I have a Java application accessing a service that uses a StartCom SSL certificate. For this to work, I need to add the StartCom CA certs to Java's truststore, because they're not in there by default yet. I've successfully done that on Linux using these commands:
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
(From this script)
The same command (adapted appropriately) doesn't work on Windows however. I get:
keytool error: java.lang.RuntimeException: Usage error, trustcacerts is not a legal command
How to make it work?
It was a simple typo. In converting the command I forgot a dash before "trustcacerts". :(
On Mac OS X Mavericks 10.9 I did this:
I always make a tmp directory that I delete later, but you don’t have to:
mkdir ~/tmp
cd ~/tmp
Then download the certs:
curl http://www.startssl.com/certs/ca.crt -O
curl http://www.startssl.com/certs/sub.class1.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class2.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class3.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class4.server.ca.crt -O
Get your Java home:
$ /usr/libexec/java_home
/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home
Use keytool to install it:
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
Remove -trustcacerts
Yes, -trustcacerts is the right syntax.
But for the linked script to work under Cygwin you need to remove sudo from all keytool lines - sudo is unavailable in Cygwin.
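The keytool commands in this thread report success per import but nothing confirms that the right certificate actually landed in the store the JVM will use. The following program is an added example (not code from the question or any of the answers): it loads a PEM certificate, loads a truststore (by default the running JRE's own cacerts, the same file the commands above modify), and looks for the certificate by SHA-256 fingerprint rather than by alias, while also reporting whether the certificate is a CA certificate and when it expires. The class name TrustStoreCheck and the argument layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustStoreCheck {

    /** SHA-256 fingerprint of the certificate's DER encoding, lowercase hex. */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Alias under which the certificate is stored as a trusted entry, or null if it is absent. */
    static String findTrustedAlias(KeyStore ts, X509Certificate wanted) throws Exception {
        String want = fingerprint(wanted);
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ts.isCertificateEntry(alias)) continue;   // private-key entries are not trust anchors
            if (fingerprint(ts.getCertificate(alias)).equals(want)) return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustStoreCheck <ca.crt> [truststore] [storepass]");
            System.exit(2);
        }
        // Default store: the running JRE's cacerts. java.home is the jre/ directory on Java 8
        // and the JDK root on Java 9+, so lib/security/cacerts is correct in both cases.
        Path storeFile = args.length > 1 ? Paths.get(args[1])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storeFile.toFile())) {
            ts.load(in, storePass);
        }

        System.out.println("certificate: " + cert.getSubjectX500Principal());
        System.out.println("sha256:      " + fingerprint(cert));
        // A trust anchor should be a CA certificate; basicConstraints < 0 means "not a CA".
        System.out.println("is CA:       " + (cert.getBasicConstraints() >= 0));
        System.out.println("valid until: " + cert.getNotAfter());

        String alias = findTrustedAlias(ts, cert);
        if (alias == null) {
            System.out.println("NOT present in " + storeFile);
            System.exit(1);
        }
        System.out.println("present in " + storeFile + " as alias '" + alias + "'");
    }
}
```

Run it as `java TrustStoreCheck ca.crt` to check the JRE's cacerts, or pass a different store path and password as the second and third arguments. Matching by fingerprint also catches the case where an alias exists but holds a different (for instance older or re-issued) certificate, which `keytool -list -alias` alone does not tell you.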
I have generated self-signed certificates with OpenSSL:
Root CA: cacert.crt (the root CA certificate), and root_key.pem (for the root private key).
Client: client_cert.crt (the client certificate), and client_key.pem (for private key).
Server: server_cert.crt (the server certificate), and server_key.pem (for private key).
Both client and server certificates are signed with the root key.
As I understand it, for two way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.
My question is how to generate with keytool the two pairs of client/server truststore/keystore, starting from these certificates/keys.
After some research, I found the following steps:
For client keystore:
openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt
For client truststore:
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file server_cert.crt -alias servercert -keystore ClientTruststore
For server keystore:
openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%
For server truststore:
keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore
I tested it with a very simple SSL Client/Server by running the program:
java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar
It is working fine.
Any suggestions for improvements are welcome.
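The two `java -D...` invocations above configure both sides through system properties, which hides which store plays which role in the handshake. The following program is an added example, not the answerer's HelloServer/HelloClient: it builds an SSLContext explicitly from a keystore (own identity) plus a truststore (accepted peers) for each side, runs a server that requires a client certificate, connects to it on the loopback interface, and prints the authenticated peer identity on both ends. It assumes the four store files produced by the steps above (server.keystore, ServerTruststore, client.pfx, ClientTruststore) are in the working directory and all use the password MyPassword.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsDemo {

    /** Build an SSLContext from a keystore (who we are) and a truststore (who we accept). */
    static SSLContext contextFrom(String keyStore, String keyStoreType, String keyPass,
                                  String trustStore, String trustPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        try (InputStream in = new FileInputStream(keyStore)) { ks.load(in, keyPass.toCharArray()); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass.toCharArray());

        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStore)) { ts.load(in, trustPass.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String pass = "MyPassword";   // password used for all four stores in the steps above
        SSLContext serverCtx = contextFrom("server.keystore", "JKS", pass, "ServerTruststore", pass);
        SSLContext clientCtx = contextFrom("client.pfx", "PKCS12", pass, "ClientTruststore", pass);

        SSLServerSocket listener =
                (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        // Require a client certificate. setWantClientAuth(true) would merely request one.
        listener.setNeedClientAuth(true);
        int port = listener.getLocalPort();

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept();
                 BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
                 PrintWriter out = new PrintWriter(s.getOutputStream(), true)) {
                // Throws SSLPeerUnverifiedException if the client presented no acceptable certificate.
                String who = s.getSession().getPeerPrincipal().getName();
                out.println("hello " + who + ", you said: " + in.readLine());
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        server.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port);
             PrintWriter out = new PrintWriter(c.getOutputStream(), true);
             BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()))) {
            out.println("ping");
            System.out.println("server identity: " + c.getSession().getPeerPrincipal().getName());
            System.out.println("server reply:    " + in.readLine());
        }
        server.join();
        listener.close();
    }
}
```

Two things this makes visible that the property-based setup does not. First, a peer certificate is accepted when its chain ends at an entry in the truststore, so with cacert.crt in ServerTruststore the separate client_cert.crt entry is redundant (it only matters if you later remove the CA and want to pin that one leaf). Second, a raw SSLSocket does not check that the server's certificate matches the hostname; for anything beyond a loopback test, set `setEndpointIdentificationAlgorithm("HTTPS")` in the client socket's SSLParameters so that a certificate issued to a different name by the same CA is rejected.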
I'm trying to set up a Eureka discovery server with HTTPS enabled on a different machine (say 192.168.1.10) with
keytool -genkey -keystore eurekaserver.jks -alias eurekaserver -storepass server1 -keypass server1 -dname "CN=server1, OU=server1, O=server1, L=kvp, S=TN, C=IN"
keytool -export -alias eurekaserver -file eurekaserver.crt -keystore eurekaserver.jks
keytool -import -alias localhost -file client1.crt -keystore eurekaserver.jks
And tried to view eureka dashboard in another machine's browser (say 192.168.2.20)
keytool -genkey -keystore client1.jks -alias client1 -storepass client1 -keypass client1 -dname "CN=client1, OU=client1, O=client1, L=kvp, S=TN, C=IN"
keytool -export -alias client1 -file client1.crt -keystore client1.jks
keytool -import -alias eurekaserver -file eurekaserver.crt -keystore client1.jks
and converted the JKS to P12 format and added it as a certificate.
But in the browser the error received is
ERR_BAD_SSL_CLIENT_AUTH_CERT
Can anyone help? What could I possibly be doing wrong?
I'm trying to add SSL to my client / server nodes but I'm getting a "Handshake timed out" from the client side and a "Failed to process selector key" "Closing NIO session because of unhandled exception" from the server side. I don't know if I am doing things correctly...
I'm using java 11 + ignite 2.7.6 + gridgain 8.7.6
For the keystore creation:
keytool -genkey -alias server-alias -keyalg RSA -keypass password -storepass password -keystore serverkeystore.jks
keytool -genkey -alias client-alias -keyalg RSA -keypass password -storepass password -keystore clientkeystore.jks
Exporting the cer into its own file:
keytool -export -alias server-alias -storepass password -file server.cer -keystore serverkeystore.jks
keytool -export -alias client-alias -storepass password -file client.cer -keystore clientkeystore.jks
Add the certs to the server trust store:
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicserverkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicserverkeystore.jks -keypass password -storepass password
Add the certs to the client trust store:
keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore publicclientkeystore.jks -keypass password -storepass password
keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore publicclientkeystore.jks -keypass password -storepass password
Now in the java client node side:
import org.apache.ignite.configuration.ClientConnectorConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

IgniteConfiguration igniteConfiguration = new IgniteConfiguration();

// Client connector (JDBC/ODBC/thin clients): disabled, but SSL with client auth switched on
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);

// SSL for node-to-node communication: this node's keystore plus the truststore holding both certs
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\clientkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicclientkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);
Now in the java server node side:
import org.apache.ignite.configuration.ClientConnectorConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.ssl.SslContextFactory;

IgniteConfiguration igniteConfiguration = new IgniteConfiguration();

// Client connector (JDBC/ODBC/thin clients): disabled, but SSL with client auth switched on
ClientConnectorConfiguration cliConnCfg = new ClientConnectorConfiguration();
cliConnCfg.setJdbcEnabled(false);
cliConnCfg.setOdbcEnabled(false);
cliConnCfg.setThinClientEnabled(false);
cliConnCfg.setSslEnabled(true);
cliConnCfg.setSslClientAuth(true);
igniteConfiguration.setClientConnectorConfiguration(cliConnCfg);

// SSL for node-to-node communication: this node's keystore plus the truststore holding both certs
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\serverkeystore.jks");
sslContextFactory.setKeyStorePassword("password".toCharArray());
sslContextFactory.setTrustStoreFilePath("C:\\Program Files\\Java\\jdk-11.0.2\\lib\\security\\publicserverkeystore.jks");
sslContextFactory.setTrustStorePassword("password".toCharArray());
igniteConfiguration.setSslContextFactory(sslContextFactory);
This is the command I am running in cmd:
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts -storepass changeit
The error is:
illegal option: Files\Java\jdk1.8.0_161\jre\lib\security\cacerts
Has anyone got an idea as to what is going wrong?
Use
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore "C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts" -storepass changeit
I have signed a JAR file using a certificate I received from a trusted CA.
I followed the complete code-signing process: creating a keystore, creating a CSR, submitting the CSR to the CA and receiving the certificate, importing the certificates into the keystore (root, chain and code-signing certificates) and then signing the JAR file.
I did the above in the steps below:
keytool -genkey -keyalg rsa -keysize 2048 -alias myalias -dname "CN=##,O=##,L=##,ST=##,C=##" -keystore mykeystore -storepass mypass
keytool -certreq -alias myalias -file certreq1.pem -keystore mykeystore
keytool -import -trustcacerts -alias myalias1 -file root.crt -keystore mykeystore
keytool -import -trustcacerts -alias myalias2 -file chain.crt -keystore mykeystore
keytool -import -alias myalias3 -file certificate.crt -keystore mykeystore
jarsigner -keystore mykeystore Applet.jar myalias
But still, when I open it in the browser, I am getting the publisher as 'UNKNOWN'.
What am I doing wrong here?
I found what I did incorrectly. While importing the code-signing certificate, I should use the same alias as the original one:
keytool -import -alias myalias -file certificate.crt -keystore mykeystore
Once this is done, it works.
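The 'UNKNOWN' publisher is only visible once the JAR reaches a browser, long after jarsigner has reported success. The following program is an added example (not from the question or the answer): it opens a JAR with verification on, reads the first signed entry to force signature checking, and prints the signer's certificate chain. A chain consisting of a single self-signed certificate is exactly what the alias mistake above produces, because the CA reply imported under a different alias becomes a separate trusted entry while the signing alias keeps its original -genkey certificate; importing under the same alias replaces that chain with the CA-issued one. The class name JarSignerCheck is an assumption.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    // id-kp-codeSigning: the extended key usage a CA places on a code-signing certificate
    static final String CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3";

    /** Certificate chain (leaf first) of the first signed non-metadata entry, or null if unsigned. */
    static List<? extends Certificate> signerChain(String jarPath) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {      // true: verify signatures while reading
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements(); ) {
                JarEntry entry = en.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }            // signers are only known after a full read
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers != null && signers.length > 0) {
                    return signers[0].getSignerCertPath().getCertificates();
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        List<? extends Certificate> chain = signerChain(args[0]);
        if (chain == null) {
            System.out.println("unsigned");
            System.exit(1);
        }
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            System.out.println(x.getSubjectX500Principal() + "  <- issued by " + x.getIssuerX500Principal());
        }
        X509Certificate leaf = (X509Certificate) chain.get(0);
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        List<String> eku = leaf.getExtendedKeyUsage();
        boolean codeSigning = eku != null && eku.contains(CODE_SIGNING_EKU);

        // One self-signed certificate means jarsigner used the original -genkey certificate,
        // not the CA's reply: the symptom of importing the reply under a different alias.
        if (chain.size() == 1 && selfSigned) {
            System.out.println("self-signed chain: the CA reply was not imported under the signing alias");
            System.exit(1);
        }
        System.out.println("chain length: " + chain.size() + ", code-signing EKU present: " + codeSigning);
    }
}
```

Run it as `java JarSignerCheck Applet.jar` after signing. With the corrected import the output lists the code-signing certificate followed by the intermediate and root, and the EKU check is true; with the original mistake it stops at the single self-signed certificate, which is the same thing `jarsigner -verify -verbose -certs` shows in longer form.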