Keytool error: Failed to establish chain from reply - java

I'm getting an error when importing the trial SSL certificate from the CA. Below are my steps for creating the keystore. Please correct me if I'm wrong. Thank you in advance!
1. First, I created a keystore to be put on the server.
keytool -keystore server_keystore.jks -genkey -alias server -keyalg rsa -keysize 2048
2. Created a CSR.
keytool -keystore server_keystore.jks -certreq -alias server -keyalg rsa -file server.csr
Sent the CSR to the CA (Thawte), and they replied with three trial certificates, namely CA root, CA intermediate and trial SSL. I saved each to a text file with the extension .cer (trial_ca_ssl.cer, trial_ca_root.cer, trial_ca_intermediate.cer).
3. Tried to import trial_ca_ssl.cer into server_keystore.jks, but I received an error.
keytool -import -keystore server_keystore.jks -file trial_ca_ssl.cer -alias server
Error:
keytool error: java.lang.Exception: Failed to establish chain from reply

You should put the text of your trial_ca_ssl.cer on top of your server.cer. This makes a hierarchy of two certificates, like this. Then you should import it.
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIIEvabM2CgLZcwDQYJKoZIhvcNAQEFBQAwMzETMBEGA1UE
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICxzCCAa+gAwIBAgIIBfqGjbQu14swDQYJKoZIhvcNAQEFBQAwMzETMBEGA1UE
AxMKV2FsdGVyIENBMTEPMA0GA1UEChMGV2FsdGVyMQswCQYDVQQGEwJTRTAeFw0w
MzA5MjkwOTMzMDFaFw0wNDAxMDcwOTQzMDFaMDQxETAPBgNVBAMTCER1ZGUgQ0Ex
MRIwEAYDVQQKEwlEdWRlIEluYy4xCzAJBgNVBAYTAlNFMIGdMA0GCSqGSIb3DQEB
AQUAA4GLADCBhwKBgQCM1hR/DYPXfKDa3oVJbppV4OcYtn2XP9W5Kc1d0+U4qLOm
JsqIFHDWR07o1QFiPhc9z0UGtwYeE3CpQ8fG8zeur5e286PYptZIST77B9vOdQdl
PA+dFKFIaEwdzcS7H3Lf38WTE4D1OnyRX5jsiUe+YIQRtjv/Bmem+kSR84G9TwIB
EaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQW
BBTDrXZGYXS9GyIUBOZrglhwNjjcnTAfBgNVHSMEGDAWgBTYRzrQMKPDDhP5yM84
PshcQmLPGDANBgkqhkiG9w0BAQUFAAOCAQEAdmTP1qVUcAKOf+/zvb2lcLKvFwKT
6KqDlO5NofjqCIfNgCjO2mO176cslnFIbEZQqgGIUnJ3AwfHKHj+U3kM3n5T29kF
xiLKxIDfjsY6qC03KHeGAgxI92XZyPsO1is6Y6qUnAmiwhIp5HS6E0+xIP1shmtJ
ZvqU8bueKUWSjx3JDzq+UNLX5pFkK0P0R90TCUEkBx1FNWqoWwb8zfAuO5zcNTEj
5E9esLjwxJQnIVPiA2l3FfZN9yomK+q7kTZJkX2kMx7G850lPR8CneXZT6bIOfck
Dw3PqQiroMNx2+gzC/f/wTXsF92aujyG+IZx1FIcNg/MoHXBWG7T8YrjnQ==
-----END CERTIFICATE-----
For details read the User Guide of EJBCA.

One possibility is that you use the default openssl tool on Mac, but copied \openssl\apps\ca-cert.srl from a newer openssl version.

Related

Import Certificate to Keystore

I have generated the keystore using this command :
keytool -genkeypair -alias test -keyalg RSA -keystore keystore.jks
Under this section I have provided the following response:
What is your first and last name?
[Unknown]: myservice.example.com
Now I have generated the certificate with Common Name: myservice.example.com.
How should I import this certificate into my keystore so my client can connect to my service on a specific port and the browser doesn't display the invalid certificate error?

How to import .cer public key into java trust store?

Here is the command that I am using to import the public key into my trust store.
$ keytool -import -trustcacerts -file dev.cer -alias my_alias -keystore truststore.jks -storepass mypass -v
The output that I get is:
keytool error: java.lang.Exception: Input not an X.509 certificate
java.lang.Exception: Input not an X.509 certificate
at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2652)
at sun.security.tools.keytool.Main.doCommands(Main.java:1006)
at sun.security.tools.keytool.Main.run(Main.java:340)
at sun.security.tools.keytool.Main.main(Main.java:333)
The content of the dev.cer file looks like:
-----BEGIN PUBLIC KEY-----
... encoded text ...
-----END PUBLIC KEY-----
One more thing worth mentioning: this certificate was generated on a Windows machine and I want to import it in the Linux environment. Maybe it has something to do with the special characters.
Any help will be greatly appreciated.
The keytool error: java.lang.Exception: Input not an X.509 certificate is caused by the fact that, instead of a certificate, there was an attempt to import a public key (even though the file extension is .cer, the header -----BEGIN PUBLIC KEY----- and the footer -----END PUBLIC KEY----- indicate that the file doesn't contain a valid certificate, but only the public key). The terms public certificate and public key are sometimes mistakenly used interchangeably.

how to import certificate from the server and generate jks for it?

Some outer service which I use changed from http to https, and now I can't receive responses to my requests from it. So I want to configure SSLSettings for my http requests. As I understand it, I should "convert" the public certificate from the outer service (site) to a jks file, to use in SSLSettings.
When I request to outer service, I receive an exception:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
I'm a novice in SSL.
With command:
openssl s_client -connect some.host:443 | openssl x509 -pubkey -noout
I receive the answer:
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
-----BEGIN PUBLIC KEY-----
//.....
-----END PUBLIC KEY-----
I don't really understand in what format I receive this public key, and what should I do next to create the jks file?
And I don't really understand, am I going in the right direction?
With keytool you can generate your keystore (.jks file). You should use a command like:
keytool -keystore clientkeystore -genkey -alias client
For more detailed instructions check this URL:
https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html
Not sure if I am getting your question right, but to generate a keystore you can use the command below:
keytool -genkeypair -keysize 2048 -keyalg RSA -alias testalias -keystore /test.keystore -ext SAN=dns:localhost,ip:xxx.xxx.xxx.xxx
and later extract the public key from it

Can't connect from JAVA to Mongo SSL Replica Set

I'm trying to set up the latest version of MongoDB with SSL encryption. I was able to connect from the mongo shell, but I'm getting an error when I connect from a Java client.
Works
mongo admin --host mongo1.xxxx.com --ssl --sslPEMKeyFile mongoClient.pem --sslCAFile mongoCA.crt
Doesn't work
import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;

public class MongoSslTest {
    public static void main(String[] args) {
        // JSSE system properties: the same file is used as both trust store and key store
        System.setProperty("javax.net.ssl.trustStore", "/home/gasparms/truststore.ts");
        System.setProperty("javax.net.ssl.trustStorePassword", "mypasswd");
        System.setProperty("javax.net.ssl.keyStore", "/home/gasparms/truststore.ts");
        System.setProperty("javax.net.ssl.keyStorePassword", "mypasswd");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Enable TLS in the driver; key and trust material come from the properties above
        MongoClientOptions options = MongoClientOptions.builder().sslEnabled(true).build();
        MongoClient mongoClient = new MongoClient("mongo1.xxxx.com", options);
        System.out.println(mongoClient.getDatabaseNames());
    }
}
I get this error on the Mongo side:
2015-06-09T15:08:14.431Z I NETWORK [initandlisten] connection accepted from 192.168.33.1:38944 #585 (3 connections now open)
2015-06-09T15:08:14.445Z E NETWORK [conn585] no SSL certificate provided by peer; connection rejected
2015-06-09T15:08:14.445Z I NETWORK [conn585] end connection 192.168.33.1:38944 (2 connections now open)
2015-06-09T15:08:14.828Z I NETWORK [conn580] end connection 192.168.33.13:39240 (1 connection now open)
and in the Java client program:
INFORMACIÓN: Exception in monitor thread while connecting to server mongo1.xxxx.com:27017
com.mongodb.MongoSocketReadException: Prematurely reached end of stream
at com.mongodb.connection.SocketStream.read(SocketStream.java:88)
at com.mongodb.connection.InternalStreamConnection.receiveResponseBuffers(InternalStreamConnection.java:491)
at com.mongodb.connection.InternalStreamConnection.receiveMessage(InternalStreamConnection.java:221)
at com.mongodb.connection.CommandHelper.receiveReply(CommandHelper.java:134)
at com.mongodb.connection.CommandHelper.receiveCommandResult(CommandHelper.java:121)
at com.mongodb.connection.CommandHelper.executeCommand(CommandHelper.java:32)
at com.mongodb.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:83)
at com.mongodb.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:43)
at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:115)
at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:127)
at java.lang.Thread.run(Thread.java:745)
Creation of Certificates
I have mongoCA.crt and mongoClient.pem, which work with the mongo shell. Then I want to import the .pem and .crt into a Java keystore:
openssl x509 -outform der -in certificate.pem -out certificate.der
keytool -import -alias MongoDB-Client -file certificate.der -keystore truststore.ts -noprompt -storepass "mypasswd"
keytool -import -alias "MongoDB-CA" -file mongoCA.crt -keystore truststore.ts -noprompt -storepass "mypasswd"
What am I doing wrong?
I had the same problem, and for me it turned out to be a problem with the way I created the keystore. I notice that you are using the same file, truststore.ts, for both the truststore and keystore. This can work, but I would suggest using separate files to avoid confusion.
I had already created .pem files for the root CA and for the mongo user, and was able to successfully use them to connect with the mongo shell. From those I created truststore.jks and keystore.jks.
First, to create truststore.jks I ran:
keytool -import -alias root -storepass mypass -keystore truststore.jks -file rootca.pem -noprompt
For keystore.jks you need both the public and private keys, so first convert the PEM file to PKCS12 format, and then import it into a JKS:
openssl pkcs12 -export -out myuser.pkcs12 -in myuser.pem -password pass:mypass
keytool -importkeystore -srckeystore myuser.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS -deststorepass mypass -srcstorepass mypass

Self Signed Certificate - Can't access relative links from client

I'm running jetty on linux, and using ssl. I have a self signed certificate, and everything works fine in the browser; I just need to tell the browser to trust the certificate since it's from an untrusted source. But if I try to access a link (like an image; https://www.xxxx.com/pictures/picture.jpg) from my web application, it gives me an error:
07/16 08:14:28.708 WARN [log] () EXCEPTION
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:631)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
I think I need to get the client to trust the self signed certificate. I've tried this:
Using keytool, create a certificate for the broker:
keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
Export the broker's certificate so it can be shared with clients:
keytool -export -alias broker -keystore broker.ks -file broker_cert
Create a certificate/keystore for the client:
keytool -genkey -alias client -keyalg RSA -keystore client.ks
Create a truststore for the client, and import the broker's certificate:
keytool -import -alias broker -keystore client.ts -file broker_cert
And I include these when I start Jetty:
javax.net.ssl.keyStore=/path/to/client.ks
javax.net.ssl.keyStorePassword=password
javax.net.ssl.trustStore=/path/to/client.ts
I made sure, through the browser, that Jetty uses the certificate I generated. What am I missing?
Purchased a certificate for the server, that solved the problem.
