I was using the KeyStore Explorer tool to create a server crt and a private key file from my PKCS12 keystore file. The tool is great.
Is there any corresponding keytool commandline equivalent?
NO. keytool has no operations either to write out a privatekey alone from a keystore or read in a privatekey alone to a keystore. This is why we get hundreds of questions about the latter, mostly on other Stacks where they are on-topic. For the most recent one I answered, see How to resolve : jno_key_entry
For a PKCS12 keystore, openssl pkcs12 -in file -nocerts will extract the privatekey, or privatekeys, in PEM format. By default it/they is/are encrypted and you must give a (new) password, but you can use -nodes to get it/them unencrypted. If there is more than one privatekey in the keystore, you may need to edit the output to select the desired one (or ones).
For another type of keystore, use keytool -importkeystore to convert to PKCS12, then continue as above. If a keystore (of any type) has multiple entries, you can use keytool -importkeystore with -alias to select only the desired entry, and thus not need the editing step above.
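The extraction described in this answer, as an added example that is not part of the original post: it builds a throwaway PKCS12 keystore, pulls out the key and the certificate with openssl pkcs12, and checks that the two belong together. The file names, the alias demo and the password changeit are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: every file is a throwaway created in a temp directory.
set -eu
PASS=changeit   # constructed demo password; real ones do not belong on argv

# Build a one-entry PKCS12 keystore to stand in for the real one.
make_demo_p12() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -name demo -passout "pass:$PASS" -out "$1/store.p12"
}

# -nocerts writes only the private key, -nokeys only the certificate.
extract_key_and_cert() {  # $1 = work dir
    # -nodes leaves the key unencrypted, so create the file owner-only.
    ( umask 077
      openssl pkcs12 -in "$1/store.p12" -passin "pass:$PASS" \
          -nocerts -nodes -out "$1/server.key" 2>/dev/null )
    openssl pkcs12 -in "$1/store.p12" -passin "pass:$PASS" \
        -nokeys -clcerts -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if the key file and the certificate carry the same public key.
key_matches_cert() {  # $1 = key PEM, $2 = certificate PEM
    k=$(openssl pkey -in "$1" -pubout)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
    d=$(mktemp -d)
    make_demo_p12 "$d"
    extract_key_and_cert "$d"
    if key_matches_cert "$d/server.key" "$d/server.crt"; then r=match; else r=mismatch; fi
    rm -rf "$d"
    echo "$r"
}
demo
```

The same public-key comparison is a quick check that a key picked out of multi-entry output is the one that belongs to the certificate you intend to deploy.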
I am trying to include the login with Facebook feature in a Flutter application. Going through the steps, I generated the key hash for debug mode. However, I'm not able to figure out what to replace the above two values with in keytool -exportcert -alias YOUR_RELEASE_KEY_ALIAS -keystore YOUR_RELEASE_KEY_PATH | openssl sha1 -binary | openssl base64 for generating the release key hash. What should I do?
You may find this info in the file: android/key.properties
Release key alias is any alias you want, remember that as you'll need them for updates. Path is the path where you want the key to be generated.
I am getting this error when trying to log in with Facebook.
The key hash does not match any stored key hashes.
I faced a similar error before, but usually when this error appears, Facebook itself shows the key hash, and what I do is just copy the key hash and register it in my Facebook app. But the situation now is different, because when I get the error above I do not receive any key hash, so I have no idea how to re-generate the key hash.
What I know is, you cannot use the command to re-generate another key hash for the second time like in the following code below.
keytool -exportcert -alias YOUR_RELEASE_KEY_ALIAS -keystore YOUR_RELEASE_KEY_PATH | openssl sha1 -binary | openssl base64
For additional information, in case this is related: the app was previously developed and the first key hash was generated from another device. I copied the project and use another laptop to do the debugging. Just a guess, maybe this is one of the reasons why the Facebook app isn't showing the mismatched key hash?
You can still generate the key hash with the command
keytool -exportcert -alias androiddebugkey -keystore "your-release-key-path" | "your-openssl-path" sha1 -binary | "your-openssl-path" base64
You may want to check this post How to create Android Facebook Key Hash?
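An added example, not from the original posts, showing what the key hash depends on: it is the base64 SHA-1 of the signing certificate, so two keystores give two different hashes even when their subject names are identical. It uses openssl to create stand-in certificates instead of reading a real keystore with keytool; the file names and the registered-hash list are constructed.

```shell
#!/bin/sh
# Added example: certificates and the registered-hash list are constructed.
set -eu

# Self-signed certificate standing in for one machine's signing keystore entry.
make_signing_cert() {  # $1 = output certificate (PEM)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Android Debug/O=Android/C=US" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Same pipeline as on the page, fed with the DER certificate that
# keytool -exportcert would write: base64(SHA-1(certificate)).
key_hash() {  # $1 = certificate (PEM)
    openssl x509 -in "$1" -outform DER | openssl sha1 -binary | openssl base64
}

# Succeeds when the hash is one of the registered hashes (one per line).
is_registered() {  # $1 = key hash, $2 = file of registered hashes
    grep -Fxq -- "$1" "$2"
}

demo() {
    d=$(mktemp -d)
    make_signing_cert "$d/laptop_a.pem"   # keystore the app was first built with
    make_signing_cert "$d/laptop_b.pem"   # keystore generated on a second machine
    key_hash "$d/laptop_a.pem" > "$d/registered.txt"
    for c in laptop_a laptop_b; do
        h=$(key_hash "$d/$c.pem")
        if is_registered "$h" "$d/registered.txt"; then s=registered; else s=unknown; fi
        echo "$c $h $s"
    done
    rm -rf "$d"
}
demo
```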
I am a newbie to Java security and know pretty much nothing about it. I have an existing jar that was given to me a couple of years ago, which was digitally signed. However, that signature has now expired and I need to sign it again. The client has bought an X.509 certificate from Comodo and Comodo gave him the following 4 files.
1) AddTrustExternalCARoot.crt
2) COMODOCodeSigningCA2.crt
3) UTNAddTrustObject_CA.crt
4) "application_specific_key".crt
I would like to know what the next steps are in order to sign the jar file I have. I have tried doing the following things but I keep getting an error when I use jarsigner to sign the applet jar
1) keytool -import -alias AddTrustExternalCARoot -keystore altis.keystore -file AddTrustExternalCARoot.crt
2) keytool -import -alias COMODOCodeSigningCA2 -keystore altis.keystore -file COMODOCodeSigningCA2.crt
3) keytool -import -alias UTNAddTrustObject_CA -keystore altis.keystore -file UTNAddTrustObject_CA.crt
4) keytool -import -alias "application_specific_alias" -keystore altis.keystore -file "application_specific_alias".crt
5) jarsigner "application_jar_file" "application_specific_alias"
jarsigner: Certificate chain not found for: "application_specific_alias". "application_specific_alias" must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
What am I missing?
You need to have the certificate along with the private key in a PKCS12 format.
To get this file you need to follow the link that COMODO provided via e-mail using the SAME COMPUTER and the SAME BROWSER that you used to place the order in the first place.
The certificate will be installed using your browser and you'll be able to export it in the PKCS12 format.
To export the certificate COMODO provides the following guides:
Internet Explorer / Chrome browsers:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/71/0/how-do-i-backup-my-digital-id-certificate-windows-ie
After you have exported the certificate along with the private key in the PKCS12 format you should sign the Java applet using the following guide:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/531/0/signing-jar-files
If your .jar file already has a certificate, you can open it in a compression utility and remove the content from the META-INF folder. Then you can sign the applet.
I've built a dummy app and I'd like to test it on my iPhone. I know that I need to be enrolled in the Apple Developer Program and I’m in. I don’t have a Mac, so I had to rent one from macincloud[dot]com.
At this moment, I need to generate a signing certificate request, but I don’t have access to the Keychain Access utility. The guys from macincloud offer access to the terminal, but not to the Keychain utility. I know that I need to use the security tool from the command line, but that’s all.
After 6 hours on two different days, I didn’t find any tutorial/description about how to use the security tool in order to generate the signing certificate request.
Do you have any idea about what do I need to do in command line to generate a signing certificate request?
Run the following in the terminal:
openssl genrsa -out mykey.key 2048
Save this private key file as you will use it later.
Run the following command, replacing the e-mail address, CN (certificate name), and C (country) values with your own:
openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress@example.com/CN=John Doe/C=US"
Now in iOS Dev Portal, just use the generated CertificateSigningRequest.certSigningRequest
If you are doing this for Apple Push / APNS, you will also want to know about these 2 additional commands to generate the needed .p12 file:
openssl x509 -in XXXXX.cer -inform DER -out XXXXX.pem -outform PEM
openssl pkcs12 -export -inkey XXXXX.key -in XXXXX.pem -out XXXXX.p12
where XXXXX is your "mykey" value and the XXXXX.cer file is what you download from the Apple portal.
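An added example, not part of the original answer, that generates a key and a request the same way and then checks what the CSR contains: openssl splits -subj on '/', so a comma-separated string ends up as a single emailAddress attribute. The subject values and the file names other than mykey.key are constructed.

```shell
#!/bin/sh
# Added example: keys and requests are throwaways created in a temp directory.
set -eu

# Create a 2048-bit RSA key (owner-readable only) and a CSR signed with it.
make_csr() {  # $1 = key path, $2 = CSR path, $3 = -subj string
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Count the subject attributes the CSR really contains (one per indented line).
subject_attr_count() {  # $1 = CSR path
    openssl req -in "$1" -noout -subject -nameopt multiline | grep -c '^ '
}

# Succeeds when the CSR's self-signature verifies against its own public key.
csr_is_valid() {  # $1 = CSR path
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    # '/' separates attributes: three attributes are expected here.
    make_csr "$d/mykey.key" "$d/slash.csr" \
        "/emailAddress=jdoe@example.com/CN=John Doe/C=US"
    # Commas do not separate: everything after '=' becomes the e-mail value.
    make_csr "$d/other.key" "$d/comma.csr" \
        "/emailAddress=jdoe@example.com, CN=John Doe, C=US"
    csr_is_valid "$d/slash.csr"
    echo "slash=$(subject_attr_count "$d/slash.csr")" \
         "comma=$(subject_attr_count "$d/comma.csr")"
    rm -rf "$d"
}
demo
```

Checking the request with -nameopt multiline before uploading it shows each attribute on its own line, which the default one-line -subject output does not make obvious.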
I've seen a couple questions about how to convert a PFX to a cert file, but I need to go the other way.
I have two files:
bob_cert.cert
bob_key.pem
I'd like to convert them to a single .pfx file. Is there a tool that does this?
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
I created .pfx file from .key and .pem files.
Like this: openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out rootCA.pfx
That's not the direct answer but still maybe it helps out someone else.
Here is how to do this on Windows without third-party tools:
Import certificate to the certificate store. In Windows Explorer select "Install Certificate" in context menu.
Follow the wizard and accept default options "Local User" and "Automatically".
Find your certificate in certificate store. On Windows 10 run the "Manage User Certificates" MMC. On Windows 2013 the MMC is called "Certificates". On Windows 10 by default your certificate should be under "Personal"->"Certificates" node.
Export Certificate. In context menu select "Export..." menu:
Select "Yes, export the private key":
You will see that .PFX option is enabled in this case:
Specify password for private key.
If you have a self-signed certificate generated by makecert.exe on a Windows machine, you will get two files: cert.pvk and cert.cer. These can be converted to a pfx using pvk2pfx
pvk2pfx is found in the same location as makecert (e.g. C:\Program Files (x86)\Windows Kits\10\bin\x86 or similar)
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx