Can't change the keystore format - java

I'm trying to make some keystores using keytool from the latest JRE (version 1.8.0_151). When I create the keystore using this command:
keytool -genkey -alias serverprivate -keystore server.private -keyalg rsa -storepass apassword -keypass apassword
it shows me this warning:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.private -destkeystore server.private -deststoretype pkcs12".
So I type the command, and it says it's done and the old keystore was saved in server.private_old. But when I run keytool -list -keystore server.private and type the password, it is still listed as JKS instead of PKCS12. Why is this?
update
It's not silently changed to pkcs12 either, because when I use KeyStore store = KeyStore.getInstance("pkcs12"); in Java it throws an error, while it works fine when using getInstance("JKS").
update 2
And when using keytool -genkey -alias serverprivate -keystore server.private -storetype PKCS12 -keyalg rsa it doesn't show me a warning, but still shows as a JKS keystore when using keytool -list server.private.

It seems to be a bug in what keytool displays rather than what it does. Consider the following experiments.
(EDIT: bug report filed)
First, my jdk version is 1.8.0_152:
excalibur:~ ronan$ java -version
java version "1.8.0_152"
Java(TM) SE Runtime Environment (build 1.8.0_152-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)
Now, create the keystore as you specified:
excalibur:~ ronan$ keytool -genkey -alias serverprivate -keystore server.private -keyalg rsa -storepass apassword -keypass apassword
What is your first and last name?
[Unknown]: Art Vandelay
What is the name of your organizational unit?
[Unknown]: Export/Import
What is the name of your organization?
[Unknown]: Vandelay Industries
What is the name of your City or Locality?
[Unknown]: New York
What is the name of your State or Province?
[Unknown]: New York
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Art Vandelay, OU=Export/Import, O=Vandelay Industries, L=New York, ST=New York, C=US correct?
[no]: yes
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.private -destkeystore server.private -deststoretype pkcs12".
Now, following the instructions given:
excalibur:~ ronan$ keytool -importkeystore -srckeystore server.private -destkeystore server.private -deststoretype pkcs12
Enter source keystore password:
Entry for alias serverprivate successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "server.private" to Non JKS/JCEKS. The JKS keystore is backed up as "server.private.old".
But when we list it with keytool it still says JKS.
excalibur:~ ronan$ keytool -list -keystore server.private
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
serverprivate, Dec 4, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 16:E8:C6:12:7A:F1:7A:B8:64:98:EC:12:C4:07:9E:67:06:BD:DD:BD
However, openssl can parse it as pkcs12 just fine.
excalibur:~ ronan$ openssl pkcs12 -in server.private
Enter Import Password:
MAC verified OK
Bag Attributes
friendlyName: serverprivate
localKeyID: 54 69 6D 65 20 31 35 31 32 34 31 33 32 30 38 31 38 32
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Bag Attributes
friendlyName: serverprivate
localKeyID: 54 69 6D 65 20 31 35 31 32 34 31 33 32 30 38 31 38 32
subject=/C=US/ST=New York/L=New York/O=Vandelay Industries/OU=Export/Import/CN=Art Vandelay
issuer=/C=US/ST=New York/L=New York/O=Vandelay Industries/OU=Export/Import/CN=Art Vandelay
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
and the following Java snippet can also parse it.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Collections;

public class Main {
    public static void main(String[] args) throws Exception {
        // Load the migrated file explicitly as PKCS12; this would fail if it were still JKS.
        KeyStore pkcs12 = KeyStore.getInstance("PKCS12");
        pkcs12.load(new FileInputStream("../../../server.private"), "apassword".toCharArray());
        for (String alias : Collections.list(pkcs12.aliases())) {
            System.out.println(alias);
        }
    }
}
and the output is
serverprivate
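To settle what is actually on disk without trusting the label keytool prints, here is an added Python check (not part of the original answer) that sniffs the keystore header: JKS and JCEKS files start with fixed magic numbers, while a PKCS12 file is a DER SEQUENCE whose first element is the integer version 3. The sample byte strings are constructed headers, not real keystores.

```python
import struct
from pathlib import Path

JKS_MAGIC = 0xFEEDFEED    # header written by sun.security.provider.JavaKeyStore
JCEKS_MAGIC = 0xCECECECE  # header written by com.sun.crypto.provider.JceKeyStore


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, offset of first content byte)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def sniff_keystore(data: bytes) -> str:
    """Classify keystore bytes as JKS, JCEKS, PKCS12 or unknown from the header alone."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS"
        if magic == JCEKS_MAGIC and version in (1, 2):
            return "JCEKS"
    # PKCS12 (RFC 7292): PFX ::= SEQUENCE { version INTEGER (3), authSafe, macData OPTIONAL }
    if data[:1] == b"\x30":
        try:
            total, pos = _der_length(data, 1)
        except (ValueError, IndexError):
            return "unknown"
        # The outer SEQUENCE must span the whole file and open with INTEGER 3.
        if pos + total == len(data) and data[pos:pos + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "unknown"


def sniff_keystore_file(path) -> str:
    """Convenience wrapper: sniff a keystore file such as server.private."""
    return sniff_keystore(Path(path).read_bytes())


# Constructed sample headers (not real keystores): just enough bytes to exercise the checks.
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 1)
SAMPLE_JCEKS = struct.pack(">III", JCEKS_MAGIC, 2, 1)
_P12_BODY = b"\x02\x01\x03" + b"\x30\x00"            # version 3 followed by an (empty) authSafe
SAMPLE_PKCS12 = b"\x30" + bytes([len(_P12_BODY)]) + _P12_BODY
_P12_BODY_LONG = b"\x02\x01\x03" + b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_PKCS12_LONG = b"\x30\x82" + len(_P12_BODY_LONG).to_bytes(2, "big") + _P12_BODY_LONG
```

Running sniff_keystore_file on the migrated server.private reports PKCS12 even though keytool -list prints JKS, which is the discrepancy the answer describes.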

The above problem is solved; follow this link for the steps:
https://docs.flutter.dev/deployment/android#create-an-upload-keystore
It contains the updated steps.
After running
keytool -genkey -v -keystore c:\Users\USER_NAME\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload
I get this command as part of the warning message:
keytool -importkeystore -srckeystore c:\Users\USER_NAME\upload-keystore.jks -destkeystore c:\Users\USER_NAME\upload-keystore.jks -deststoretype pkcs12
and this is the output after running the above command:
Enter source keystore password:
Entry for alias upload successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "c:\Users\USER_NAME\upload-keystore.jks" to PKCS12. The JKS keystore is backed up as "c:\Users\USER_NAME\upload-keystore.jks.old".

Related

Import private key and certificates into Java keystore

I have been provided with:
A private key (-----BEGIN RSA PRIVATE KEY-----)
Intermediate CA cert (-----BEGIN CERTIFICATE-----)
Root CA cert (-----BEGIN CERTIFICATE-----)
SSL connectivity exists and I have proven this successfully using curl:
curl -vv https://thirdparty.service.com --key private.pem --cert cert.crt
However, I wish to establish this SSL connection using Java. Given this, I know I need to import these certificates and key into my Java keystore.
I initially imported the Intermediate and Root CA certs only into my Java keystore but I could not establish a successful SSL connection to the third party service. Based on my curl command, I realised that I need to somehow import the private key into the Java keystore.
I have tried many openssl/keytool commands and this is the current combination/command I have running. I still cannot establish an SSL connection using Java.
cat cert.crt cachain.crt > import.pem
echo "pazzword" > pazzword.txt
openssl pkcs12 -export -in import.pem -inkey privkey.pem -name my_bundle -passout file:pazzword.txt > server.p12
${JAVA_HOME}/bin/keytool -importkeystore -srckeystore server.p12 -destkeystore ${JAVA_HOME}/jre/lib/security/cacerts -srcstoretype pkcs12 -srcstorepass pazzword -deststorepass changeit
Versions:
openjdk version "1.8.0_345"
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
Can someone please help clarify what I should be doing with the certs and key I have above?
A successful SSL connection using my Java

Regarding keytool

The keytool command is supposed to generate public-private key pairs. I use the following command to generate the public-private key pair:
keytool -genkey -alias test -keystore testkeystore -validity 1000
If I open and look at the keystore, I see the following:
C:\Program Files\Java\jdk1.7.0_25\bin>keytool -list -keystore testkeystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
test, May 1, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0C:FB:51:84:1C:3F:74:C7:1C:F9:F1:DE:E6:89:90:E6:39:78:F3:FD
I am confused as to what is the public key here and what is the private key here. Can anyone help?
The entry contains both the private key and a self-signed certificate containing the public key.

Java code signing certificate issue

I generate a certificate signing request like this:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore xxxx -dname "CN=www.example.com,OU=Infrastructure and Operations, O=ACME, Inc., L=Test, ST=Test, C=US" && keytool -certreq -alias server -file xxxx.csr -keystore xxxx.jks
When a code signing certificate is created, for some reason the CN is set to the organization value instead of the FQDN that I listed originally, www.example.com.
So the cert has CN=ACME, Inc.,OU=Infrastructure and Operations, O=ACME, Inc., L=Test, ST=Test, C=US
Not sure why it didn't take the FQDN.
Oracle docs say:
If a distinguished name string value contains a comma, the comma must be escaped by a "\" character when you specify the string on a command line, as in
cn=peter schuster, o=Sun Microsystems\, Inc., o=sun, c=us
So the valid dname is:
"CN=www.example.com,OU=Infrastructure and Operations, O=ACME\, Inc., L=Test, ST=Test, C=US"
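The escaping rule from the Oracle docs, applied as an added Python helper (not from the original answer) that builds a -dname string from typed components and shows how a parser splits the escaped and unescaped forms of the question's organization value; the leading/trailing space and '#' cases follow RFC 2253.

```python
import re

# Characters RFC 2253 requires to be backslash-escaped inside an attribute value;
# keytool's -dname parser follows the same convention.
_SPECIAL = set(',+"\\<>;')


def escape_dname_value(value: str) -> str:
    """Escape one attribute value so it survives keytool's comma-separated -dname syntax."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):           # a leading '#' or space must also be escaped
        out = "\\" + out
    if out.endswith(" "):               # ... as must a trailing space
        out = out[:-1] + "\\ "
    return out


def build_dname(rdns) -> str:
    """Build a -dname string from (type, value) pairs, escaping every value."""
    return ",".join(f"{t}={escape_dname_value(v)}" for t, v in rdns)


def split_dname(dname: str):
    """Split a dname on unescaped commas, which is how a parser sees the RDNs."""
    return [p.strip() for p in re.split(r"(?<!\\),", dname)]


def malformed_rdns(dname: str):
    """Return the pieces that are not type=value pairs, i.e. what an unescaped comma produces."""
    return [p for p in split_dname(dname) if "=" not in p]


# The components from the question; only the O value contains a comma.
ACME = [("CN", "www.example.com"), ("OU", "Infrastructure and Operations"),
        ("O", "ACME, Inc."), ("L", "Test"), ("ST", "Test"), ("C", "US")]
```

For the unescaped string from the question, malformed_rdns returns ["Inc."], the stray RDN that the comma in "ACME, Inc." creates; for build_dname(ACME) it returns an empty list.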

Adding certificate chain to p12(pfx) certificate

I have an application in Java and CXF which connects to web services with a client certificate.
I got these certificates from the WebService owner:
certificate.p12
certificate.pem
certificate.crt
trusted_ca.cer
root_ca.cer
I have a problem with straightforwardly converting this p12 certificate to a working JKS keystore required by Java.
I did this:
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore certificate1.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
keytool -import -alias trusted -file trusted_ca.cer -trustcacerts -keystore certificate1.jks -storepass secret
but this JKS doesn't work and I get HTTP response '403: Forbidden' when using certificate1.jks.
However, if I import this p12 (pfx) certificate into Internet Explorer, then export it from IE in pfx format with the "Include all certificates in the certification path" checkbox selected, and use:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore certificate2.jks -deststoretype JKS -storepass secret
keytool -import -alias root -file root_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
keytool -import -alias trusted -file trusted_ca_kir.cer -trustcacerts -keystore certificate2.jks -storepass secret
Then everything works fine and I can connect to WebService using certificate2.jks.
I found that original certificate.p12(pfx) contains only one entry (Certificate chain length: 1):
keytool -list -keystore certificate.p12 -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email#domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
*******************************************
*******************************************
while certificate.pfx exported from IE with "Include all certificates in the certification path" contains a certificate chain with a second (Trusted CA) certificate (Certificate chain length: 2):
keytool -list -keystore certificate.pfx -storepass secret -storetype PKCS12 -v
*******************************************
*******************************************
Alias name: alias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=MyCompany, EMAILADDRESS=my.email#domain.com, O=bla, C=PL
Issuer: CN=Trusted CA, O=ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: X.X.XX.XX Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
...
Certificate[2]:
Owner: CN=Trusted CA, O=ble ble ble, C=PL
Issuer: CN=ROOT CA, O=ble ble ble, C=PL
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: ... until: ...
Certificate fingerprints:
MD5: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
SHA1: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
*******************************************
*******************************************
So to solve my problem I need to have a p12 certificate with the chain up to the trusted CA certificate.
I can do this by importing p12 to IE and then exporting back with "Include all certificates in the certification path".
How can I do this without IE using keytool or other tool?
Bary
Own answer.
I figured out how to do this with OpenSSL:
openssl pkcs12 -in certificate.p12 -out clientcert.pem -nodes -clcerts
openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
openssl x509 -in root_ca.cer -inform DER -out root_ca.pem
cat clientcert.pem trusted_ca.pem root_ca.pem >> clientcertchain.pem
openssl pkcs12 -export -in clientcertchain.pem -out clientcertchain.pfx
If you are working on Windows, you can install the certificate as usual through IIS, then open mmc.exe -> File -> Add / Remove Snap In -> double click on "Certificates", select "Computer Account", Next, Finish, OK.
Expand Certificates; if needed, add the certificates from the CA into "Intermediate Certification Authorities" or "Trusted Root Certification Authorities".
Then go to "Web Hosting", where your website certificates must be, select the certificate, left click on it, select Export and follow the wizard. The important things to check are "Include Private Key", "Include all certificates in the certification path" and "Export all extended properties"; you must set a password, select the output file name and that is it. Now you have a certificate with the complete chain in it. No more problems with Facebook or similar.

keytool error: java.security.KeyStoreException: BKS not found

How do I create a .bks keystore with the Java Sun keytool? What should I do?
C:\Program Files\Java\jdk1.6.0\jre\bin>keytool -genkey -alias server3private -keystore server3.private -storetype BKS -keyalg rsa -dname "CN=Your Name, OU=Your Organizational Unit, O=Your Organization, L=Your City, S=Your State, C=Your Country" -storepass tahirpw -keypass tahirpw
It gives me this error:
keytool error: java.security.KeyStoreException: BKS not found
Your error indicates that keytool tries to instantiate a BKS keystore but no Cryptographic Service Provider (CSP) is able to provide such an implementation. The BKS keystore type is a type implemented by the BouncyCastle CSP.
Therefore there are two solutions:
Install this provider with Java. Oracle published comprehensive documentation on this along with Java.
Pass keytool the suitable options to indicate which CSP should be used and its location:
-storetype BKS <- keystore type
-provider org.bouncycastle.jce.provider.BouncyCastleProvider <- CSP implementation
-providerpath /path/to/bouncycastle.jar <- Path to the CSP jar file
