I am trying to enable SSL in my application for which i have to update the PFX cert in CACERTS. Below are the steps I did but I am getting below error
when trying to import the PFX in CACERTS.
"keytool error: java.lang.Exception: Input not an X.509 certificate"
Create a jks file and generate a CSR from that JKS
keytool -genkeypair -alias abc03.dc.abc.com -keyalg RSA -keystore /opt/logo/certificates/abc03.dc.abc.com.jks -keysize 2048 -dname "CN=abc03.dc.abc.com,O=DT,L=xxx,ST=xxx,C=xxx" -ext san=dns:abc03.dc.abc.com
keytool -certreq -alias abc03.dc.abc.com -keystore /opt/logo/certificates/abc03.dc.abc.com.jks -file /opt/logo/certificates/abc03.dc.abc.com.csr -ext san=dns:abc03.dc.abc.com -ext EKU=serverAuth,clientAuth
Get it signed by CA
Import the root , Intermediate & server cert into the jks that i created
keytool -import -keystore abc03.dc.abc.com.jks -alias root -file root.cer
keytool -import -keystore abc03.dc.abc.com.jks -alias intermediate -file intermediate.cer
keytool -import -keystore abc03.dc.abc.com.jks -alias mykey -file abc03.dc.abc.com.cer
convert the JKS to PKCS12
keytool -importkeystore -srckeystore abc03.dc.abc.com.jks -destkeystore abc03.dc.abc.com.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass password
Importing the PKCS12 into CACERTS (this is where i get the error)
keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore cacerts -srckeystore abc03.dc.abc.com.p12 -srcstoretype PKCS12
keytool -importkeystore -deststorepass MY-KEYSTORE-PASS -destkeystore cacerts -srckeystore abc03.dc.abc.com.p12 -srcstoretype PKCS12
Can you advise me on how to fix this or is there another way of doing it. Thanks for your help :)
There are two tools that might help:
http://portecle.sourceforge.net/
https://keystore-explorer.org/index.html
Related
I am adding a cert to the Java keystore and I get the following warning. The command is successful.
keytool -import -trustcacerts -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias my_root_ca.pem -file /usr/share/ca-certificates/foo/my_root_ca.pem
The warning is:
Warning: use -cacerts option to access cacerts keystore
How do I get rid of this warning?
Thanks
It's quite easy. If you check keytool manual you can see the following:
$ keytool -importcert -help
keytool -importcert [OPTION]...
Imports a certificate or a certificate chain
Options:
... removed for clearity
-cacerts access the cacerts keystore
To get rid of that warning you must use -cacerts option instead of calling cacert keystore:
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias my_root_ca.pem -file /usr/share/ca-certificates/foo/my_root_ca.pem
Basic use of a key tool to generate a keypair, CSR, and sign with root ca and import certificate reply
#"Generate key pair"
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore mykeystore.jks -keypass jks123 -storepass jks123 -storetype JKS
#"Generate cert request(CSR)"
keytool -certreq -alias mykey -file my.csr -storetype JKS -keystore mykeystore.jks -keypass jks123 -storepass jks123
#"Create root ca key and ca cert using openssl"
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -out cacert.crt -outform PEM -keyout cakey.pem
#"Import ca cert to keystore as trust CRT"
keytool -importcert -alias root-ca -file cacert.crt -keystore mykeystore.jks -storepass jks123 -storetype JKS
#"Sign the CSR using self signed root CA created in step 3"
openssl x509 -req -days 365 -in my.csr -CA cacert.crt -CAkey cakey.pem -set_serial 300661 -out my.crt
#Import the signed certifcate to key store"
keytool -v -importcert -alias mykey -file my.crt -trustcacerts -storetype JKS -keystore mykeystore.jks -keypass jks123 -storepass jks123
#list key store
keytool -v -list -storetype JKS -keystore mykeystore.jks -keypass jks123 -storepass jks123
I am trying to generate a keystore. I have set a password for the keystore but I am trying to not set a password for the key.
keytool -storepass "$password" -keystore ${PFX_broker}server.keystore.jks -alias $brokerCertAlias -validity $validity -genkey -dname "CN=$CN" -noprompt;
The above command will prompt me for a key password which defaults to the store pass when I press enter.
Is it possible to skip setting a password for the key altogether and not have a prompt?
There are parameters to specify key and store passwords
-keypass <your-pass> and -storepass <your-pass>
E.g.
keytool -storepass pass123 -keypass pass123 -keystore keystore.jks -alias myalias -validity 99 -genkey -noprompt
keytool reference
I know this is an old question but I'm facing the same issue and adding -keypass password and because I have a store source too, I'm adding -srcstorepass password for me works. Try this:
keytool -storepass "$password" -keystore ${PFX_broker}server.keystore.jks -alias $brokerCertAlias -validity $validity -genkey -dname "CN=$CN" -noprompt -keypass "$password" -srcstorepass "$password"
But might be different in your case.
It seems keytool always requires a password for both the store and the key. There is no way around it.
I have the following steps:
1) Open Terminal and cd to where your .keystore is located
2) keytool -storepasswd -new NEWPASSWORD -keystore YOURKEYSTORE.keystore
3) enter your current password
My question is instead of doing step 3, how can I do it with a keytool command?
Thanks.
You could do with -storepass
keytool -storepasswd -new {NEW_PASSWORD} -keystore {KEYSTORE.keystore} -storepass {OLD_PASSWORD}
Close but not quite, eventually I figured out that the password should be changed in two locations, keypasswd & storepasswd:
1) keytool -storepass XXX -keypasswd -keypass XXXXX -new XXXX -keystore "c:\temp\XXXX.keystore" -alias XXX
2) keytool -storepass XXX -storepasswd -new XXXX -keystore "c:\temp\XXX.keystore" -alias XXX
I am trying to generate a certificate for CA2 such that:
There is a root CA called CA0.
There is an intermediate CA called CA1.
There is another intermediate CA called CA2.
CA0 signs the certificate of CA1.
CA1 signs the certificate of CA2.
I generate CA2 using various methods using keytool.
Method 1: CA0 signs CA1 and writes to file; CA1 signs CA2 and writes to file; CA0 is exported from keystore to file
# Start afresh
rm -f foo.jks
rm -f *.cer
# Generate self-signed CA0 (root), CA1 (intermediate) and CA2 (another intermediate).
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca0 -keypass kpass0 -dname CN=CA0 -ext bc=ca:true
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 -dname CN=CA1
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca2 -keypass kpass2 -dname CN=CA2
# CA0 signs CA1.
keytool -certreq -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 |
keytool -gencert -keystore foo.jks -storepass stpass -alias ca0 -keypass kpass0 -ext bc=ca:true -outfile ca1.cer
# CA1 signs CA2.
keytool -certreq -keystore foo.jks -storepass stpass -alias ca2 -keypass kpass2 |
keytool -gencert -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 -ext bc=ca:true -outfile ca2.cer
# Export CA0
keytool -export -keystore foo.jks -storepass stpass -alias ca0 -file ca0.cer
When I open Firefox and go to Preferences > Advanced > View Certificates > Authorities, click Import and import ca0.cer, ca1.cer and ca2.cer one by one, they get imported fine. Then if I select CA2 and click View > Details, I can see the complete certificate chain in the Certificate Hierarchy pane. All this is good.
Method 2: CA0 signs CA1 and imports it to keystore; CA1 signs CA2 and imports it to keystore; CA0, CA1 and CA2 are exported from keystore to files
# Start afresh
rm -f foo.jks
rm -f *.cer
# Generate self-signed CA0 (root), CA1 (intermediate) and CA2 (another intermediate).
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca0 -keypass kpass0 -dname CN=CA0 -ext bc=ca:true
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 -dname CN=CA1
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca2 -keypass kpass2 -dname CN=CA2
# CA0 signs CA1.
keytool -certreq -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 |
keytool -gencert -keystore foo.jks -storepass stpass -alias ca0 -keypass kpass0 -ext bc=ca:true |
keytool -importcert -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1
# CA1 signs CA2.
keytool -certreq -keystore foo.jks -storepass stpass -alias ca2 -keypass kpass2 |
keytool -gencert -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 -ext bc=ca:true |
keytool -importcert -keystore foo.jks -storepass stpass -alias ca2 -keypass kpass2
# Export CA0, CA1 and CA2
keytool -export -keystore foo.jks -storepass stpass -alias ca0 -file ca0.cer
keytool -export -keystore foo.jks -storepass stpass -alias ca1 -file ca1.cer
keytool -export -keystore foo.jks -storepass stpass -alias ca1 -file ca2.cer
Again, I can import ca0.cer, ca1.cer and ca2.cer to Authorities in Firefox.
Method 3: CA0 signs CA1 and imports it to keystore; CA1 signs and CA2 and exports to file; CA0 and CA1 are exported from keystore to files
# Start afresh
rm -f foo.jks
rm -f *.cer
# Generate self-signed CA0 (root), CA1 (intermediate) and CA2 (another intermediate).
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca0 -keypass kpass0 -dname CN=CA0 -ext bc=ca:true
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 -dname CN=CA1
keytool -genkeypair -keystore foo.jks -storepass stpass -alias ca2 -keypass kpass2 -dname CN=CA2
# CA0 signs CA1.
keytool -certreq -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 |
keytool -gencert -keystore foo.jks -storepass stpass -alias ca0 -keypass kpass0 -ext bc=ca:true |
keytool -importcert -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1
# CA1 signs CA2.
keytool -certreq -keystore foo.jks -storepass stpass -alias ca2 -keypass kpass2 |
keytool -gencert -keystore foo.jks -storepass stpass -alias ca1 -keypass kpass1 -ext bc=ca:true -outfile ca2.cer
# Export CA0 and CA1
keytool -export -keystore foo.jks -storepass stpass -alias ca0 -file ca0.cer
keytool -export -keystore foo.jks -storepass stpass -alias ca1 -file ca1.cer
This time I can import ca0.cer and ca1.cer into Authorities of Firefox but I cannot import ca2.cer. When I select ca2.cer in the 'Select File Containing CA certificate(s) to import' dialog box and click Open, nothing happens at all. The dialog box disappears and the certificate does not appear in the Authorities pane.
keytool -export writes only the first certificate in the chain to -outfile, see keytool manual:
If alias refers to a trusted certificate, that certificate is output. Otherwise, alias refers to a key entry with an associated certificate chain. In that case, the first certificate in the chain is returned.
Whereas keytool -gencert writes the whole chain to -outfile. You can see that when you add -rfc (output in PEM format) to the command:
-----BEGIN CERTIFICATE-----
MIICqDCCAmagAwIBAgIEHhRohzALBgcqhkjOOAQDBQAwDjEMMAoGA1UEAxMDQ0ExMB4XDTE2MDYw
...
hkjOOAQDBQADLwAwLAIUfkhluVSKCpemYFYfKf2KfT7UQaACFFA8SLiKbfOo6xh5e01S1YXJhM/P
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICqDCCAmagAwIBAgIEZgEJrjALBgcqhkjOOAQDBQAwDjEMMAoGA1UEAxMDQ0EwMB4XDTE2MDYw
...
hkjOOAQDBQADLwAwLAIUd2DS+rPrJqlGwziqenDdVaYQWaoCFHleJS/5XfDk+GaEMSUw53gQ0vd7
-----END CERTIFICATE-----
So, ca2.cer contains two certificates (CA1 and CA2) in DER format, simply concatenated. No surprise that Firefox cannot process this.
I don't think there is any standard that allows concatenated DER certificates. PKCS#7 would be the usual binary format for certificate chains. Concatenated PEM files are pretty common too, but not DER.
The keytool documentation says nothing about writing out the chain to the file. In fact, it says "the X.509 certificate":
The command reads the request from infile (if omitted, from the standard input), signs it using alias's private key, and outputs the X.509 certificate into outfile (if omitted, to the standard output).
Taking a look at the sources of keytool, it writes the generated certificate to the file and the chain - excluding the root:
dumpCert(cert, out);
for (Certificate ca: keyStore.getCertificateChain(alias)) {
if (ca instanceof X509Certificate) {
X509Certificate xca = (X509Certificate)ca;
if (!isSelfSigned(xca)) {
dumpCert(xca, out);
}
}
}
The root certificate is not included because the processing side would verify the chain up to a trust anchor (the root CA) anyway (same concept as SSL chain verification).