I have to create a KeyStore with a certificate already available in another KeyStore. But when I import that certificate, it is added as a trusted cert entry in the new Keystore.
I have a similar Keystore that works fine. If I do a copy of that Keystore and import it in my Keystore, I'd see that I have 2 private key entry, mine and that of the old Keystore. If I delete my private key and leave the old key, it works.
My question is "how to export the certificate of old Keystore and use it in my new Keystore".
Thanks!
I am installing a wild Card SSL certificate to my keystore which will be used for Apache Tomcat web server.
Description :
My Tomcat Server is installed on windows 2012 server.
And I have certificates provided from COMODO.
The wildcard cert I'm using has already been used previously on a few servers. so I am directly installing same on my apache tomcat server .
so what I've generated a public keystore using keytool providing the same information used while purchasing the certificate using following tool command.
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Then I have attached my certificates to the generated keystore using following commond
For "Comodo" certificates
i.keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystoreselfservice.keystore
And I have used correct chain of installation of certificate like root , all intermediate, primary from above command.
And while installing each certificate i received the following message
"Certificate added to keystore"
Though I have not got any error .
And when i have opened my keystore there were no certificate chain , means there is individual entry of each certificate . but there is no chain hierarchy of certificates like Root then intermediate then primary.
And in my final PI or certifcate, i am getting provider as local first name instead of Comodo .
EXAMPLE :
CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US
Provider must be
CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
So I would like to know which steps I have missed or used any extra steps .
Please provide a solution to install a wild card certificate .
Thanks in advance
You did everything correctly. The trust chain is important for another aspect. If you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.
What you realy need to make the wild card certificate work on you server is to import the private key part of it.
I assume you mean Tomcat using Java SSL (JSSE) not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.
If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate, thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.
You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certficate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepassword and keytool -keypasswd.
If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like
openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx
and then use keytool to convert PKCS#12 to JKS (preferably on the new server)
keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy
Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.
If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificate snapin of mmc, and then convert the PKCS12 to JKS as just above.
If an existing server is something else, add it to the question.
I manage a site www.abc.com which already has a SSL certificate which is expiring in 2 weeks. So I created a .CSR from the existing .JKS file and sent it to the CA. I got back a .PEM and imported the pem file to the existing jks and deleted the old certificate in jks.
When I installed the new jks in web logic server 10.3.6 it threw exception saying the keystore does not have the private key. What would have caused this? Deleting the old certificate using its alias would have deleted the private key as well? Is there a way to check the validity of jks before installing it?
Regards,
Arun
Deleting the old certificate caused the private key to be deleted, recreated the JKS and worked just fine.
We use openssl to generate a self signed root certificate and derive a user certificate from it with Java using the bouncycastle library. The user certificate is used to sign PDF documents again from java with a mix of bouncycastle and openssl.
The root certificate is installed in Adobe Reader, but Adobe reader says, signature is invalid because there is no trusted root certificate in the chain. Authority key identifier of signature certificate matches subject key identifier of root certificate even inside Adobe Reader. If the root certificate and the user certificate are installed in windows key store, the certificate chain is shown.
If we derive the user certificate with openssl instead of Java/bouncycastle and sign a pdf with it, everything looks fine, but the java generated certificate fails.
What am I doing wrong?
Root Certificate is <Root Cert>
PDF signed with openssl generated certificate: <openssl pdf>
How can I add the "Server Authentication" EKU to a CSR or private key using Keytool?
Here is what i'm doing:
Generate key-pair with ">Keytool -genseckey -dname="CN="my.server.com" ...
Generate CSR using the key-pair created in step #1.
Submitting the CSR to a Windows Enterprise CA, asking for a Web Server cert.
The CA rejects the CSR with "The certificate is not valid for the requested usage.". How can I add the "requested usage" using keytool so that the CA will issue the cert?
You can do this only with the JDK7 or later version of keytool. OpenJDK 7 should have this version.