certificates (just a useless private key). To add a CA certificate you would use this command:
keytool -import -alias <an alias for the CA cert> -file <the trusted CA cert> -keystore <your keystore>
As an example, export a CA certificate from your browser to a file and then import it into your trust store:
Go to your control panel / Internet Options / Content tab and click on Certificates.
Select the "Trusted Root Certificate Authorities" tab and select a certificate (for example the "Microsoft Root Certificate Authority").
Click Export and save it to a file (for this example I used "msroot.cer").
At your command prompt run the following command:
keytool -import -alias msroot -file msroot.cer -keystore keystore.jks
Now when you run your Java code using this updated keystore.jks, it should run just fine.
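As an added example (not part of the answer above), this reproduces what PKIXParameters(KeyStore) does internally: it walks the aliases and turns only trusted-certificate entries into TrustAnchors, so the PrivateKeyEntry created by keytool -genkey contributes nothing. It then raises a descriptive error instead of the bare "trustAnchors parameter must be non-empty". The file name keystore.jks and password "mypass" are taken from the question; the class and method names are my own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

public class TrustAnchorCheck {

    /** The anchors PKIXParameters(KeyStore) would use: only trusted-certificate entries count. */
    public static Set<TrustAnchor> trustAnchorsOf(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
            // A PrivateKeyEntry such as "tomcat" from keytool -genkey is skipped:
            // its certificate belongs to a key entry and is not a trust anchor.
        }
        return anchors;
    }

    /** Builds PKIXParameters, but explains the empty-anchor case instead of the bare exception. */
    public static PKIXParameters buildParams(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = trustAnchorsOf(ks);
        if (anchors.isEmpty()) {
            throw new IllegalStateException("keystore has " + ks.size()
                + " entries but no trusted certificate entries; import a CA certificate with"
                + " keytool -import -alias <ca> -file <ca.cer> -keystore <store>");
        }
        return new PKIXParameters(anchors);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get("keystore.jks"))) {
            ks.load(in, "mypass".toCharArray());
        }
        System.out.println("trust anchors: " + buildParams(ks).getTrustAnchors().size());
    }
}
```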
I'm trying to use KeyStore in order to get info from a keystore.
I've generated the keystore using this command:
keytool -genkey -alias server -keyalg RSA -keystore server.keystore -validity 365 (taken from this page).
Checking its info with keytool -list -v -keystore server.keystore I get the following:
Alias name: server
Creation date: Apr 30, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
(other info here)
Using this command: keytool -list -keystore server.keystore -alias server I get this:
server, Apr 30, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 28:65:5B:0C:B3:3C:C9:AA:F1:7C:CE:91:23:77:DD:0D:F8:54:70:B9
Now, my java code:
keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(getClass().getResourceAsStream(KEYSTORE_FILE_PATH), "myPass".toCharArray());
keyStore.getCertificate("server").getPublicKey().getEncoded(); //here I get a null pointer exception - keystore.getCertificate("server") returns null.
Doing keyStore.aliases() returns an EmptyEnumeration.
The application uses Maven and Java EE 7, and I've copied the keystore file into the resources folder of my application. KEYSTORE_FILE_PATH has the value "/server.keystore".
Thanks.
Class.getResourceAsStream() returns null when there is no resource with the specified name.
KeyStore.load() resets the key store to the empty state when passed a null input stream.
It means that at runtime your code does not find the keystore resource and silently proceeds with the empty keystore.
Add a guarding condition that checks that getResourceAsStream() returned a non-null value before passing it into KeyStore.load().
Review your code and the build/packaging process in Maven to ensure that the keystore file is present at the proper location.
There are some questions about getResourceAsStream() that can be of help for you.
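The guard the answer recommends, as an added example rather than the answerer's code: a missing classpath resource fails with a clear exception instead of KeyStore.load(null, ...) quietly producing an empty store, and an empty store is rejected too. The resource name "/server.keystore" and password "myPass" come from the question; the class and method names are assumptions.

```java
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import java.util.List;

public class ClasspathKeyStore {

    /**
     * Same as ks.load(ctx.getResourceAsStream(path), pw), except that a missing
     * resource fails here instead of silently producing an empty KeyStore.
     */
    public static KeyStore loadFromClasspath(Class<?> ctx, String resourcePath, char[] password)
            throws Exception {
        // With Class.getResourceAsStream a leading "/" means the classpath root, which is
        // where Maven puts files from src/main/resources; without it the path is
        // resolved relative to ctx's package.
        try (InputStream in = ctx.getResourceAsStream(resourcePath)) {
            if (in == null) {
                throw new FileNotFoundException("keystore resource not found on classpath: " + resourcePath);
            }
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            if (ks.size() == 0) {
                throw new IllegalStateException(resourcePath + " loaded but contains no entries");
            }
            return ks;
        }
    }

    public static List<String> aliases(KeyStore ks) throws Exception {
        return Collections.list(ks.aliases());
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadFromClasspath(ClasspathKeyStore.class, "/server.keystore", "myPass".toCharArray());
        System.out.println("aliases: " + aliases(ks));
        // getCertificate("server") is non-null here, or the load above has already failed loudly.
        System.out.println(ks.getCertificate("server").getPublicKey().getAlgorithm());
    }
}
```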