I'm trying to use KeyStore in order to get info from a keystore.
I've generated the keystore using this command:
keytool -genkey -alias server -keyalg RSA -keystore server.keystore -validity 365 taken this page.
Checking its info keytool -list -v -keystore server.keystore I get the following:
Alias name: server
Creation date: Apr 30, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
(other info here)
Using this command: keytool -list -keystore server.keystore -alias server I get this:
server, Apr 30, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 28:65:5B:0C:B3:3C:C9:AA:F1:7C:CE:91:23:77:DD:0D:F8:54:70:B9
Now, my java code:
keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(getClass().getResourceAsStream(KEYSTORE_FILE_PATH), "myPass".toCharArray());
keyStore.getCertificate("server").getPublicKey().getEncoded(); //here I get a null pointer exception - keystore.getCertificate("server") returns null.
Doing keyStore.aliases() returns an EmptyEnumeration.
The application uses maven, java ee 7 and I've copied the keystore file in the resources folder of my application. KEYSTORE_FILE_PATH has the value of "/server.keystore".
Thanks.
Class.getResourceAsStream() returns null when there is no resource with the specified name.
KeyStore.load() resets the key store to the empty state when passed a null input stream.
It means that at runtime your code does not find the keystore resource and silently proceeds with the empty keystore.
add a guarding condition that checks that getResourceAsStream() returned non-null value before passing it value into KeyStore.load().
review your code and building/packaging process in maven to ensure that keystore file is present at the proper location.
There are some questions about getResourceAsStream() that can be of help for you.
Related
I have a keystore with 16 certificates inside. different aliases.
When I use this keystore in SiapUi/ReadyApi and hit the url:
https:x.y.z.com/...
I can see the 200 response successfully.
So,When I view the keystore by:
keytool -list -v -keystore keystore.jks
I expect to see word "x.y.z.com" in CN or SubjectAlternativeName But I couldn't!!!
But I can find:
a.b.z.com and a.y.z.com
I have created a self signed certificate using the following command:
keytool -genkeypair -keyalg RSA -alias test-api -keystore test-api.p12 -storepass password -validity 3650 -keysize 2048 -storetype pkcs12
I then imported this keystore into new truststore:
keytool -import -trustcacerts -alias test-api-2018 -file test.crt -keystore trusted-keystore.p12 -storetype pkcs12
In Java, creating a custom SSL store provider (org.springframework.boot.context.embedded.SslStoreProvider). As a part of it, loaded keystore and truststore using the following Java code:
try {
try (final InputStream keyStoreStream = new ByteArrayInputStream(Base64.decode(keyStoreEncoded))) {
keyStore = KeyStore.getInstance(KEYSTORE_TYPE_PKCS12);
LOGGER.info("Loading a KeyStore object based on the decoded value.");
keyStore.load(keyStoreStream, serverSslKeyPassword.toCharArray());
}
....
trustStore.load(trustStoreStream, serverSslTrustStorePassword.toCharArray());
}
Created custom implementation of EmbeddedServletContainerCustomizer and set SSL Provider:
public void customize(final ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
configurableEmbeddedServletContainer.setSslStoreProvider(awsSslStoreProvider);
}
Application fails to start because of the following error:
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:253)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
... 19 common frames omitted
I just jad this problem to today, the problem occurs when the security config in the application.properties file isnt configured properly, this causes the certificate chain to break.
in my case i used
server.ssl.key-password=123456789
instead of
server.ssl.key-store-password=123456789
minor issues like this can cause issues.
This also happens when using BouncyCastle as PKCS12 key store provider and the key alias is using incorrect upper case.
E.g. (incorrect):
server.ssl.key-alias=17B2E92E5694C7AE11A65C4A4EBFC75558399E05
instead (correct):
server.ssl.key-alias=17b2e92e5694c7ae11a65c4a4ebfc75558399e05
The strange thing about this error is that the key is found, so obviously is not case sensitive, but the check for ks.getCertificateChain(keyAlias) is.
I have a blah.p7b certificate type PKCS#7 which i want to import it to a java keystore using keytool in order to enable HTTPS on tomcat , i don't have the alias name and keystore when the certificate was generated i took it from the client whose want to enable https on our web-application server that they use, can this works without having the original alias name and keystore ?
when i tried to import the certificate i used this command
keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
but it gives me this error
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mydomain>
Please help...
If you haven't got the original KeyStore you are hosed. You have to generate a new KeyStore, a new keypair, a new CSR, get it signed, and then import the signed cert and its chain into the KeyStore using the same alias as the keypair.
keytool command is supposed to generate public-private key pairs. I use the following command to generate the public-private key pair:
keytool -genkey -alias test -keystore test keystore -validity 1000
If I open and see the keystore , I see the following:
C:\Program Files\Java\jdk1.7.0_25\bin>keytool -list -keystore testkeystore Enter keystore password:
Keystore type: JKS Keystore provider: SUN
Your keystore contains 1 entry
test, May 1, 2016, PrivateKeyEntry, Certificate fingerprint (SHA1): 0C:FB:51:84:1C:3F:74:C7:1C:F9:F1:DE:E6:89:90:E6: 39:78:F3:FD
I am confused as to what is the public key here and what is the private key here. Can anyone help ?
The entry contains both the private key and a self-signed certificate containing the public key.
I have imported a certificate into a private ~/.keystore file:
keytool -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mylyn-mantis, Jul 15, 2010, trustedCertEntry
and am trying to sign a jar with it, but I get a 'certificate chain not found' error.
jarsigner -verbose /home/robert/file.jar mylyn-mantis
jarsigner: Certificate chain not found for: mylyn-mantis. mylyn-mantis must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
How can I solve this problem?
It seems that your keystore contains only a certificate (public key) you need a complete key entry, with a private key, and the whole certificate chain to be able to sign anything
Short Answer
Use your alias key instead of key store like this:
jarsigner -verbose -keystore [Your signature storage path] -signedjar [signed filename] [unsigned filename] [Your alias key]
More Details
Here are the easiest way to solve this error:
Go to bin folder .. it may be in this path:
C:\Users[Your computer name]\jdk\bin
or this path:
C:\Program Files\Java\jre1.8.0_77\bin
To prevent issues caused by the configuration of environment variables, please copy both the empty package to be signed, and your key store [the private key for signature] to the bin directory under JDK.
Get your alias key by run this command:
keytool -keystore [your key store] -list -v
Finally run this command:
jarsigner -verbose -keystore [Your signature storage path] -signedjar [signed filename] [unsigned filename] [Your alias key]
I faced same issue. I am having .p12 file issued by CA and I was trying to sign jar file. However I was getting error:
jarsigner: Certificate chain not found for:
Basically I was copying alias name from console. It was having wrong character 'question mark' (?) causing this error. Instead I redirected output of keytool to text file and then I copied alias name from there.
Issue this command:
keytool -list -v -storetype pkcs12 -keystore "mycertificate.p12" > cert.txt
(This is very important. Always redirect to txt file. Do not copy from console output. It can contain wrong characters)
Find out alias name in certificate. Open cert.txt and copy string as it is mentioned in front of "Alias name:"
Let's say this string is "my alias name, a.p.’s my ca limited id"
Use jarsigner:
jarsigner -storetype pkcs12 -keystore "mycertificate.p12" myjarfile.jar "my alias name, a.p.’s my ca limited id"
I had this error, but it was a different issue. When you send off a CSR to a CA it comes from a particular private key with a particular alias that you generated. When you receive the cert back again you must import it using the same alias name or else the two certs will not be wired together.
If you have done it right, when you use keytool -list -v you wil see a single entry with the alias name, of type
Entry type: PrivateKeyEntry
Certificate chain length: 3
For the entry.
If you have done it wrong the you will have two entries
Entry type: PrivateKeyEntry
Certificate chain length: 1
and
Entry type: trustedCertEntry
I encountered this error because I was using a Jenkins "certificate" credential. The Jenkins credential configuration dialog has a text box called Description, whose help says it is a free comment describing the credential. In fact, the Jenkins pipeline block withCredentials uses the Description text box to populate the environment variable named in the aliasVariable property.
withCredentials([certificate(
credentialsId: my_credentials,
keystoreVariable: 'MY_KEYSTORE',
aliasVariable: 'MY_ALIAS', // Set value in Description textbox
passwordVariable: 'MY_PASSWORD')]) {
bat 'mvn clean deploy -Dmy.keystore=%MY_KEYSTORE% -Dmy.alias=%MY_ALIAS% -Dmy.password=\"%MY_PASSWORD%\"'
}
This is not mentioned in the Jenkins documentation.
mylyn-mantis should be the actual alias name you used when you generate the signing key.