I manage a site www.abc.com which already has a SSL certificate which is expiring in 2 weeks. So I created a .CSR from the existing .JKS file and sent it to the CA. I got back a .PEM and imported the pem file to the existing jks and deleted the old certificate in jks.
When I installed the new jks in web logic server 10.3.6 it threw exception saying the keystore does not have the private key. What would have caused this? Deleting the old certificate using its alias would have deleted the private key as well? Is there a way to check the validity of jks before installing it?
Regards,
Arun
Deleting the old certificate caused the private key to be deleted, recreated the JKS and worked just fine.
Related
I need help, first of all, in any of stackoverflow posts I can't found a correct answer.
I'm tring to set my Web application in tomcat server with SSL using Keytool and Certbot
First I used Certbot and generated the respectives .pem files (privkey.pem, fullchain.pem, etc).
After that I did this steps:
Add with OpenSSL my privkey.pem to JKS
My password is too simple "123456", impossible to forget. (I'm just trying)
After that I convert the pkcs12 to JKS with:
Finally Add the chain.pem to my Keystore. In this step I enter the password that I entered previously. And I get the meesage:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
If I edit my server.xml file in Tomcat server with connector 8443 and my keystore, when I start server I get the same error in catalina.out.
The password of your MyDSKeyStore.jks file is '-destkeypass', as a consequence of the way keytool parses the second commandline you used: -deststorepass should be followed be the password. In your case it is followed by -destkeypass.
Remark: Your question seems to be na XY problem: you want to configure a Tomcat SSL connector using certificates in PEM format, so you ask how to transform a PEM certificate into JKS. While the procedure you show is almost correct, it is useless on modern Tomcat's (cf. this answer): Tomcat supports PKCS12 files since version 5.5 at least and supports certificates in PEM format since version 8.5. There is no need to convert anything.
I have to create a KeyStore with a certificate already available in another KeyStore. But when I import that certificate, it is added as a trusted cert entry in the new Keystore.
I have a similar Keystore that works fine. If I do a copy of that Keystore and import it in my Keystore, I'd see that I have 2 private key entry, mine and that of the old Keystore. If I delete my private key and leave the old key, it works.
My question is "how to export the certificate of old Keystore and use it in my new Keystore".
Thanks!
I want to enable SSL for my spring boot application.
I generated a keystore with this command:
keytool -genkey -alias myapp -keyalg RSA -keystore tomcat.keystore
application.properties contains:
server.port = 8443
server.ssl.key-store = classpath:tomcat.keystore
server.ssl.key-store-password = ###
server.ssl.key-password = !&*
server.ssl.enabled=true
First I had created JKS key store with this command:
keytool -genkey -alias tomcat -keystore keystore.jks -validity 3650
But I received error when visited https://localhost:8443:
This site can’t provide a secure connection
localhost uses an unsupported protocol.
Why it's working now and not then ?
I have a few other questions:
1.I looked at a few tutorials and they all suggested to put the keystore file in src/main/resources. Is this really a good idea?
2.What is the key-store-password? what is the key-password?
3.Is this all we have to do to enable SSL ? what about crt and cer files? where are they used ?
About localhost uses an unsupported protocol. make sure the server is supporting a cipher which client can support.
This site can’t provide a secure connection, the message could be becasue the connection is not trusted! of course. here you would simply tell the client to ignore it.
You also set an alias in your JKS file, make sure you tell the server to load the correct alias.
placing the JKS in src/main/resources could be a good practice, but not essential, just make sure it's safe and accessible.
crt and cer are not required explicitly for java, but once you get a signed certificate by a CA, you would import the cert into the JKS to let the server finds the intermediate and root certs(if exists, root is not essential)
Once you generate a key by keytool, just keep the file safe. You need to generate the CSR value, also the same jKS is needed for trusted cert importing.
I also suggest to get some hand of OpenSSL(if possible) over JSSE.
i got CA signed certificate with root and intermediate certificates.
I tried to install certificate in a lot of ways.
But in result after converted storage.jks to txt file.
i saw that my certificate added as Entry type: trustedCertEntry.
Can i install CA signed certificate in storage.jks without private key which use for generate csr file ?
I am installing a wild Card SSL certificate to my keystore which will be used for Apache Tomcat web server.
Description :
My Tomcat Server is installed on windows 2012 server.
And I have certificates provided from COMODO.
The wildcard cert I'm using has already been used previously on a few servers. so I am directly installing same on my apache tomcat server .
so what I've generated a public keystore using keytool providing the same information used while purchasing the certificate using following tool command.
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Then I have attached my certificates to the generated keystore using following commond
For "Comodo" certificates
i.keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystoreselfservice.keystore
And I have used correct chain of installation of certificate like root , all intermediate, primary from above command.
And while installing each certificate i received the following message
"Certificate added to keystore"
Though I have not got any error .
And when i have opened my keystore there were no certificate chain , means there is individual entry of each certificate . but there is no chain hierarchy of certificates like Root then intermediate then primary.
And in my final PI or certifcate, i am getting provider as local first name instead of Comodo .
EXAMPLE :
CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US
Provider must be
CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
So I would like to know which steps I have missed or used any extra steps .
Please provide a solution to install a wild card certificate .
Thanks in advance
You did everything correctly. The trust chain is important for another aspect. If you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.
What you realy need to make the wild card certificate work on you server is to import the private key part of it.
I assume you mean Tomcat using Java SSL (JSSE) not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.
If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate, thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.
You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certficate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepassword and keytool -keypasswd.
If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like
openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx
and then use keytool to convert PKCS#12 to JKS (preferably on the new server)
keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy
Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.
If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificate snapin of mmc, and then convert the PKCS12 to JKS as just above.
If an existing server is something else, add it to the question.