I would like to generate a certificate, public key, private key and all other things needed in order to connect Windows Azure via java code. I prefer using only keytool.
How do I do that?
The java code requires a JKS file with private key in it.
Thx!
Keytool can help you up to certain extent however combination of Keytool and OpenSSL will give you everything you need to have your Java based application connect to Windows Azure (both management portal as well as SSL enabled Web Application.
Please follow the documentation as Migrating Keys from 'keytool' to 'OpenSSL'
Using "keytool" to generate a private and public key pair.
Using "keytool" to export the self-signed certificate from PrivateKeyEntry.
Using "keytool" to display details of a certificate.
Using "OpenSSL" to view certificate exported by "keytool".
Writing "DumpKey.java" to dump key pair out of "keytool" keystore files.
Using "OpenSSL" to convert dumped key pair from binary to Base64 encoding.
Using "OpenSSL" to view key pair dumped and converted from "keytool" keystore files.
Related
Is there a way to establish my public key generated using java.security.KeyPairGenerator to the ssh server that i want to access key based? That is java equivalent of ssh-copy-id?
You can use Portecle it is an open source software that will enable you to create a key-store and generate Key Pair. All that is done by GUI no need to write any code or command.
Portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more.
you can downloaded from this website: Portecle
In Eclipse EE 3.7, I've installed the JavaFX SDK and created a JavaFX Project. When I open the build.fxbuild file and select the Build Properties tab, there's a section titled Signing Properties. And it asks for the following information,
Keystore
Store-Password
Alias
Key-Password
For the Keystore field, it provides options for browsing the filesystem and workspace, but I don't know where to locate the keystore. Can anybody help me figure out how to do information signing via an Fx Build Configuration file?
For many applications (for example a standalone application), code signing is simply not required - it can introduce complications and can degrade performance and user experience. Code signing is only required for WebStart and Browser Embedded applications which require resources outside of the Java sandbox. If you are certain you actually need to sign your application, then continue reading.
Here are the steps to create your own keystore for signing using the java keytool. For test purposes you can generate your own self signed certificates. For a real application deployed to the general public which minimizes security warnings, it is best to purchase a code signing certificate.
An example commmand line for creating a keystore to be used for code signing is:
keytool -genkey -alias signFiles -keystore examplestore
You will be prompted to enter passwords for the key and keystore.
The JavaFX deployment packaging documentation has information on how to sign applications via the standard JavaFX SDK. You could just follow that description and sign your jars using, for instance, the JavaFX ant tasks.
However, it would seem that Eclipse has some inbuilt functionality for doing the signing. If you want to take advantage of that, follow the instructions above to create your keystore. After you have an appropriate keystore, enter the values used in creating the keystore into the appropriate fields for the Eclipse IDE to perform the signing.
Matching the fields up with the example command line for keystore generation I provided earlier.
Keystore - file location of the keystore containing your signing key: examplestore
Store-Password - password you assigned to access the keystore
Alias - friendly name to refer to the key: signFiles
Key-Password - password you assigned to access the key in the keystore
Although there is a default keystore provided in the Java JDK installation directory, this is not usually the same keystore which would be associated with your own signing keys and certificate. The keystore provided with the JDK is primarily used to store certificates for certificate authorities used in validating SSL connections. As the java keystores produced by a given jdk vendor follow one generic format, you could also use it for storing signing keys and certificates. However, I would not advise this and would instead advise creating and using your own keystore. Generally you want to keep the keystore containing your code signing keys separate from other information, backed up and very secure.
Suppose I have an application which in some way retrieves a client certificate (private/public key pair) at runtime via a secure channel (so I don't have this client certificate at build time).
How can I use this client certificate for client authentication without using keytool and not using some on persistent/ondisk keystore. So I do not want (actually I can't) to import it using a command line keytool?
Actually I want to replicate the functionality done in libcurl. You just set the client certificate (with private key) and your done. It doesn't involve a keystore.
All this has to be done in Java/Android.
You can do it in Java by defining your own KeyManager as described in the JSSE Reference Guide. I can't speak for Android.
I just got this working and I dont think you'll be very happy with my answer but it does work :)
So the hard part is to get the pkcs12 certificate you need to perform client authentication, if your certificate is already in pkcs12 then you've got all the hard stuff out of the way and you can refer to the second answer on SSL client authentication in Android to see how to use that certificate.
if you just have a public private key pair and not a pkcs12 certificate then you will need to make one. As far as I could tell there is no way in java/android to create this certificate so you need to use the android NDK and openssl.
if you download the openssl-android project from https://github.com/guardianproject/openssl-android you can use it to build openssl. By default it compiles as a .so shared object but only some of the android devices I tried to run this code on were able to link against libcrypto, so, although im sure there is a better way I went into the Android.mk files and replaced include $(BUILD_SHARED_LIBRARY) with include $(BUILD_STATIC_LIBRARY) in a few places so that I could compile a .a static library.
I then used the info from Android NDK: Link using a pre-compiled static library to link the libcrypto.a I compiled to my native code.
This native code uses openssl to first create an X509 certificate and then uses it to create a PKCS12 file which can be used in the manner I mentioned before located at SSL client authentication in Android
first you need to get your public and private keys into native land as EVP_PKEY pointers which can happen in a variety of ways based on what format your keys are in then you can use the following code to create an X509 certificate
X509 *public_key_cert = X509_new();
X509_gmtime_adj(X509_get_notBefore(public_key_cert),0);
X509_gmtime_adj(X509_get_notAfter(public_key_cert), (long) 60*60*24*365);
X509_set_pubkey(public_key_cert,evp_pub_key);
This creates the most minimally valid X509 certificate which is valid for 1 year. You may want to do other stuff like sign the certificate if you are going to run your own certificate authority, or set any of a large set of headers which contain various bits of information.
next you need to create the pkcs12 certificate using the X509 cert like this:
PKCS12 *pkcs12 = PKCS12_create(password, "Some Sort of Friendly Name", evp_priv_key, public_key_cert, NULL, 0, 0, 0, 0, 0);
password is a char* containing the password which will be used to encrypt the private key using triple-DES
Now that you have a pkcs12 certificate you can go over to SSL client authentication in Android and get client authentication going.
Good Luck!
I will need to export a certificate in windows store to a p12 file. Similar to what you can do from firefox/IE browser but in JAVA. The only way I am able to do it currently is doing a C# with double Cpp wrappers or MCPP with wrapper using JNI which is not really useful. I have tried using SUNMSCAPI but I was not able to.. Any inputs appreciated.. Thank you..
If the above is certainly not possible, can a keystore be created with these certs?
You can use the Java standard keystore API, with Bouncy Castle. You can load the keystore called Windows-MY, that contains all the certificates stored in the Windows keystore.
KeyStore.getInstance("Windows-MY");
The reference to the Windows keystore provides method to extract certificates, via the KeyStore.getCertificate(String alias) method.
Once you retrieved the certificate, export it to a PKCS12 file.
I have a problem with a keystore in pkcs12 format, which contains a private key I need to use to authenticate myself (using mutual authentication) to a remote SSL server. The keystore file can be read perfectly fine by Firefox, and when used, I can access the remote server without problems.
However, my Java program does not work with the keystore file. And if I use keytool to list keys inside the file, it seems empty -- while it is clearly not!
How can I get Java/keytool to see the private key inside the keystore?
Java can only understand JKS format which stands for Java KeyStore.
Here is a good article to generate the .jks from pkcs12
http://blog.asyd.net/2009/07/how-to-convert-a-pkcs12-to-jks/