I generated my private key with openssl; it is the file serverkey.pem. I also have serverreq.pem, which I sent to the cert authority. They will send me a signed certificate.
Is there any way to convert serverkey.pem into a Java Key Store? Do I have to generate something else, or does it need only the private key serverkey.pem? Can I do it with keytool?
I know how to import cacerts and the signed cert into an existing JKS, but I don't know how to create a JKS from a private key PEM. Thanks for any help.
Related
I want to connect to AWS Certificate Manager to fetch public/private certificates from my Java application, which could be deployed on AWS or outside it as well. The certificates are for MongoDB Atlas SSL connections.
I have tried the GET Certificate API for self-signed certificates, which does not return the private key (just the .pem-encoded certificate and certificate chain). But in order to use this certificate from a Java client for a secure connection to MongoDB, I need the private key as well, to convert it to proper JKS/PFX format.
At the moment I do not have access to a private certificate for the Export Certificate API, which according to the documentation gives the private key as well, which is needed to convert the certificate to PFX/JKS format.
Also, I am using OpenSSL for converting the .PEM-encoded certificate to PFX/JKS format, but in this case I have to do it from Java code itself.
So I have two questions:
How do I fetch the private key from AWS Certificate Manager (for public/self-signed certificates) so that I can convert it to PFX format?
Is that the correct way to convert to PFX/JKS format (from Java code instead of using openssl from the terminal), or am I missing something?
I'm taking over an existing project where I have keys/certs (root and intermediate CA) that were created with openssl. I was told to try to use keytool to generate client certs for client authentication for SSL in Java.
I am not a crypto person, so this is all pretty new, but I've used Bouncy Castle in this POC, which generates client certs correctly, in that a client can authenticate with our service and an SSL connection is established.
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// VALIDITY_PERIOD is defined elsewhere in the original class; one year is assumed here.
private static final long VALIDITY_PERIOD = 365L * 24 * 60 * 60 * 1000;

public X509Certificate buildEndEntityCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert, String clientName)
        throws Exception {
    String name = "CN=Test"; // clientName is not used, so every certificate gets the same subject
    X509v3CertificateBuilder certBldr = new JcaX509v3CertificateBuilder(
            caCert.getSubjectX500Principal(),              // issuer: the (intermediate) CA
            BigInteger.ONE,                                // serial number; fixed at 1 here, although a CA must issue unique serials
            new Date(System.currentTimeMillis()),          // notBefore
            new Date(System.currentTimeMillis() + VALIDITY_PERIOD), // notAfter
            new X500Principal(name),                       // subject
            entityKey);                                    // subject public key
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    certBldr.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
            .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKey))
            .addExtension(Extension.basicConstraints, false, new BasicConstraints(false)) // not a CA
            .addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation))
            .addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth)); // TLS client auth only
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKey); // signed by the CA key
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBldr.build(signer));
}
I call this method with the intermediateCredential I load on startup for the caKey and caCert parameters. Is there a similar way I can do this with keytool?
If there is not a command or set of commands that I can run to accomplish this, is there even a way to do this? Like create a new truststore, import those certs, and then create new certs from that truststore acting as a CA?
In Java 7 and 8 (but not earlier), yes, the -gencert option of keytool can do this. I haven't yet tested Java 9, but I expect it will retain this; new Javas almost never drop useful functionality.
A truststore contains only certs, without keys. To sign anything, including a child cert, you need a cert AND key, or depending on your perspective a key AND cert, which means a keystore.
Both Java 7 and 8 can use either JKS or PKCS12 format for a keystore (j8 can also use either for a truststore, j7 only JKS), but if you currently have the CA key and cert in PEM format, as OpenSSL normally uses, you need to get them into one of the keytool-supported formats. That is a question that has been asked and answered many times already:
How to import an existing x509 certificate and private key in Java keystore to use in SSL?
How do I import the private and public keys (pvk,spc) and certificates (cer) into the keystore?
How can i create keystore from an existing certificate (abc.crt) and abc.key files?
Importing the private-key/public-certificate pair in the Java KeyStore
convert certificate from pem into jks
How to create keystore from cer files
Is it possible to convert an SSL certificate from a .key file to a .pfx?
Convert a CERT/PEM certificate to a PFX certificate
using OpenSSL to create .pfx file
How to create .pfx file from certificate and private key?
How to use .key and .crt file in java that generated by openssl?
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
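The conversion asked about in the first question on this page (serverkey.pem plus the signed certificate into a keystore), in the AWS question (doing it from Java code rather than from openssl) and in this answer (getting an OpenSSL PEM key and cert into a keytool-supported format) is one and the same operation. The following program is an added example, not code from any of the posts, that performs it with the JDK alone. It assumes an unencrypted key, the entry alias "server", and the file names given on the command line; it accepts PKCS#8 PEM, the older PKCS#1 "BEGIN RSA PRIVATE KEY" form (which KeyFactory rejects unless it is wrapped in PKCS#8, done here by hand) and raw DER, and it refuses to store a key under a certificate that was not issued for it.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAKey;
import java.security.spec.*;
import java.util.*;

public class PemToKeyStore {
    public static void main(String[] args) throws Exception {
        if (args.length < 4) throw new IllegalArgumentException(
            "usage: PemToKeyStore <key.pem> <out.p12> <password> <cert.pem> [chain.pem ...]");
        PrivateKey key = readPrivateKey(Files.readAllBytes(Paths.get(args[0])));
        List<Certificate> chain = new ArrayList<>();   // leaf first, then intermediates, then (optionally) root
        for (int i = 3; i < args.length; i++) chain.addAll(readCertificates(Files.readAllBytes(Paths.get(args[i]))));
        if (!keyMatchesCertificate(key, chain.get(0)))
            throw new IllegalStateException("the first certificate was not issued for this private key");
        char[] password = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");  // "JKS" works the same way if a legacy .jks is required
        ks.load(null, null);                            // start from an empty in-memory store
        ks.setKeyEntry("server", key, password, chain.toArray(new Certificate[0])); // alias "server" is assumed
        try (OutputStream out = Files.newOutputStream(Paths.get(args[1]))) {
            ks.store(out, password);
        }
        System.out.println("wrote " + args[1] + ": key entry 'server', chain length " + chain.size());
    }

    /** Accepts PKCS#8 PEM ("BEGIN PRIVATE KEY"), legacy PKCS#1 PEM ("BEGIN RSA PRIVATE KEY") or raw PKCS#8 DER. */
    static PrivateKey readPrivateKey(byte[] raw) throws Exception {
        String text = new String(raw, StandardCharsets.US_ASCII);
        byte[] der = raw;                               // no PEM armour: treat the bytes as DER (e.g. key.der)
        if (text.contains("-----BEGIN")) {
            if (text.contains("ENCRYPTED")) throw new IllegalArgumentException(
                "encrypted key: unwrap it first with 'openssl pkcs8 -topk8 -nocrypt -in key.pem -out key8.pem'");
            if (text.contains("BEGIN EC PRIVATE KEY")) throw new IllegalArgumentException(
                "SEC1 EC key: convert it with 'openssl pkcs8 -topk8 -nocrypt'");
            der = pemBody(text);
            if (text.contains("BEGIN RSA PRIVATE KEY")) der = wrapPkcs1InPkcs8(der); // KeyFactory wants PKCS#8
        }
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException notRsa) {
            return KeyFactory.getInstance("EC").generatePrivate(spec); // PKCS#8 also wraps EC keys
        }
    }

    /** Strips the first PEM armour and decodes its Base64 body. */
    static byte[] pemBody(String pem) {
        StringBuilder b64 = new StringBuilder();
        boolean inside = false;
        for (String line : pem.split("\\R")) {
            if (line.startsWith("-----BEGIN")) { inside = true; continue; }
            if (line.startsWith("-----END")) break;
            if (inside && !line.contains(":")) b64.append(line.trim()); // skips "Proc-Type:"-style headers
        }
        return Base64.getDecoder().decode(b64.toString());
    }

    /** Wraps a PKCS#1 RSAPrivateKey in PKCS#8 PrivateKeyInfo: SEQUENCE { version 0, rsaEncryption/NULL, OCTET STRING }. */
    static byte[] wrapPkcs1InPkcs8(byte[] pkcs1) throws IOException {
        byte[] version = {0x02, 0x01, 0x00};
        byte[] rsaAlgId = {0x30, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7,
                           0x0d, 0x01, 0x01, 0x01, 0x05, 0x00};  // OID 1.2.840.113549.1.1.1 with NULL parameters
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(version);
        body.write(rsaAlgId);
        body.write(der(0x04, pkcs1));
        return der(0x30, body.toByteArray());
    }

    /** Minimal DER TLV encoder: short form below 128 bytes, two-byte long form otherwise (enough for RSA keys). */
    static byte[] der(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int len = content.length;
        if (len > 0xFFFF) throw new IllegalArgumentException("content too long for this encoder");
        if (len < 0x80) out.write(len);
        else { out.write(0x82); out.write(len >> 8); out.write(len & 0xFF); }
        out.write(content, 0, content.length);
        return out.toByteArray();
    }

    /** CertificateFactory reads a single DER certificate or any number of concatenated PEM certificates. */
    static List<Certificate> readCertificates(byte[] raw) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return new ArrayList<>(cf.generateCertificates(new ByteArrayInputStream(raw)));
    }

    /** The usual import failure is a key/certificate mismatch; for RSA the modulus must be identical on both sides. */
    static boolean keyMatchesCertificate(PrivateKey key, Certificate leaf) {
        if (key instanceof RSAKey && leaf.getPublicKey() instanceof RSAKey) {
            return ((RSAKey) key).getModulus().equals(((RSAKey) leaf.getPublicKey()).getModulus());
        }
        return true; // EC keys are not checked by this helper
    }
}
```

Run it as `java PemToKeyStore serverkey.pem server.p12 changeit server.crt intermediate.crt`; afterwards `keytool -list -v -keystore server.p12 -storetype pkcs12` shows one PrivateKeyEntry whose chain length equals the number of certificates supplied. The resulting .p12 is also what the AWS question calls PFX, so no openssl step is needed on the Java side once the private key itself is available.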
We are trying to get a valid SSL certificate for our Tomcat server and we are using keytool to manage the keystore
... but I think anyone with a security background can help!
1. I create a keystore.
2. Generate a public and private key pair in it.
3. Generate a CSR.
4. Submit the CSR and get the certificate and trust chain.
5. I import the certificate.
6. I must import the trust chain.
Step 6 is my problem. I have two options:
1. Append the certificate to the key pair (named tomcat), as below: [screenshot not reproduced]
2. Or import the CAs into the keystore, as below: [screenshot not reproduced]
Should I do both?! If the first option (append certificate to key pair) is enough, then why would someone need to add a certificate to the keystore?
A key pair is basically represented as a private key and a certificate chain in a Java keystore, and the certificates contain the public key. When you generate the key pair using the keytool command, it asks you for some details that are required for the self-signed certificate it will generate and associate with that private key. So in this case your certificate chain contains 1 certificate.
When you generate a CSR and have received your signed certificate and the other chain-of-trust certificates (i.e. the CA and sub-CA certs) in a single file like a p7b, you will be adding them to your current key pair, i.e. you will be associating the certificate chain with its corresponding private key. So in this case you would choose the Import CA Reply option in KeyStore Explorer.
When you do that, KeyStore Explorer will construct the certificate chain like this:
3. CA Certificate (self-signed)
   |
   |__ 2. Sub CA Certificate (signed by the above CA)
          |
          |__ 1. Sub-sub CA Certificate (if any) (signed by the above Sub CA)
                 |
                 |__ 0. End Entity Certificate (your certificate, signed by the above cert)
To see how it looks in the keystore using keytool: when you -list the keystore contents, you will see a PrivateKeyEntry with Certificate chain length: x.
So, to answer your option 1: when you want to edit this certificate chain, e.g. add a certificate or remove a certificate, you can use the Edit Certificate Chain option KeyStore Explorer provides.
To answer your option 2: just as key pair entries exist in a keystore, a certificate can also exist by itself. It is called a Certificate Entry. When a keystore contains only certificates, it is called a truststore. You might have heard of the cacerts file the Java installation folder contains. It is the truststore file, which contains all the CA and sub-CA certificates Java should trust. When you have a new organization's certificate that you want Java to trust, you would add that certificate to the cacerts file. In this case you would choose the Import Trusted Certificate option.
If you are importing the CA's reply, you are technically supposed to associate it with its corresponding private key. So you should be doing the Import CA Reply.
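What "Import CA Reply" does with the p7b can be reproduced with the JDK alone, which also shows why the chain ends up in the order drawn above. The program below is an added example, not code from the answer or from KeyStore Explorer: it opens the keystore created in step 1, finds the certificate in the reply whose public key matches the key pair from step 2, walks issuer by issuer towards the root while verifying each signature, and stores the ordered chain on the existing private-key entry. The file names, the alias "tomcat" and a key password equal to the store password are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;

public class ImportCaReply {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) throw new IllegalArgumentException(
            "usage: ImportCaReply <keystore.jks> <password> <alias> <reply.p7b|chain.pem>");
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");   // keytool's default before Java 9; use "PKCS12" for a .p12
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, pw);
        }
        String alias = args[2];
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw); // assumes the key password equals the store password
        if (key == null) throw new IllegalStateException("no private key entry '" + alias + "' in the keystore");
        // The self-signed certificate keytool created at -genkeypair time carries this key's public half.
        PublicKey ourKey = ks.getCertificate(alias).getPublicKey();
        X509Certificate[] chain = buildChain(ourKey, readBundle(Paths.get(args[3])));
        ks.setKeyEntry(alias, key, pw, chain);        // replaces the 1-certificate chain with the ordered reply
        try (OutputStream out = Files.newOutputStream(Paths.get(args[0]))) {
            ks.store(out, pw);
        }
        for (int i = 0; i < chain.length; i++) System.out.println(i + ": " + chain[i].getSubjectX500Principal());
    }

    /** CertificateFactory accepts a PKCS#7 (.p7b) reply as well as concatenated PEM or a single DER certificate. */
    static List<X509Certificate> readBundle(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
        }
        return certs;
    }

    /**
     * Orders the bundle the way keytool -list shows it: index 0 is the end-entity certificate
     * for our key pair and each following entry is the issuer of the previous one. Every link
     * is verified with the issuer's public key, so a wrong or tampered reply is rejected here.
     */
    static X509Certificate[] buildChain(PublicKey ourKey, List<X509Certificate> bundle) throws Exception {
        X509Certificate leaf = null;
        for (X509Certificate c : bundle) {
            if (Arrays.equals(c.getPublicKey().getEncoded(), ourKey.getEncoded())) leaf = c;
        }
        if (leaf == null) throw new IllegalStateException("the reply contains no certificate for this key pair");
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        while (true) {
            current.checkValidity();                      // throws if expired or not yet valid
            chain.add(current);
            if (current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                current.verify(current.getPublicKey());   // self-signed root: the chain is complete
                break;
            }
            X509Certificate issuer = null;
            for (X509Certificate c : bundle) {
                if (!chain.contains(c) && c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    issuer = c;
                }
            }
            if (issuer == null) break;                    // reply stops at an intermediate; the root must then be in the truststore
            current.verify(issuer.getPublicKey());        // SignatureException if this link does not check out
            current = issuer;
        }
        return chain.toArray(new X509Certificate[0]);
    }
}
```

After `java ImportCaReply keystore.jks changeit tomcat reply.p7b`, `keytool -list -v -keystore keystore.jks` reports the tomcat entry with Certificate chain length: 3 or 4, depending on whether the CA included a sub-sub CA. The option-2 path (Import Trusted Certificate) is deliberately not taken here: a certificate entry would only make Tomcat trust that CA for client certificates, it would not let the server present a complete chain to browsers.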
I am testing the subEthaSMTP SMTP server. Everything is OK, but I want to use SSL/TLS. I read the article about this and have a question.
I have csr, crt and key files, but the article uses PKCS12, JKS and SunX509.
Is it possible to use csr, crt and key, or how do I convert them into the needed format?
P.S. Sorry, I am not an expert in Java.
The CSR is a Certificate Signing Request. You should already have self-signed the certificate or sent it to a certificate authority. If you are lost at this point, read the certificates howto.
Then you should have a CRT file (the CRT is an X.509 certificate in DER format), self-signed or signed by a certificate authority. To create a PKCS#12 certificate you should:
1. Transform the DER certificate to PEM.
2. Mix the PEM and the KEY private key file into the PKCS#12 file format.
The openssl commands are in the "Converting Using OpenSSL" section here.
This stuff is not Java; it's just SSL/TLS.
Current situation:
We do a POST to a certain URL using HTTPS/SSL. For this to work, my (former) colleague posted this question: Java HTTPS client certificate authentication
So basically we have a keystore in .p12 format and the truststore is a .jks file.
We have no control over the server that receives our POST request.
Issue:
The server admins have provided us with some new .der files because their old certificate was about to expire.
As I'm fairly new to SSL certificates and keytool and openssl commands, I have no idea how to proceed from here.
1) Is it necessary to generate new .p12 and .jks files? Or do I only need to generate a new .jks file?
2) How do I generate these files from a .der certificate? I have found some websites with most of the keytool/openssl commands, but I haven't been able to successfully generate what I need.
The last command I tried (to no avail) was:
keytool -storepass dsmserver -keystore c:\temp\newkeystore.jks -importcert -alias "c:\temp\newcert.der" -trustcacerts
Wait, which certificate expired? If it was theirs, there shouldn't have been any need to send you a new file (after all, you don't have to update your browser when, say, stackoverflow.com's SSL certificate expires and they install a new one). If you're doing mutual authentication (client certificate authentication), then there are four certificates involved: your certificate, their certificate, the certificate of the authority that signed your certificate, and the certificate of the authority that signed their certificate. They send you their certificate and you check to see that it was properly signed by a certificate authority that you trust (that's what the truststore is for: it's a list of the certificate authorities that you trust to sign certificates from their side). Subsequently, you send your certificate and they check to see that it was properly signed by a certificate authority that they trust. (Of course, all of this is done for you automatically behind the scenes in JSSE by the SSL handshake procedure.)
Remember, a certificate is a (signed) assertion that such-and-such name is identified by a particular public key. So if their certificate expired, they'll generate a new one, get it signed by a CA that you already trust, and replace the old one with this one. When your software (automatically, as part of the behind-the-scenes SSL handshake) gets the new one, it will check to see who the signer ("issuer") was and if it's in your list of trusted authorities (and properly signed). If this checks out, you'll accept it automatically. They don't need to send you anything out-of-band to make this happen, unless they're changing certificate authorities and you don't already trust the new one. If so, you can use
keytool -import -keystore <truststore> -file <certificate file> -alias <someca>
If, on the other hand, your certificate is the one that expired, then they shouldn't be sending you anything unrequested. Instead, you should be generating a CSR via:
keytool -genkey -alias <myalias> -keystore <keystore>.p12 -storetype pkcs12
keytool -certreq -alias <myalias> -file request.csr -keystore <keystore>.p12 -storetype pkcs12
This will update the keystore with a new private key and create a file named "request.csr" which you should then send to them (or to a CA that's in their truststore) for a signature. They will respond with a signed certificate which you will then import back into your keystore using:
keytool -import -alias <myalias> -file <signed certificate>.cer -keystore <keystore>.p12 -storetype pkcs12
If I had to guess, it looks like they tried to perform these three steps for you and tried to send you the certificate and the corresponding private key, which is invalid: Java will (rightly!) try its best to stop you from importing that, because the private key itself was tainted when they sent it over an untrusted channel (e-mail, I presume?). This defeats the purpose of PKI: nobody should ever have access to your private key except you.
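The check the answer describes, "who the signer was and whether it's in your list of trusted authorities", can be run by hand on the .der files before touching any keystore, which settles question 1 (whether a new .jks is needed at all). The program below is an added example, not code from the answer: it loads the .jks truststore, builds a certificate path from the received server certificate and any intermediates, and runs the same PKIX validation JSSE performs during the handshake. Only the file names on the command line are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class CheckServerCert {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) throw new IllegalArgumentException(
            "usage: CheckServerCert <truststore.jks> <password> <server.der> [intermediate.der ...]");
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> received = new ArrayList<>(); // server certificate first, then any intermediates
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = Files.newInputStream(Paths.get(args[i]))) {
                for (Certificate c : cf.generateCertificates(in)) received.add((X509Certificate) c);
            }
        }
        System.out.println(validate(trust, received));
    }

    /**
     * Runs the PKIX check JSSE performs during the handshake: the server certificate must chain,
     * through the received intermediates, to a certificate that is already a trusted entry.
     */
    static String validate(KeyStore trust, List<X509Certificate> received) throws Exception {
        X509Certificate leaf = received.get(0);
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : received) {
            if (trust.getCertificateAlias(c) == null) path.add(c); // trust anchors themselves must not be in the path
        }
        if (path.isEmpty()) return "OK: " + leaf.getSubjectX500Principal() + " is itself a trusted entry; nothing to import";
        PKIXParameters params = new PKIXParameters(trust);      // every certificate entry becomes a trust anchor
        params.setRevocationEnabled(false);                     // offline check: no CRL/OCSP fetch
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        try {
            PKIXCertPathValidatorResult r =
                (PKIXCertPathValidatorResult) CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK: " + leaf.getSubjectX500Principal() + " chains to trusted anchor "
                + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal() + "; nothing to import";
        } catch (CertPathValidatorException e) {
            if (leaf.getNotAfter().before(new Date())) return "EXPIRED on " + leaf.getNotAfter() + ": " + e.getMessage();
            return "NOT TRUSTED (" + e.getMessage() + "): issuer " + leaf.getIssuerX500Principal()
                + " is not reachable from the truststore; import that CA's certificate with keytool -import";
        }
    }
}
```

`java CheckServerCert truststore.jks changeit newcert.der` prints OK when the server merely renewed under a CA you already trust, in which case neither the .p12 nor the .jks needs to change; NOT TRUSTED means the issuer changed and only the issuing CA's certificate (not the server's own) belongs in the .jks via the keytool -import line above. The .p12 holds your own key pair and is unaffected by anything on their side.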
Download the file from the link below: ImportKey.java
Run the following commands:
javac ImportKey.java
java ImportKey key.der cert.der
- arg1 is your key and arg2 is the certificate.
The commands will put your key into a Java Key Store.