Difference between keytool and openssl? - java

We can generate a certificate through keytool like this
keytool -genkey -alias initcert -keyalg RSA -keystore keycloak.jks -validity 365 -keysize 2048
and through openssl like this
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
What is the difference between these two techniques, and which one should we use?
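Added example, not code from the question: a script that runs both routes side by side and then crosses over between them. The keytool certificate is exported as PEM so openssl can read it, and the openssl key/certificate pair is bundled into PKCS#12 (the one container both tools understand) and imported into a JKS. It assumes openssl and keytool are on PATH and skips itself otherwise; the file names, the aliases initcert and nginxsvc and the password changeit are demo values.

```shell
#!/bin/sh
# Added example (not from the question): the two routes to a self-signed RSA
# key pair, and how to move each result into the other tool's world.
# Assumes openssl and keytool (JDK) on PATH; names and the password are constructed.

# keytool route: key pair and self-signed certificate are created *inside* a keystore.
keytool_route() {
    keytool -genkeypair -alias initcert -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=nginxsvc,O=nginxsvc" -keystore keycloak.jks -storetype JKS \
        -storepass changeit -keypass changeit >/dev/null || return 1
    # Only the certificate can be exported as PEM (-rfc); the private key stays in the store.
    keytool -exportcert -alias initcert -keystore keycloak.jks -storepass changeit \
        -rfc -file from-keytool.crt >/dev/null || return 1
    # openssl reads that PEM certificate like any other.
    openssl x509 -in from-keytool.crt -noout -subject -dates
}

# openssl route: private key and certificate are two loose PEM files.
openssl_route() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt \
        -subj "/CN=nginxsvc/O=nginxsvc" 2>/dev/null || return 1
    # keytool cannot load loose PEM files into a keystore; PKCS#12 is the bridge.
    openssl pkcs12 -export -in tls.crt -inkey tls.key -name nginxsvc \
        -out tls.p12 -passout pass:changeit || return 1
    keytool -importkeystore -srckeystore tls.p12 -srcstoretype PKCS12 -srcstorepass changeit \
        -destkeystore tls.jks -deststoretype JKS -deststorepass changeit -destkeypass changeit \
        -noprompt >/dev/null
}

# Number of PrivateKeyEntry lines in a keystore listing (expected: exactly one per route).
count_key_entries() {
    keytool -list -keystore "$1" -storepass changeit 2>/dev/null | grep -c PrivateKeyEntry
}

# Runs both routes in a scratch directory. Returns 0 on success, 0 with a note
# when the tools are missing, non-zero on any other failure.
compare_routes() {
    command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 \
        || { echo "openssl or keytool not on PATH; nothing to demonstrate" >&2; return 0; }
    work=$(mktemp -d) || return 1
    ( cd "$work" && keytool_route && openssl_route \
        && [ "$(count_key_entries keycloak.jks)" = 1 ] \
        && [ "$(count_key_entries tls.jks)" = 1 ] )   # subshell keeps the cd from leaking
    rc=$?
    rm -rf "$work"
    return $rc
}

compare_routes
```

The practical difference the script makes visible: keytool never hands you the private key as a file (you can export only the certificate), while openssl gives you key and certificate as separate PEM files that nginx and most non-Java servers consume directly. Each side can still read the other's output through PEM certificates and PKCS#12 bundles, so the choice comes down to where the key has to live: a Java keystore for a JVM application, PEM files for everything else.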

Related

How to generate Java certificates (keystore and truststore) for two way SSL starting from X509 certificates

I have generated with OpenSSL self signed certificates:
Root CA: cacert.crt (the root CA certificate), and root_key.pem (for root private key).
Client: client_cert.crt (the client certificate), and client_key.pem (for private key).
Server: server_cert.crt (the server certificate), and server_key.pem (for private key).
Both client and server certificates are signed with the root key.
As I understand it, for two way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.
My question is how to generate with keytool the two pairs of client/server truststore/keystore starting from these certificates/keys.
After some research, I found the following steps:
For client keystore:
openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt
For client truststore:
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file server_cert.crt -alias servercert -keystore ClientTruststore
For server keystore:
openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%
For server truststore:
keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore
I tested it with a very simple SSL Client/Server by running the program:
java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar
It is working fine.
Any suggestions of improvements are welcomed.

Configure Wildfly to use SSL connection for MariaDB

I want to configure Wildfly 14 to use an encrypted JDBC connection. I tried this:
MariaDB:
mysql -u root -p
CREATE USER 'wildfly' IDENTIFIED BY 'qwerty';
CREATE DATABASE production_gateway;
GRANT ALL PRIVILEGES ON production_gateway.* TO 'wildfly'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;
Create certificate:
mkdir -p /etc/mysql/ssl
cd /etc/mysql/ssl
sudo openssl genrsa 4096 > ca-key.pem
sudo openssl req -new -x509 -nodes -days 36500 -key ca-key.pem -out cacert.pem
sudo openssl req -newkey rsa:4096 -days 36500 -nodes -keyout server-key.pem -out server-req.pem
sudo openssl rsa -in server-key.pem -out server-key.pem
sudo openssl x509 -req -in server-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
sudo openssl req -newkey rsa:2048 -days 36500 -nodes -keyout client-key.pem -out client-req.pem
sudo openssl rsa -in client-key.pem -out client-key.pem
sudo openssl x509 -req -in client-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile cacert.pem server-cert.pem client-cert.pem
Add the certificate to MariaDB under my.cnf:
ssl-ca=/etc/mysql/ssl/cacert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
systemctl restart mysql
Import the certificate into the Java keystore:
cd /usr/lib/jvm/java-11-openjdk-amd64/lib/security/
openssl x509 -outform der -in /etc/mysql/ssl/client-cert.pem -out certificate.der
keytool -import -alias client -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -file certificate.der -storepass changeit
Export the keystore configuration:
export JAVA_OPTS="-Djavax.net.ssl.keyStore=/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit"
When I use this connection link:
jdbc:mariadb://localhost:3306/production_gateway - it's working
But when I use: jdbc:mariadb://localhost:3306/production_gateway?useSSL=true&requireSSL=true
I get:
17:40:30,454 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (External Management Request Threads -- 1) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
17:40:30,472 ERROR [org.jboss.as.controller.management-operation] (External Management Request Threads -- 1) WFLYCTL0013: Operation ("test-connection-in-pool") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "MariaDB")
]) - failure description: "WFLYJCA0040: failed to invoke operation: WFLYJCA0047: Connection is not valid"
Can you advise how I can fix this issue?
I use the JDBC driver mariadb-java-client-2.3.0.jar.
As per my knowledge, you just need to set the requireSSL field to true.
Try with the line below:
jdbc:mariadb://localhost:3306/production_gateway?requireSSL=true
Let us know whether it's working or not.
For more clarification you can check this answer.

openssl/keytool error: java.lang.Exception: Input not an X.509 certificate

I have created a certificate through OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
and then created a PKCS#12 file using OpenSSL:
openssl pkcs12 -export -in tls.crt -inkey tls.key -out tls.p12
and after that converted it to JKS using
keytool -importkeystore -srckeystore tls.p12 -srcstoretype PKCS12 -destkeystore tls.jks -deststoretype JKS
Now when importing this JKS file through keytool like this
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.jks -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
I am getting
keytool error: java.lang.Exception: Input not an X.509 certificate
The -import needs a certificate file, not a JKS.
Try:
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.crt -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

Using BKS with keytool resulting in Failed to establish chain from reply

I am trying to create a BKS keystore but am unable to import a certificate reply.
I am getting the error
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3375)
at sun.security.tools.KeyTool.installReply(KeyTool.java:2583)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:998)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
BKS keystore creation steps:
Step 1: Create root CA key and CA cert using openssl
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -out cacert.crt -outform PEM -keyout cakey.pem -config openssl-ca.cnf
Step 2: Import CA cert to cacerts keystore of keytool as trusted CRT
keytool -importcert -alias root-ca -file cacert.crt -keystore cacerts -storepass changeit
Step 3: Import certificate to BKS keystore as trusted CRT
keytool -importcert -storetype BKS -keystore mykeystore.bks -alias root-ca -file cacert.crt -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 4: Generate key pair
keytool -genkeypair -alias java-client2-key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 5: Generate cert request (CSR)
keytool -certreq -alias java-client2-key -file client2-ugoca.csr -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 6: Sign the CSR using the self-signed root CA created in step 1
openssl x509 -req -days 365 -in client2-ugoca.csr -CA cacert.crt -CAkey cakey.pem -set_serial 300661 -out java-client2.crt
Step 7: Import the signed certificate to the keystore
keytool -v -importcert -alias java-client2-key -file java-client2.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar
Note:
I am able to create a Java JKS keystore using the above steps.
Any help is greatly appreciated!
After step 6, we need to create the client CRT with the root CRT in it as follows:
cat java-client2.crt cacert.crt > client_chain.crt
Then in step 7, import client_chain.crt as below:
keytool -v -importcert -alias java-client2-key -file client_chain.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar
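Added example, not the code from the question or the answer: the same sequence against a plain JKS keystore (the BKS variant differs only by the -storetype, -provider and -providerpath flags shown in the question). It first triggers "Failed to establish chain from reply" by importing the bare leaf certificate, then imports the leaf concatenated with its issuing CA and checks that the entry now holds a chain of length 2. It assumes openssl and keytool on PATH; the CA name demo-ca, the alias, the serial number and the password bks123 are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the question or answer): reproduce "Failed to
# establish chain from reply" in a JKS keystore, then fix it by importing the
# leaf together with the CA that signed it.
# Assumes openssl and keytool on PATH; names, serial and password are constructed.

run_chain_steps() {
    cd "$1" || return 1
    pw=bks123   # constructed demo password

    # Step 1: throwaway root CA (key + self-signed certificate) via openssl.
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout cakey.pem -out cacert.crt 2>/dev/null || return 1

    # Steps 4-5: key pair and CSR from inside the keystore; the private key never leaves it.
    keytool -genkeypair -alias java-client2-key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=java-client2" -keystore mykeystore.jks -storetype JKS \
        -storepass "$pw" -keypass "$pw" || return 1
    keytool -certreq -alias java-client2-key -file client2.csr \
        -keystore mykeystore.jks -storepass "$pw" -keypass "$pw" || return 1

    # Step 6: the CA signs the CSR.
    openssl x509 -req -days 365 -sha256 -in client2.csr -CA cacert.crt -CAkey cakey.pem \
        -set_serial 300661 -out java-client2.crt 2>/dev/null || return 1

    # Step 7, naive: the bare leaf. keytool must link the reply to a root it already
    # holds, and cacert.crt is neither in mykeystore.jks nor in the JDK's cacerts, so
    # this prints "Failed to establish chain from reply" on stderr and exits non-zero.
    if keytool -importcert -alias java-client2-key -file java-client2.crt -noprompt \
            -keystore mykeystore.jks -storepass "$pw" -keypass "$pw"; then
        echo "unexpected: bare leaf import succeeded" >&2
        return 1
    fi

    # Step 7, fixed: hand keytool the whole chain, leaf first, issuer after it.
    cat java-client2.crt cacert.crt > client_chain.crt || return 1
    # Cheap pre-flight: openssl must agree that this CA really issued the leaf.
    openssl verify -CAfile cacert.crt java-client2.crt >/dev/null || return 1
    keytool -importcert -alias java-client2-key -file client_chain.crt -noprompt \
        -keystore mykeystore.jks -storepass "$pw" -keypass "$pw" || return 1

    # The private key entry now carries both certificates.
    keytool -list -v -alias java-client2-key -keystore mykeystore.jks -storepass "$pw" \
        | grep -q "Certificate chain length: 2"
}

# Runs the steps in a scratch directory. Returns 0 on success, 0 with a note
# when the tools are missing, non-zero on any other failure.
reply_chain_demo() {
    command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 \
        || { echo "openssl or keytool not on PATH; skipping" >&2; return 0; }
    work=$(mktemp -d) || return 1
    ( run_chain_steps "$work" )   # subshell keeps the cd from leaking
    rc=$?
    rm -rf "$work"
    return $rc
}

reply_chain_demo
```

The openssl verify line is worth keeping in real scripts: if it fails, the leaf was signed by a different CA than the one you are about to bundle, and keytool would reject the chain for a reason the "Failed to establish chain" message does not spell out.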

How do I import a certificate chain and its certificate into a Java keystore?

I have a wildcard certificate along with a certificate chain and private key.
How do I import that into my Java keystore?
certificate chain
*.whatever.com - certificate
private key
I found the answer here -
You have to convert your certificate to PKCS12 to import it, with a command similar to the following.
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore my-keystore.jks -srckeystore cert-and-key.p12 -srcstoretype PKCS12 -srcstorepass cert-and-key-password -alias 1
To convert from PEM to PKCS12 use the following command.
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt