How can I add the "Server Authentication" EKU to a CSR or private key using Keytool?
Here is what I'm doing:
1. Generate a key pair with: >Keytool -genseckey -dname="CN="my.server.com" ...
2. Generate a CSR using the key pair created in step #1.
3. Submit the CSR to a Windows Enterprise CA, asking for a Web Server cert.
The CA rejects the CSR with "The certificate is not valid for the requested usage." How can I add the "requested usage" using keytool so that the CA will issue the cert?
You can do this only with the JDK7 or later version of keytool. OpenJDK 7 should have this version.
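The two keytool options that carry the extension request, as an added example that is not part of the original answer: the key pair is created with -genkeypair here, and the alias, store name, host name and the password "changeit" are made-up values. It assumes a JDK 7 or later keytool on PATH, since -ext and -printcertreq do not exist in older versions; the functions return 2 when no keytool is found.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes keytool from JDK 7 or
# later is on PATH (the -ext option does not exist in older keytools).
# Alias "server", the store name and the password "changeit" are made up.

WORK="${WORK:-$(mktemp -d)}"

# Create a key pair and a CSR that both carry ExtendedKeyUsage = serverAuth.
# Returns 0 on success, 1 if keytool failed, 2 if no keytool is installed.
make_server_auth_csr() {
  dir="$1"; host="$2"; pass="changeit"
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
    -dname "CN=$host" -validity 30 \
    -ext EKU=serverAuth \
    -keystore "$dir/server.jks" -storetype JKS -storepass "$pass" -keypass "$pass" \
    >/dev/null 2>&1 || return 1
  # The CA reads the extensions from the CSR, so -ext is repeated on -certreq:
  # without it keytool writes a CSR that requests no extensions at all.
  keytool -certreq -alias server -file "$dir/server.csr" \
    -ext EKU=serverAuth \
    -keystore "$dir/server.jks" -storepass "$pass" >/dev/null 2>&1 || return 1
}

# Returns 0 when the CSR really asks for serverAuth; worth checking before
# the CSR is submitted to the CA.
csr_requests_server_auth() {
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -printcertreq -file "$1" 2>/dev/null | grep -q serverAuth
}

# Walk-through when the script is run directly.
if make_server_auth_csr "$WORK" my.server.com; then
  csr_requests_server_auth "$WORK/server.csr" && echo "CSR requests serverAuth: $WORK/server.csr"
else
  echo "keytool (JDK 7+) not found or failed; nothing generated" >&2
fi
```

The same -ext syntax accepts other extension names (for example KU for KeyUsage), and a CA may still override what the CSR asks for with its own template, so the issued certificate should be inspected with keytool -printcert before it is imported.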
Related
I am using Liberty 16.0.0.4 and I want to get the image from a Facebook account, so I ran the following command to add the Facebook certificate to the Liberty server:
keytool -importcert -keystore /pathToServer/Servers/'03- Liberty 16.0.0.4'/wlp/usr/servers/MyProjectServer/resources/key.jks -file facebook.crt -alias facebooksigner
and the certificate was successfully added to the Liberty key.jks file, and I see it when I list the certificates in this file.
But my problem is that when I try to get the image using URL url = new URL(pictureUrl);
it fires
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=California, C=US was sent from the target host.
Note: I added <keyStore id="defaultKeyStore" password="{xor}EzY9Oi0rJg=="/> into server.xml
So can you guess why this happens? Thanks :)
For SSL to work, the client needs to trust the chain that the server presents to it - from the top (root) level all the way down.
You say that you've put a Facebook cert into your trust store, but is the full chain trusted? At the very least, the root CA that signed the Facebook cert needs to be in the trust store.
In 16.0.0.4 (and earlier), Java SE APIs will never use the keystore or truststore defined in server.xml. They'll use the JRE's 'cacerts' or whatever alternative you define in the well-known SE system properties that control the trust and key stores.
In 17.0.0.1 (and later), Java SE callers can use keystores defined in server.xml if transportSecurity-1.0 is loaded.
I got a CA-signed certificate with root and intermediate certificates.
I tried to install the certificate in a lot of ways.
But in the result, after converting storage.jks to a txt file,
I saw that my certificate was added as Entry type: trustedCertEntry.
Can I install the CA-signed certificate in storage.jks without the private key which was used to generate the csr file?
I am installing a wildcard SSL certificate into my keystore, which will be used for the Apache Tomcat web server.
Description:
My Tomcat server is installed on a Windows 2012 server.
And I have certificates provided by COMODO.
The wildcard cert I'm using has already been used previously on a few servers, so I am directly installing the same one on my Apache Tomcat server.
So what I've done is generate a public keystore using keytool, providing the same information used while purchasing the certificate, with the following keytool command:
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Then I have attached my certificates to the generated keystore using the following command.
For "Comodo" certificates:
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore selfservice.keystore
And I have used the correct order of installation of the certificates, i.e. root, all intermediates, primary, with the above command.
And while installing each certificate I received the following message:
"Certificate added to keystore"
Although I have not got any error,
when I opened my keystore there was no certificate chain; there is an individual entry for each certificate, but no chain hierarchy of certificates like Root, then intermediate, then primary.
And in my final PI or certificate, I am getting the provider as the local first name instead of Comodo.
EXAMPLE :
CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US
Provider must be
CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
So I would like to know which steps I have missed or whether I used any extra steps.
Please provide a solution to install a wildcard certificate.
Thanks in advance
You did everything correctly. The trust chain is important for another aspect. If you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.
What you really need to make the wildcard certificate work on your server is to import the private key part of it.
I assume you mean Tomcat using Java SSL (JSSE) not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.
If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate, thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.
You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certificate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepassword and keytool -keypasswd.
If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like
openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx
and then use keytool to convert PKCS#12 to JKS (preferably on the new server)
keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy
Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.
If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificate snapin of mmc, and then convert the PKCS12 to JKS as just above.
If an existing server is something else, add it to the question.
I manage a site www.abc.com which already has an SSL certificate which is expiring in 2 weeks. So I created a .CSR from the existing .JKS file and sent it to the CA. I got back a .PEM, imported the pem file into the existing jks and deleted the old certificate in the jks.
When I installed the new jks in WebLogic Server 10.3.6 it threw an exception saying the keystore does not have the private key. What would have caused this? Would deleting the old certificate using its alias have deleted the private key as well? Is there a way to check the validity of the jks before installing it?
Regards,
Arun
Deleting the old certificate caused the private key to be deleted; I recreated the JKS and it worked just fine.
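The migration path in the Tomcat answer above (check that the private key really belongs to the certificate, export key plus chain to a password-protected PKCS#12 with openssl, convert it to JKS with keytool -importkeystore) and the check asked for in the WebLogic question (does the JKS still hold a PrivateKeyEntry before it is deployed?), as one added example script that is not part of either answer. It generates a throwaway root CA, a server certificate signed by it and an unrelated second key as stand-ins for the "existing server" files; file names, the alias "server" and the password "changeit" are made up. It assumes openssl on PATH; the keytool step needs a JDK and returns 2 when none is installed.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes openssl on PATH; the
# keytool step needs a JDK and is skipped (return code 2) when none is present.
# All key material below is generated on the fly as a stand-in for the
# "existing server" files; the names and the password "changeit" are made up.

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for an existing deployment: a root CA, a server cert
# signed by it, plus an unrelated key like the one "keytool -genkey" would
# create on a new server.
make_demo_material() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.demo.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 1 -days 1 -out "$d/server.crt" >/dev/null 2>&1 || return 1
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}

# SHA-256 fingerprint of the public key contained in a private key file.
pubkey_fp_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key contained in a certificate.
pubkey_fp_of_cert() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 only when the private key is the one the certificate was issued for.
# A freshly generated key never matches a pre-existing certificate.
key_matches_cert() {
  k=$(pubkey_fp_of_key "$1"); c=$(pubkey_fp_of_cert "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Old-server side: bundle key + cert + chain into a password-protected PKCS#12,
# refusing to do so when the key does not match the certificate.
export_pkcs12() {
  key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
  key_matches_cert "$key" "$cert" || return 1
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -name server -out "$out" -passout "pass:$pass" >/dev/null 2>&1
}

# New-server side: convert PKCS#12 to JKS and confirm a PrivateKeyEntry exists;
# a store holding only trustedCertEntry lines cannot serve TLS.
pkcs12_to_jks() {
  src="$1"; dest="$2"; pass="$3"
  command -v keytool >/dev/null 2>&1 || return 2
  keytool -importkeystore -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$dest" -deststoretype JKS -deststorepass "$pass" -noprompt \
    >/dev/null 2>&1 || return 1
  keytool -list -keystore "$dest" -storepass "$pass" 2>/dev/null | grep -q PrivateKeyEntry
}

# Walk-through when the script is run directly.
if make_demo_material "$WORK"; then
  key_matches_cert "$WORK/other.key" "$WORK/server.crt" || echo "new key does not match the cert (expected)"
  export_pkcs12 "$WORK/server.key" "$WORK/server.crt" "$WORK/root.crt" "$WORK/server.p12" changeit \
    && echo "wrote $WORK/server.p12"
  rc=0
  pkcs12_to_jks "$WORK/server.p12" "$WORK/server.jks" changeit || rc=$?
  case $rc in
    0) echo "JKS has a PrivateKeyEntry: $WORK/server.jks" ;;
    2) echo "keytool not found, JKS step skipped" ;;
    *) echo "JKS conversion failed" >&2 ;;
  esac
fi
```

The key_matches_cert check is the quick way to tell the "new key from keytool -genkey" situation apart from a genuine import problem. With OpenSSL 3 the PKCS#12 is written with AES and PBKDF2 by default; a very old JDK that cannot read it can be accommodated by adding -legacy to the openssl pkcs12 -export command, at the cost of weaker file encryption.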
We use openssl to generate a self-signed root certificate and derive a user certificate from it in Java using the Bouncy Castle library. The user certificate is used to sign PDF documents, again from Java, with a mix of Bouncy Castle and openssl.
The root certificate is installed in Adobe Reader, but Adobe Reader says the signature is invalid because there is no trusted root certificate in the chain. The authority key identifier of the signature certificate matches the subject key identifier of the root certificate, even inside Adobe Reader. If the root certificate and the user certificate are installed in the Windows key store, the certificate chain is shown.
If we derive the user certificate with openssl instead of Java/Bouncy Castle and sign a PDF with it, everything looks fine, but the Java-generated certificate fails.
What am I doing wrong?
Root Certificate is <Root Cert>
PDF signed with openssl generated certificate: <openssl pdf>