I have created a public/private key pair using the KeyPairGenerator class in Java. From this key pair I have generated the CSR request using the PKCS10 class, which has been sent to a CA for verification. The question is: how do I load this public/private key pair into a keystore? I can't use KeyStore.SetKeyEntry as it requires a certificate parameter along with the private key.
I thought that I would have to wait for the CA to send back a certificate, which should then be used for loading the key pair. But if I create the keystore using the keytool command
keytool -genkey -keyalg RSA -keysize 2048 -sigalg sha1withRSA -alias aliasname -validity 365 -keystore keystorename
and then load this keystore into the Java KeyStore class, the keystore object contains a PrivateKeyEntry and a CertificateEntry. How is this possible without obtaining a certificate back from the CA?
The keytool command that you used creates a self-signed certificate. When you receive the new certificate signed by the CA, you can import that certificate into the keystore, which will then replace the self-signed certificate.
About your Java question, you will either need to generate a self-signed certificate based on the public key that you created (and signed by the private key), or you will need to wait for the CA to return your signed certificate and use that with the private key in SetKeyEntry.
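The two routes named in this answer, written out as an added example (not the asker's or answerer's code): a self-signed placeholder certificate goes into the store with the private key, and the CA reply later replaces it under the same alias, after checking that the reply actually certifies the stored key. Assumes the BouncyCastle bcpkix library for building the certificate; the alias, file names and password are constructed sample values.

```java
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyEntryWithPlaceholderCert {
    // Self-signed placeholder for a fresh key pair, signed with its own private key
    // (this is what keytool -genkey does for you). Requires BouncyCastle bcpkix.
    static X509Certificate selfSign(KeyPair kp, String dn) throws Exception {
        X500Name name = new X500Name(dn);
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, BigInteger.valueOf(now), new Date(now),
                new Date(now + 365L * 24 * 60 * 60 * 1000), name, kp.getPublic());
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    // When the CA reply (PEM or PKCS#7 file) arrives, replace the placeholder under the
    // SAME alias, after checking that the reply certifies the key already stored there.
    static void installCaReply(KeyStore ks, String alias, char[] pass, String replyFile) throws Exception {
        Certificate[] chain;
        try (FileInputStream in = new FileInputStream(replyFile)) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
        }
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pass);
        if (priv == null || !ks.getCertificate(alias).getPublicKey().equals(chain[0].getPublicKey())) {
            throw new IllegalArgumentException("Certificate reply does not contain public key for " + alias);
        }
        ks.setKeyEntry(alias, priv, pass, chain); // overwrites the self-signed placeholder
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        char[] pass = "changeit".toCharArray(); // constructed sample password
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                    // start with an empty store
        ks.setKeyEntry("server", kp.getPrivate(), pass, new Certificate[] { selfSign(kp, "CN=placeholder") });
        try (FileOutputStream out = new FileOutputStream("server.p12")) { ks.store(out, pass); }
        // later, once the CA has answered: installCaReply(ks, "server", pass, "reply.p7b");
    }
}
```

The public-key comparison in installCaReply is the same check that makes keytool refuse a reply with "Certificate reply does not contain public key" when the alias holds a different key pair.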
I have a blah.p7b certificate of type PKCS#7 which I want to import into a Java keystore using keytool in order to enable HTTPS on Tomcat. I don't have the alias name and keystore from when the certificate was generated; I took it from the client who wants to enable HTTPS on the web application server that they use. Can this work without having the original alias name and keystore?
When I tried to import the certificate I used this command
keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
but it gives me this error:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mydomain>
Please help...
If you haven't got the original KeyStore you are hosed. You have to generate a new KeyStore, a new keypair, a new CSR, get it signed, and then import the signed cert and its chain into the KeyStore using the same alias as the keypair.
I'm using Not-yet-commons-SSL to develop my own TLS socket.
But I always get "No private keys found in keystore" with the following code:
private SSLServer sslS = null;
// ...
sslS = new SSLServer();
KeyMaterial km = new KeyMaterial(certChain, privateKeyFile, certPassword.toCharArray(), privateKeyPassword.toCharArray());
When certChain was the original JRE's cacerts:
C:/Program Files/Java/jre1.8.0_101/lib/security/cacerts
this gives me a java.security.KeyStoreException: No private keys found in keystore!
When certChain was my own:
keytool -certreq -alias 127.0.0.1 -keystore ServerKey.jks -file 127.0.0.1.csr
this gives me a java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
But I am 100% sure that my password is right. My password is simply "123456"; there is no way I could have got it wrong.
I generated the private key with:
keytool -genkey -alias 127.0.0.1 -keyalg RSA -keystore ServerKey.jks -keysize 2048
How can I solve this problem? Any suggestions?
The keytool command is supposed to generate public-private key pairs. I use the following command to generate the public-private key pair:
keytool -genkey -alias test -keystore testkeystore -validity 1000
If I open the keystore, I see the following:
C:\Program Files\Java\jdk1.7.0_25\bin>keytool -list -keystore testkeystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
test, May 1, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0C:FB:51:84:1C:3F:74:C7:1C:F9:F1:DE:E6:89:90:E6:39:78:F3:FD
I am confused as to which is the public key here and which is the private key. Can anyone help?
The entry contains both the private key and a self-signed certificate containing the public key.
I'm facing a problem right now and I can't understand why I can't read a KeyStore on Java 6. The piece of code is like this:
KeyStore ks = KeyStore.getInstance("jks");
FileInputStream file = new FileInputStream(<path to file>);
ks.load(file, <password>);
String alias = (String)ks.aliases().nextElement();
PrivateKey key = (PrivateKey)ks.getKey(alias, ConstantsUtils.CERT_PASS.toCharArray());
Certificate[] chain = ks.getCertificateChain(alias);
I'm using this certificate to sign a PDF from Java code, but the variables key and chain stay null, so the keystore can't retrieve my private key.
The keystore was created by keytool importing a certificate with the following line (Windows 7):
C:\Program Files\Java\jdk1.6.0_37\bin>keytool -importcert -file "<path to cert>" -keystore <path to keystore> -alias "<alias>" -keypass <password> -storepass <password>
The imported certificate is from a third party and should work properly. I don't know if something is wrong with importing the certificate or if I'm coding something in a bad way.
You're importing a certificate. Unless it corresponds to a private key already in the KeyStore, and you don't agree to the 'trust CA certs?' prompt, this will create a trusted certificate, and looking for it via a PrivateKey will fail.
And if you're importing a certificate from a third party, you won't have their private key, unless they are spectacularly incompetent.
In short what you're doing doesn't make sense.
Well, finally I found the ultimate solution.
My problem was that I had 2 files, one a certificate (we'll call it certificate.crt) and the other one the private key (we'll call it private_key.pem). As EJP said previously, the problem was around the private key import process. I had 2 different files, so I was importing just the certificate.crt file into a .jks file, and private_key.pem gave me an error when I tried to import it (obviously). So my solution was to merge both files (certificate.crt and private_key.pem) into one PKCS#12 file with this command:
openssl pkcs12 -inkey private_key.pem -in certificate.crt -export -out certificate.pfx
Now, the new certificate.pfx is a keystore which contains the public and private key, correctly formatted, so with some changes in my code it was possible to obtain the private key and sign my document:
KeyStore ks = KeyStore.getInstance("PKCS12");
FileInputStream file = new FileInputStream(<path to .pfx file>);
ks.load(file, <password>);
String alias = (String)ks.aliases().nextElement();
PrivateKey key = (PrivateKey)ks.getKey(alias, ConstantsUtils.CERT_PASS.toCharArray());
Certificate[] chain = ks.getCertificateChain(alias);
So that's all. Thank you EJP, I was misunderstanding you, and you made me think in the right way. I was facing this for four days so I'm pretty hyped up right now.
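An added example (not code from either answer above) that makes the difference between a PrivateKeyEntry and a trustedCertEntry visible before calling getKey: it loads a JKS or PKCS#12 file, labels each alias by entry type, and only asks for the private key from an alias that actually holds one. This also answers the earlier question about where the public key lives: it is inside the certificate of the entry. The class name and command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Collections;

public class KeyStoreEntryInspector {
    // Load a JKS or PKCS#12 file; the type must match what keytool or openssl produced.
    static KeyStore load(String type, String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    // First alias that holds a private key, or null if the store only has trusted
    // certificates (the situation that keytool -importcert on its own produces).
    static String firstKeyAlias(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // usage: java KeyStoreEntryInspector PKCS12 certificate.pfx <store password>
        char[] pass = args[2].toCharArray();
        KeyStore ks = load(args[0], args[1], pass);
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            Certificate cert = ks.getCertificate(alias); // for a key entry this is chain[0]
            System.out.println(alias + ": " + kind + ", public key algorithm "
                    + cert.getPublicKey().getAlgorithm());
        }
        String alias = firstKeyAlias(ks);
        if (alias == null) {
            System.out.println("no private key in this store; merge key and cert with openssl pkcs12 first");
            return;
        }
        // PKCS#12 key and store passwords are normally the same; JKS may use a separate -keypass.
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("private key " + key.getAlgorithm() + ", chain length " + chain.length);
    }
}
```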
I am getting this weird error from my java code:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
The command I used to generate the keystore:
keytool -genkey -alias tomcat -keystore keystore.jks
Here is my java code:
import java.security.cert.PKIXParameters;
import java.security.KeyStore;
import java.io.FileInputStream;

public class MyKeyTest {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "mypass";
        ks.load(new FileInputStream("keystore.jks"), password.toCharArray());
        new PKIXParameters(ks);
    }
}
I tried to Google around for this error, but mostly it says this happens when the keystore was not found or is not readable.
But neither of these two cases is true in my case. Any ideas?
Some brief and simplified background, just in case it's not clear. The PKIXParameters object is used for client certificate validation. This is a way for you to allow or disallow access to your web resources. The way this typically works is that
you have a list of certificate authority (CA) certificates you trust (this is your trust store).
your application asks the client to provide a digital certificate (the client certificate).
the client cert will include the CA certificate which signed the client cert. If the CA certificate is on your list, the client passes the validation.
The keystore.jks file is your trust store. Your trust store does not currently contain any certificates (just a useless private key). To add a CA certificate you would use this command:
keytool -import -alias <an alias for the CA cert> -file <the trusted CA cert> -keystore <your keystore>
As an example, export a CA certificate from your browser to a file and then import it into your trust store:
Go to your Control Panel / Internet Options / Content tab and click on Certificates.
Select the "Trusted Root Certificate Authorities" tab and select a certificate (for example the "Microsoft Root Certificate Authority").
Click Export and save it to a file (for this example I used "msroot.cer").
At your command prompt run the following command:
keytool -import -alias msroot -file msroot.cer -keystore keystore.jks
Now when you run your Java code using this updated keystore.jks, it should run just fine.
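An added example (not the answer's own code) showing why the exception occurs and what the trust store is then used for: PKIXParameters(KeyStore) only turns trusted-certificate entries into trust anchors, so a store holding nothing but the -genkey PrivateKeyEntry produces the "must be non-empty" error. The helper below builds the anchor set explicitly, fails with a clearer message when it is empty, and then validates a client certificate chain against it. The class name, the file argument and the disabled revocation check are assumptions for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.*;
import java.util.*;

public class ClientCertCheck {
    // Only trusted-certificate entries become anchors; key entries are ignored, exactly
    // as the PKIXParameters(KeyStore) constructor does internally.
    static Set<TrustAnchor> trustAnchors(KeyStore trustStore) throws KeyStoreException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                Certificate c = trustStore.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    anchors.add(new TrustAnchor((X509Certificate) c, null));
                }
            }
        }
        return anchors;
    }

    // clientChain: end-entity certificate first, then intermediates, without the root itself.
    static PKIXCertPathValidatorResult validate(List<X509Certificate> clientChain, KeyStore trustStore)
            throws Exception {
        Set<TrustAnchor> anchors = trustAnchors(trustStore);
        if (anchors.isEmpty()) {
            throw new IllegalStateException("trust store has no trusted CA certificates; add one with keytool -import");
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // no CRL/OCSP source configured in this example
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(clientChain);
        return (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream("keystore.jks")) {
            ts.load(in, "mypass".toCharArray());
        }
        // args[0]: a PEM or PKCS#7 file holding the client's certificate chain (assumed input)
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        PKIXCertPathValidatorResult r = validate(chain, ts);
        System.out.println("accepted, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```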