Using BKS with keytool resulting in Failed to establish chain from reply - java

I am trying to create a BKS keystore but am unable to import a certificate reply.
I am getting the error:
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:3375)
at sun.security.tools.KeyTool.installReply(KeyTool.java:2583)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:998)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
BKS keystore creation steps:
Step 1: Create the root CA key and CA cert using openssl
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -out cacert.crt -outform PEM -keyout cakey.pem -config openssl-ca.cnf
Step 2: Import the CA cert into keytool's cacerts keystore as a trusted cert
keytool -importcert -alias root-ca -file cacert.crt -keystore cacerts -storepass changeit
Step 3: Import the CA certificate into the BKS keystore as a trusted cert
keytool -importcert -storetype BKS -keystore mykeystore.bks -alias root-ca -file cacert.crt -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 4: Generate the key pair
keytool -genkeypair -alias java-client2-key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 5: Generate the certificate request (CSR)
keytool -certreq -alias java-client2-key -file client2-ugoca.csr -storetype BKS -keystore mykeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keypass bks123 -storepass bks123 -providerpath bcprov-ext-jdk15on-154.jar
Step 6: Sign the CSR using the self-signed root CA created in step 1
openssl x509 -req -days 365 -in client2-ugoca.csr -CA cacert.crt -CAkey cakey.pem -set_serial 300661 -out java-client2.crt
Step 7: Import the signed certificate into the keystore
keytool -v -importcert -alias java-client2-key -file java-client2.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar
Note: I am able to create a Java JKS keystore using the above steps.
Any help is greatly appreciated!

After step 6, we need to create the client CRT with the root CRT in it as follows:
cat java-client2.crt cacert.crt > client_chain.crt
Then in step 7, import client_chain.crt as below:
keytool -v -importcert -alias java-client2-key -file client_chain.crt -trustcacerts -storetype BKS -keystore mykeystore.bks -keypass bks123 -storepass bks123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-154.jar
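What keytool is checking when it reports this error, as an added example that is not part of the original question or answer: an -importcert reply is accepted only if keytool can walk from the reply certificate, issuer by issuer, to a self-signed root, finding each issuer either among the other certificates in the reply file or among the certificates it already trusts (entries in the keystore and, with -trustcacerts, the cacerts file). The Python below reproduces that walk with the standard library alone. The certificates it uses are constructed here (CN "Root CA" and CN "java-client2" stand in for cacert.crt and java-client2.crt); they have valid X.509 structure but all-zero signatures, so the per-link signature verification that keytool also performs is left out.

```python
# Added example (not from the original post): what keytool's -importcert does when it
# "establishes a chain" for a reply, using only the standard library. Certificates here are
# constructed, structurally valid DER with zero signatures, not real credentials.
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(tag, value):
    """Encode one DER TLV, using the long length form when the value is 128 bytes or more."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position just after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def issuer_and_subject(cert_der):
    """Return the DER content of the issuer and subject Names of an X.509 certificate."""
    tbs = _children(_read_tlv(cert_der, 0)[1])[0][1]      # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                      # serial, sigAlg, issuer, validity, subject

def common_name(name_content):
    """CN of a Name holding a single CN attribute (the only shape this example builds)."""
    atv = _children(_children(name_content)[0][1])[0][1]   # RDN SET -> AttributeTypeAndValue
    return _children(atv)[1][1].decode()

def pem_to_der_list(pem):
    """All CERTIFICATE blocks of a PEM file, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem)]

def establish_chain(reply_pem, trusted_pems):
    """Walk from the first reply certificate up to a self-signed root, resolving each issuer among the
    other reply certificates first, then among the trusted certificates (keystore entries and, with
    -trustcacerts, cacerts). Returns the chain leaf-first, or raises keytool's complaint."""
    reply = pem_to_der_list(reply_pem)
    pool = {}
    for cert in reply + [d for p in trusted_pems for d in pem_to_der_list(p)]:
        pool.setdefault(issuer_and_subject(cert)[1], cert)
    chain = [reply[0]]
    while True:
        issuer, subject = issuer_and_subject(chain[-1])
        if issuer == subject:
            return chain
        if issuer not in pool:
            raise Exception("Failed to establish chain from reply: no certificate with subject CN=%s"
                            % common_name(issuer))
        chain.append(pool[issuer])

def reply_establishes_chain(reply_pem, trusted_pems):
    try:
        establish_chain(reply_pem, trusted_pems)
        return True
    except Exception:
        return False

def chain_cns(reply_pem, trusted_pems):
    """Subject CNs of the established chain, leaf first."""
    return [common_name(issuer_and_subject(c)[1]) for c in establish_chain(reply_pem, trusted_pems)]

# Constructed certificates standing in for cacert.crt and java-client2.crt.
RSA_OID = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption

def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String cn } } }"""
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    """Certificate with the right field layout and an all-zero signature: enough for chain building."""
    sig_alg = _tlv(0x30, SHA256_RSA_OID + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    spki = _tlv(0x30, _tlv(0x30, RSA_OID + _tlv(0x05, b"")) + _tlv(0x03, b"\x00\x00"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
           + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _tlv(0x30, _tlv(0x30, tbs) + sig_alg + _tlv(0x03, b"\x00" * 5))

def to_pem(der):
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"

CACERT = to_pem(fake_cert("Root CA", "Root CA"))         # self-signed root, as in step 1
CLIENT = to_pem(fake_cert("java-client2", "Root CA"))    # CA-signed leaf, as in step 6
```

chain_cns(CLIENT, [CACERT]) and chain_cns(CLIENT + CACERT, []) both return ['java-client2', 'Root CA']; the second call is the concatenated client_chain.crt from the answer and shows why carrying the issuer inside the reply removes the dependence on what the BKS store or cacerts happen to contain, while reply_establishes_chain(CLIENT, []) is False, the situation the error message describes. One caveat worth knowing: when the reply is a multi-certificate file, keytool still compares the top of the resulting chain against its trusted certificates and prompts "Install reply anyway?" if nothing matches, so trust still comes from the store (here the root imported in step 3), not from whatever CA the reply file happens to carry.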

Related

How to generate Java certificates (keystore and truststore) for two way SSL starting from X509 certificates

I have generated self-signed certificates with OpenSSL:
Root CA: cacert.crt (the root CA certificate), and root_key.pem (for the root private key).
Client: client_cert.crt (the client certificate), and client_key.pem (for the private key).
Server: server_cert.crt (the server certificate), and server_key.pem (for the private key).
Both client and server certificates are signed with the root key.
As I understand it, for two-way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.
My question is how to generate, with keytool, the two pairs of client/server truststore/keystore starting from these certificates/keys.
After some research, I found the following steps:
For client keystore:
openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt
For client truststore:
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file client_cert.crt -alias servercert -keystore ClientTruststore
For server keystore:
openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%
For server truststore:
keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore
I tested it with a very simple SSL client/server by running the programs:
java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar
It is working fine.
Any suggestions of improvements are welcomed.

Error ERR_BAD_SSL_CLIENT_AUTH_CERT in setting up secure https eureka discovery server in remote machine

I'm trying to set up a Eureka discovery server with HTTPS enabled on a different machine (say 192.168.1.10) with
keytool -genkey -keystore eurekaserver.jks -alias eurekaserver -storepass server1 -keypass server1 -dname "CN=server1, OU=server1, O=server1, L=kvp, S=TN, C=IN"
keytool -export -alias eurekaserver -file eurekaserver.crt -keystore eurekaserver.jks
keytool -import -alias localhost -file client1.crt -keystore eurekaserver.jks
And tried to view the Eureka dashboard in another machine's browser (say 192.168.2.20):
keytool -genkey -keystore client1.jks -alias client1 -storepass client1 -keypass client1 -dname "CN=client1, OU=client1, O=client1, L=kvp, S=TN, C=IN"
keytool -export -alias client1 -file client1.crt -keystore client1.jks
keytool -import -alias eurekaserver -file eurekaserver.crt -keystore client1.jks
and converted the JKS to P12 format and added it as a certificate.
But in the browser the error received is
ERR_BAD_SSL_CLIENT_AUTH_CERT
Can anyone help? What could I possibly be doing wrong?

Getting error after adding SSL configuration [Apache Ignite]

I'm trying to add SSL to my client / server nodes but I'm getting a "Handshake timed out" from the client side and a "Failed to process selector key" "Closing NIO session because of unhandled exception" from the server side. I don't know if I am doing things correctly...
I'm using Java 11 + Ignite 2.7.6 + GridGain 8.7.6
For the keystore creation:
keytool -genkey -alias server-alias -keyalg RSA -keypass password -storepass password -keystore serverkeystore.jks
keytool -genkey -alias client-alias -keyalg RSA -keypass password -storepass password -keystore clientkeystore.jks
Exporting the certs into their own files:
keytool -export -alias server-alias -storepass password -file server.cer -keystore serverkeystore.jks
keytool -export -alias client-alias -storepass password -file client.cer -keystore clientkeystore.jks
Add the certs to the server truststore:
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicserverkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicserverkeystore.jks -keypass password -storepass password
Add the certs to the client truststore:
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicclientkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicclientkeystore.jks -keypass password -storepass password
Now on the Java client node side:
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\clientkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicclientkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);
Now on the Java server node side:
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\serverkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicserverkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);

openssl/keytool error: java.lang.Exception: Input not an X.509 certificate

I have created a certificate through OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
and then created a PKCS#12 file using OpenSSL:
openssl pkcs12 -export -in tls.crt -inkey tls.key -out tls.p12
and after that converted it to JKS using
keytool -importkeystore -srckeystore tls.p12 -srcstoretype PKCS12 -destkeystore tls.jks -deststoretype JKS
Now when importing this JKS file through keytool like this:
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.jks -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
I am getting
keytool error: java.lang.Exception: Input not an X.509 certificate
The -import needs a certificate file, not a JKS.
Try:
keytool -import -noprompt -trustcacerts -alias "nginxsvc" -file tls.crt -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

UNKNOWN publisher even after signing the JAR using trusted certificate

I have signed a JAR file using a certificate I received from a trusted CA.
I followed the complete code-signing process: creating a keystore, creating a CSR,
submitting the CSR to the CA and receiving the certificate, importing the certificates into the keystore (root, chain and code-signing certificates) and then signing the JAR file.
I did the above in the steps below:
keytool -genkey -keyalg rsa -keysize 2048 -alias myalias -dname "CN=##,O=##,L=##,ST=##,C=##" -keystore mykeystore -storepass mypass
keytool -certreq -alias myalias -file certreq1.pem -keystore mykeystore
keytool -import -trustcacerts -alias myalias1 -file root.crt -keystore mykeystore
keytool -import -trustcacerts -alias myalias2 -file chain.crt -keystore mykeystore
keytool -import -alias myalias3 -file certificate.crt -keystore mykeystore
jarsigner -keystore mykeystore Applet.jar myalias
But still, when I open it in the browser, I am getting the publisher as 'UNKNOWN'.
What am I doing wrong here?
I found what I did incorrectly. While importing the code-signing certificate, I should use the same alias as the original one.
keytool -import -alias myalias -file certificate.crt -keystore mykeystore
Once this is done, it works.
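An added example, not code from either of the two posts above, covering both answers: what keytool sees in a file before you pass it to -import, and what a JKS actually contains after the imports. classify_keytool_input() tells a PEM certificate, a DER certificate, a JKS and a PKCS#12 file apart from their leading bytes (a JKS opens with the magic 0xFEEDFEED, which is why tls.jks is rejected as "not an X.509 certificate"), and list_jks_entries() is a keytool -list in plain Python: it checks the SHA-1 integrity trailer the same way JavaKeyStore does and lists each alias with its entry type and chain length. The two keystores at the bottom are written by build_jks() from constructed placeholder blobs (not real certificates or keys) to mirror the UNKNOWN-publisher post; the aliases myalias to myalias3 and the password mypass come from that post, everything else is assumed for illustration.

```python
# Added example (not from either post): look at a file the way keytool will, before you hand it
# over. Standard library only; the certificate and key bytes below are constructed placeholders.
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2
JKS_DIGEST_SALT = b"Mighty Aphrodite"   # constant JavaKeyStore mixes into its integrity digest

def classify_keytool_input(data):
    """-importcert reads a certificate (PEM or DER); a keystore yields 'Input not an X.509 certificate'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM certificate"
    if data[:4] == struct.pack(">I", JKS_MAGIC):
        return "JKS keystore (not a certificate)"
    if data[:1] == b"\x30" and len(data) > 1:           # outer SEQUENCE: certificate or PKCS#12
        pos = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
        # a Certificate's first child is tbsCertificate (SEQUENCE); a PFX starts with version (INTEGER 3)
        return "DER certificate" if data[pos:pos + 1] == b"\x30" else "PKCS#12 keystore (not a certificate)"
    return "unknown"

def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _read_blob(buf, pos):
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_jks(entries, password):
    """Serialize (tag, alias, encrypted key or None, [cert DER, ...]) tuples as a version-2 JKS."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for tag, alias, key, chain in entries:
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)  # creation time, ms
        if tag == PRIVATE_KEY_ENTRY:
            out += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
        for cert in chain:                       # a trusted entry carries exactly one certificate
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    digest = hashlib.sha1(password.encode("utf-16-be") + JKS_DIGEST_SALT + out).digest()
    return out + digest

def jks_integrity_ok(data, password):
    """The check keytool performs on open: SHA-1(password as UTF-16BE || salt || body) == trailer."""
    expected = hashlib.sha1(password.encode("utf-16-be") + JKS_DIGEST_SALT + data[:-20]).digest()
    return expected == data[-20:]

def list_jks_entries(data, password):
    """keytool -list without Java: (alias, entry type, certificate chain length) per entry."""
    if not jks_integrity_ok(data, password):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS file")
    entries, pos = [], 12
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                              # skip creation time
        if tag == PRIVATE_KEY_ENTRY:
            _, pos = _read_blob(data, pos)                    # encrypted PKCS#8 key, left opaque
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
        else:
            n = 1
        for _ in range(n):
            _, pos = _read_utf(data, pos)                     # certificate type, "X.509"
            _, pos = _read_blob(data, pos)
        entries.append((alias, "PrivateKeyEntry" if tag == PRIVATE_KEY_ENTRY else "trustedCertEntry", n))
    return entries

# Placeholder blobs (constructed): real files would hold DER certificates and an encrypted key.
SELF_SIGNED, CA_SIGNED, INTERMEDIATE, ROOT, ENC_KEY = (b"\x30\x03\x02\x01" + bytes([i]) for i in range(5))

# Keystore as the question left it: the reply went in under a NEW alias, so it became a trusted
# entry and the key entry still carries only the self-signed certificate from -genkey.
WRONG_ALIAS_STORE = build_jks([
    (PRIVATE_KEY_ENTRY, "myalias", ENC_KEY, [SELF_SIGNED]),
    (TRUSTED_CERT_ENTRY, "myalias1", None, [ROOT]),
    (TRUSTED_CERT_ENTRY, "myalias2", None, [INTERMEDIATE]),
    (TRUSTED_CERT_ENTRY, "myalias3", None, [CA_SIGNED]),
], "mypass")

# Keystore after the fix: importing under the key's own alias installs the reply as that entry's
# chain (leaf, intermediate, root), which is the chain jarsigner embeds in the signature.
FIXED_STORE = build_jks([
    (PRIVATE_KEY_ENTRY, "myalias", ENC_KEY, [CA_SIGNED, INTERMEDIATE, ROOT]),
    (TRUSTED_CERT_ENTRY, "myalias1", None, [ROOT]),
    (TRUSTED_CERT_ENTRY, "myalias2", None, [INTERMEDIATE]),
], "mypass")
```

list_jks_entries(WRONG_ALIAS_STORE, "mypass") shows myalias as a PrivateKeyEntry whose chain is still one certificate long (the self-signed one -genkey created) next to a trustedCertEntry myalias3 holding the CA-issued certificate; jarsigner signs with myalias and embeds that one-certificate chain, which is a self-signed identity as far as the browser is concerned. After the import under the key's own alias, the same call reports a three-certificate chain on myalias. On a real keystore, keytool -list -v prints the same information; the "Certificate chain length" line under the signing alias tells you which of the two states you are in.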
