I am trying to install an SSL certificate in Tomcat7. This is what I have done so far.
Installed the SSL certificate received by email:
sudo ./keytool -import -trustcacerts -alias download.addressdoctor -keystore /usr/local/tomcat7/bin/keystore.jks -file /usr/local/tomcat7/conf/certx509.cer
Installed the intermediate certificate:
sudo ./keytool -import -trustcacerts -alias intermediate -keystore /usr/local/tomcat7/bin/keystore.jks -file /usr/local/tomcat7/conf/combined.cer
These are my entries in the keystore:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: adnewkey
Creation date: Sep 10, 2014
Entry type: trustedCertEntry
Owner: CN=website.com, OU=IT, O=company, L=City, ST=state, C=country
*******************************************
*******************************************
Alias name: mykey
Creation date: Sep 10, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=website.com, OU=IT, O=company
Now if I try to check the certificate through https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
it says it is a self-signed certificate, whereas I installed the certificate received from VeriSign. If I remove the entry with alias "mykey", it shows the error "no root certificate found".
Can you please help me point out what I am doing wrong? Also, for serving an SSL certificate, what values should be present in the keystore?
Thanks,
How can I replace a new intermediate CA Certificate in a keystore file?
Hi,
I have a keystore file running on a server to support Tomcat TLS/HTTPS services.
In this keystore file, there are 3 certificates -
end certificate (tomcat)
intermediate CA Certificate (my_ssl_ca_v2_b)
Root CA Certificate (my_root_ca)
Here is the cert list.
C:\Program Files\Java\jre1.8.0_144\bin>keytool.exe -list -keystore C:\mycert\my.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
tomcat, Oct 10, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:15:E8:D0:46:A8:8D:1F:93:52:9D:54:35:48:69:71:ED:49:44:65
my_ssl_ca_v2_b, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:C3:60:CB:C6:91:0A:90:E4:0G:91:BE:3B:A6:D7:5B:C3:7B:8A:0F
my_root_ca, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 6C:23:89:FA:A8:E5:7D:E1:45:BE:75:84:15:E8:D8:41:73:59:FD:19
It was working fine.
A couple of days ago, the intermediate CA Certificate in the file expired. I got the new, updated intermediate CA Certificate later.
Now, the question is - how can I replace the expired intermediate CA Certificate in the keystore file with the new one?
I understand I can use keytool -delete and -import option to delete and re-import the intermediate CA my_ssl_ca_v2_b.
However, how can I replace the intermediate CA cert inside the PrivateKeyEntry (alias tomcat) in the keystore file, as follows?
**Alias name: tomcat**
Creation date: Oct 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
...
...
Certificate[2]:
Owner: CN=My SSL CA v2 - A, O=eBay Inc, C=US
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 6800000004b4491dd58df45b9b000000000004
**Valid from: Wed Oct 14 18:35:33 UTC 2015 until: Wed Oct 14 18:45:33 UTC 2020**
...
...
Certificate[3]:
Owner: CN=My Root CA, O=eBay Inc, C=us
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 4500888247008e884cd02d71a035810e
I can't use the keytool -delete and -import options to delete and re-import the alias tomcat with the End Cert file, because that will delete the private key as well, and the private key will never come back.
Can you please teach me the exact steps to replace an intermediate CA Certificate in a keystore? Thanks a lot!
-Jun
This isn't really a programming or development question, even though you use the result on tomcat, and may get closed.
You need to create a file containing the whole chain -- end-entity, intermediate and root certs, in that order, in PEM. If you don't already have the EE cert in PEM you can extract it with keytool -export[cert] -keystore ksfile -alias tomcat -rfc -file eecert. Obviously you have the new intermediate cert that you just got, and if you don't have the root already (and it didn't change) export that also. You can combine the files with cat a b c >d on Unix or COPY a+b+c d on Windows, or use any text editor you like. Then import it to the privatekey entry like keytool -import[cert] -keystore ksfile -alias tomcat -file chainfile.
I have two Spring Boot applications each running in their own docker container.
One is REST Client and the other is REST API.
When the client calls the API (i.e. GET https://localhost:8443/api/someResource), I get the following error:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Each Spring Boot app has its own keystore and self-signed certificate stored in src/main/resources/keystore.p12. Here's what I have in the application.yml files:
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: somethingsecure
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: client or server (depending which .yml file you're looking at)
I tested this outside of Docker and everything worked fine! I simply exported the API certificate out of the keystore.p12 file and imported it into my JRE cacerts file.
You can see from my REST Client Dockerfile, I do the same thing there:
FROM openjdk:8-jdk-alpine
EXPOSE 8443
WORKDIR /usr/src/app
COPY client.jar client.jar
COPY server.crt server.crt
RUN keytool -v -import -noprompt -alias server -file server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "client.jar"]
I've turned SSL debugging on and can see the following:
trustStore is: /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
...
adding as trusted cert:
Subject: CN=localhost, OU=Development, O=Microgen, L=Fleet, ST=Hampshire, C=UK
Issuer: CN=localhost, OU=Development, O=Microgen, L=Fleet, ST=Hampshire, C=UK
Algorithm: RSA; Serial number: 0x4c1fbbc3
Valid from Mon Apr 16 09:49:33 GMT 2018 until Tue Apr 16 09:49:33 GMT 2019
Any ideas?
Thanks,
Ben
I am no expert, but when exporting the certificate and importing it, I wonder if in your new location the certificate chain is the same as in the location you took it from.
Here is a link that might provide some insight, under the Cause section:
https://confluence.atlassian.com/kb/connecting-to-ssl-services-802171215.html
I've managed to figure this out this morning. The server certificate was simply corrupt, and since regenerating it, this works.
I have successfully imported the certificate with the command below:
keytool -import -alias "alias-name" -file "C:\somepath\Certificate\portal.cer" -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\cacerts"
Now I am trying to delete the imported certificate with
keytool -delete -alias "alias-name" -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\cacerts" -storepass changeit
But I end up with the error message below:
KeyTool error : java.lang.Exception : Alias does not exist
For Ubuntu / Linux
List all entries from your keystore with their respective alias:
keytool -list -v -keystore "myKeyStore.jks" -storepass myPassword
The verbose option '-v' is important in order to see the aliases.
Example output:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: 1
Creation date: Dec 4, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=yourname.com, O=Your Name, C=XX
Issuer: CN=Issuer CA, O=Issuer Name, C=XX
Serial number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Valid from: Mon Feb 25 10:04:56 GMT 2019 until: Wed Feb 24 10:04:56 GMT 2021
Certificate fingerprints:
SHA1: 9F:35:31:B1:A9:C2:37:8D:61:2F:9B:ED:82:3F:45:26:E1:D9:18:83
SHA256: 34:65:C8:B6:4D:24:9D:20:3C:24:7B:B7:7B:F5:6B:F3:BE:79:11:BE:4F:8C:21:D2:9E:86:CC:AD:17:84:01:C4
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
...
Check if the alias exists. You can list all entries using:
keytool -list -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\cacerts" -storepass changeit
This command will show all existing aliases in the file. If it's not there, that's why you can't delete it.
Sometimes you may get this error even when the alias is present in the keystore. This may be because you are not passing the alias name properly as an argument.
Ex: letsencryptisrgx1 [jdk]
In the above alias name you can see the square brackets, which were the issue in my case.
When I give the entire name in double quotes, it works:
$JAVA_HOME/bin/keytool -list -v -alias "letsencryptisrgx1 [jdk]" -keystore $JAVA_HOME/lib/security/cacerts
Is there a way in keytool to print the public key of a certificate? I tried:
keytool -printcert -file client.crt
But it gives only the following information:
Owner: CN=client, OU=as, O=as, L=as, ST=as, C=as
Issuer: EMAILADDRESS=as, CN=ca, OU=as, O=as, L=as, ST=as, C=as
Serial number: 3
Valid from: Tue Apr 10 12:18:47 GMT+05:30 2012 until: Wed Apr 10 12:18:47 GMT+05:30 2013
Certificate fingerprints:
MD5: 26:C0:29:E9:8C:AB:C3:9E:95:38:74:8A:87:D3:86:8D
SHA1: 5C:5A:BA:47:44:83:7E:CB:48:BE:DD:E5:39:51:24:42:C6:C5:60:8B
SHA256: DA:26:B8:C8:F4:04:3E:62:F3:7F:3B:EC:1D:9F:85:66:28:00:45:55:66:15:FF:BB:37:77:97:59:F0:EC:0B:B6
Signature algorithm name: SHA1withRSA
Version: 1
There is no public key in this.
You can do it with:
keytool -list -rfc -keystore mykeystore.jks -alias certificate_alias -storepass password
Example run:
PS c:\sample> keytool -list -rfc -keystore mykeystore.jks -alias cert_alias -storepass password
Alias name: cert_alias
Creation date: Apr 25, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
You can do that with openssl.
If this certificate is DER-encoded (binary), use:
openssl x509 -inform der -in client.crt -pubkey -noout
For PEM-encoded, use the -inform pem option (or no -inform at all).
To see details of public key, use:
openssl x509 -inform der -in client.crt -pubkey -noout | openssl rsa -pubin -text -noout
You can print the cert in PEM format, then use openssl to print the public key from the PEM.
Add the -rfc option to -printcert:
keytool -printcert -rfc -file client.crt
Save the output, like below, to a file client.pem:
-----BEGIN CERTIFICATE-----
MIIB4zCCAUygAwIBAgIIRzI14w7rL20wDQYJKoZIhvcNAQENBQAwMzELMAkGA1UEBhMCVVMxDTAL
......
-----END CERTIFICATE-----
Then use openssl:
openssl x509 -inform pem -text -in client.pem
So you get the public key.
keytool -list -rfc just prints the base64-encoded version of the whole certificate, not the public key. Keytool doesn't support printing the public key of a certificate. We can use openssl for this purpose:
keytool -export -alias myalias -keystore mystore.jks | openssl x509 -inform der -pubkey -noout
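An added example, not taken from any of the posts above, that does in pure Python what the openssl pipelines above do, since keytool itself never prints the key: it walks the DER structure of a certificate to pull out the SubjectPublicKeyInfo as a PEM "PUBLIC KEY" block, and it computes the colon-separated MD5/SHA1/SHA256 fingerprints that keytool -printcert shows, which are simply digests of the whole DER encoding. The certificate it parses is a constructed, structurally valid sample with dummy key and signature bytes, not a real one; for a real certificate, feed pem_to_der() the output of keytool -printcert -rfc.

```python
import base64
import hashlib

def der_tlv(buf, pos=0):
    """Decode one DER TLV starting at pos; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_elements(content):
    """Split a SEQUENCE body into its element TLVs, each as raw bytes including the header."""
    out, pos = [], 0
    while pos < len(content):
        out.append(content[pos:der_tlv(content, pos)[2]])
        pos += len(out[-1])
    return out

def subject_public_key_info(cert_der):
    """Raw DER of tbsCertificate.subjectPublicKeyInfo, i.e. what 'openssl x509 -pubkey' prints."""
    _, cert_body, _ = der_tlv(cert_der)           # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    fields = der_elements(der_tlv(cert_body)[1])  # tbsCertificate ::= SEQUENCE { ... }
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version comes first (v3 certs)
        fields = fields[1:]
    return fields[5]  # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo

def pem_to_der(pem):
    """Decode a PEM block, e.g. the output of 'keytool -printcert -rfc' or 'keytool -list -rfc'."""
    return base64.b64decode("".join(l for l in pem.splitlines() if l and not l.startswith("-----")))

def spki_pem(cert_der):
    b64 = base64.b64encode(subject_public_key_info(cert_der)).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END PUBLIC KEY-----\n"

def fingerprints(cert_der):
    """keytool-style fingerprints: digest over the whole DER certificate, colon-separated uppercase hex."""
    return {a.upper(): ":".join(f"{b:02X}" for b in hashlib.new(a, cert_der).digest()) for a in ("md5", "sha1", "sha256")}

# Constructed sample: structurally valid X.509 DER with fake key and signature bytes (not a real certificate).
def _der(tag, content):
    n, k = len(content), (len(content).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + content

def _alg_id(oid_hex):
    return _der(0x30, bytes.fromhex(oid_hex) + b"\x05\x00")  # AlgorithmIdentifier { OID, NULL }

SAMPLE_SPKI = _der(0x30, _alg_id("06092A864886F70D010101") + _der(0x03, b"\x00" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x03") + _alg_id("06092A864886F70D01010B")
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"120410121847Z") * 2) + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _alg_id("06092A864886F70D01010B") + _der(0x03, b"\x00" + bytes(128)))
```

The OIDs embedded in the sample are rsaEncryption (1.2.840.113549.1.1.1) and sha256WithRSAEncryption (1.2.840.113549.1.1.11); the fake key bit string is only there so the parser has realistic long-form lengths to handle.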
I want to use Google Maps in my application. I have followed this tutorial to generate the MD5 fingerprint of my eventappkey.keystore. But keytool generates a SHA1 fingerprint instead of MD5, due to which I am unable to register for the Google API, as Google accepts the MD5 fingerprint of the keystore.
I have looked at other answers which suggest using jdk1.6. But is there a better way so that I do not need to move to jdk1.6? Any suggestion would be greatly appreciated.
If you add the -v (verbose) option to your command line, like
keytool -v -list -alias alias_name -keystore my-release-key.keystore
it should show you the MD5 fingerprint.
If you use Android Studio, then use this method:
Syntax:
keytool -list -v -keystore "%USERPROFILE%\.android\debug.keystore" -alias androiddebugkey -storepass android -keypass android
Example:
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -list -v -keystore c:\users\your_user_name\.android\debug.keystore -alias androiddebugkey -storepass android -keypass android
keytool error: java.lang.Exception: Keystore file does not exist: c:\users\your_user_name\.android\debug.keystore
java.lang.Exception: Keystore file does not exist: c:\users\your_user_name\.android\debug.keystore
at sun.security.tools.KeyTool.doCommands(KeyTool.java:738)
at sun.security.tools.KeyTool.run(KeyTool.java:340)
at sun.security.tools.KeyTool.main(KeyTool.java:333)
C:\Program Files\Java\jdk1.7.0_71\bin>keytool -list -v -keystore C:\Users\srinivas\.android\debug.keystore -alias androiddebugkey -storepass android -keypass android
Alias name: androiddebugkey
Creation date: Apr 8, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Serial number: 4e7c69e7
Valid from: Wed Apr 08 15:17:20 IST 2015 until: Fri Mar 31 15:17:20 IST 2045
Certificate fingerprints:
MD5: 9D:C3:05:CB:FF:CA:06:31:8C:FC:FE:44:6C:94:BC:90
SHA1: 2F:88:EF:9D:1B:3E:35:87:18:7D:56:B5:95:83:9A:EF:C1:B3:25:B4
SHA256: 0F:D2:BC:2C:58:1B:16:3D:E3:5C:76:7D:C3:49:3A:A0:9D:95:4E:3E:6B:71:0B:F7:2B:23:72:54:B8:57:62:A2
Signature algorithm name: SHA256withRSA
Version: 3