Received a keystore file fac_sign.p12 to get the production access with keystore password but when I view the details of the certificate there no alias name to get the certificate. Below is the result(copied just top lines) when I run the command
keytool -list -v -keystore usr/local/HIService/Keys/fac_sign.p12
-storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name:
Creation date: Jan 15, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Specialist :7786786786, OU=Specialist, O=Specialist, L=MT HELEN, ST=VIC, C=AU
Issuer: CN=Medicare Australia Organisation Certification Authority, OU=Medicare Australia, O=GOV, C=AU
Serial number: 4abcd
Valid from: Wed Feb 19 12:40:07 EST 2014 until: Tue Feb 19 12:39:59 EST 2019
Certificate fingerprints:
MD5: 4C:B2:A4:6C:5D:B7:71:7A:35:4A:39:33:D7:87:64:93
SHA1: C7:46:01:A3:B9:A6:E4:D3:7E:5D:98:9D:D3:22:B9:7A:B6:D1:79:66
In java code below line of code is returning NULL because keystoreAlias=""
(KeyStore.PrivateKeyEntry) keystore.getEntry(keystoreAlias,new KeyStore.PasswordProtection(keystorePassword.toCharArray()));
Please suggest.
I had the same problem because OpenJDK 8/9 has a bug which prevents loading keys with empty aliases. But it's easy to change the alias using keytool.
keytool -changealias -alias "" -destalias "new-alias" -keystore ./keystore.p12
Open with "keystore explorer" (http://keystore-explorer.org/downloads.html), change alias field and save.
Related
I am trying to get packages using Straight.el from my .emacs file. It uses gnu-tls.cli to fetch. Since, Emacs informed that connection failed, I ran the command from command prompt.
The following is error message I getting. Thanks in advance.
$ ./gnutls-cli --x509cafile nil -p 443 raw.githubusercontent.com
Resolving 'raw.githubusercontent.com'...
Connecting to '185.199.108.133:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=*.github.io', issuer `C=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1', RSA key 2048 bits, signed using RSA-SHA256, activated `2022-03-18 00:00:00 UTC', expires `2023-03-21 23:59:59 UTC', SHA-1 fingerprint `8f0e792471c5a7d2a7467630c13cb72a13b001b2'
Public Key ID:
340d31153bfb96af64ef26fcc00cc8da0d2071d8
Public key's random art:
+--[ RSA 2048]----+
| .o. +oo. |
| .oE + . |
| . . o + |
| . + o o |
| S o |
| o o = . |
| . . ..X |
| +o+. |
| .*= |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', SHA-1 fingerprint `1c58a3a8518e8759bf075b76b750d4f2df264fcd'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
Error setting the x509 trust file
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
We recently renewed our code signing certificate which I also use for signing PowerShell modules.
The original certificate was from VeriSign which was acquired by DigiCert and they are now the CA. This causes our PowerShell modules update to fail because the old modules and the new modules were signed by different root CAs:
PackageManagement\Install-Package : Authenticode issuer 'CN=XXX, O=XXX, L=XXX, C=XXX' of the new module 'MODULE' with version '1.0.x'
from root certificate authority 'CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US' is not matching with the authenticode issuer 'CN=XXX, O=XXX, L=XXX, C=XXX' of the previously-installed module 'MODULE' with version '1.0.y' from root certificate authority 'CN=VeriSign Class 3
Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'. If you still
want to install or update, use -SkipPublisherCheck parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\2.2.4\PSModule.psm1:9807 char:50
+ ... talledPackages = PackageManagement\Install-Package #PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : AuthenticodeIssuerMismatch,Validate-ModuleAuthenticodeSignature,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage
Anyone has any idea how this can be solved?
I am unable to see Glassfish's log in the eclipse console.
I have tried right-clicking on the GlassFish server in Servers -> Glassfish -> View log file but it shows me a file which ends with this:
2018-09-04T18:36:51.945+0100|Severe: The SSL certificate has expired: [
[
Version: V3
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 135786214035069526348186531221551781468391756233528066061569654028671100866720352830303278016129003918213826297308054231261658522889438712013757624116391437358730449661353175673177742307421061340003741057138887918110217006515773038453829253517076741780039735595086881329494037450587568122088113584549069375417
public exponent: 65537
Validity: [From: Sat Aug 22 17:41:51 BST 1998,
To: Wed Aug 22 17:41:51 BST 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 35def4cf]
Certificate Extensions: 7
[1]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0D 30 0B 1B 05 56 33 2E 30 63 03 02 06 C0 ..0...V3.0c....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US]
which does not change at all, whether I stop,restart,run a webapp on the GF server, etc, and if I actually look at the file (...\glassfish5\glassfish\domains\domain1\logs\server.log) I find that the content that it is showing is at around line 5400 and there are actually 8600 lines in the server.log file, so there are actually over 3000 lines in the server.log file than the last ones that are shown in eclipse. For example, the timestamp in the log extract is 18:36 but the current time is 21:21 and the current tail of hte file is this:
[2018-09-04T21:02:45.234+0100] [glassfish 5.0] [INFO] [AS-WEB-GLUE-00172] [javax.enterprise.web] [tid: _ThreadID=100 _ThreadName=Thread-23] [timeMillis: 1536091365234] [levelValue: 800] [[
Loading application [__admingui] at [/]]]
[2018-09-04T21:02:45.235+0100] [glassfish 5.0] [INFO] [NCLS-CORE-00022] [javax.enterprise.system.core] [tid: _ThreadID=100 _ThreadName=Thread-23] [timeMillis: 1536091365235] [levelValue: 800] [[
Loading application __admingui done in 2,175 ms]]
[2018-09-04T21:14:29.419+0100] [glassfish 5.0] [INFO] [] [] [tid: _ThreadID=30 _ThreadName=Thread-8] [timeMillis: 1536092069419] [levelValue: 800] [[
doGet - name=null]]
Furthermore, the server.log file, when I open it in Notepad++, maddeningly does not refresh when the file is modified. I have to reload it from disk to see changes in the file.
Consequently, the only way it seems that I can actually monitor this log file is by using a tail -f from cygwin.
Anyone have any ideas how to fix this, in particular how I can see glassfish's log output, including SOPs, in real time in eclipse? It works fine in Netbeans.
Thanks very much for any help.
EDIT
I have noticed that when I restart the server, in eclipse's console the server.log file is re-read, but always (it seems) only up to the same point: the bit where the severe warning about the SSL certificate expiry appears:
2018-09-04T23:27:33.879+0100|Info: visiting unvisited references
2018-09-04T23:27:34.425+0100|Severe: The SSL certificate has expired: [
[
Version: V3
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 135786214035069526348186531221551781468391756233528066061569654028671100866720352830303278016129003918213826297308054231261658522889438712013757624116391437358730449661353175673177742307421061340003741057138887918110217006515773038453829253517076741780039735595086881329494037450587568122088113584549069375417
public exponent: 65537
Validity: [From: Sat Aug 22 17:41:51 BST 1998,
To: Wed Aug 22 17:41:51 BST 2018]
Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
SerialNumber: [ 35def4cf]
Certificate Extensions: 7
[1]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0D 30 0B 1B 05 56 33 2E 30 63 03 02 06 C0 ..0...V3.0c....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O3
0010: 98 90 9F D4 ....
]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[CN=CRL1, OU=Equifax Secure Certificate Authority, O=Equifax, C=US]
Here, the server.log stops. No further content from the server.log file ever appears in eclipse's console.
What's strange, is that it - on a fresh glassfish install - initially isn't a problem and everything's logged as expected. But after a while, the log will become empty.
I finally found that removing the expired certificates from glassfish returns logging to normal.
What i did:
Figure out the aliases for the expired certificates. Run:
cd domains/<domain>/config
keytool -v -list -keystore cacerts.jks
For example you'll see that the equifax you've mentioned will resolve to the following alias: equifaxsecureca
Remove the certificate from your certs file: RUN:
keytool -delete -keystore cacerts.jks -alias equifaxsecureca -storePass changeit
For convenience, the below script is what i currently (28th july) use on glassfish & payara.
cd ${GLASSFISH_HOME}/glassfish/domains/domain1/config/ && \
for cert in "equifaxsecureca" "gtecybertrustglobalca" "utnuserfirstclientauthemailca" "deutschetelekomrootca2" "secomvalicertclass1ca" "valicertclass2ca" "entrustsslca" "certplusclass2primaryca" "certplusclass3pprimaryca" "utndatacorpsgcca" "utnuserfirstobjectca" "utnuserfirstobjectca [jdk]" "utnuserfirsthardwareca" "cert_45_deutsche_telekom_root_ca_245" "cert_29_certplus_class_2_primary_ca29" "cert_38_deutsche_telekom_root_ca_238" "utnuserfirsthardwareca [jdk]" "certplusclass3pprimaryca [jdk]" "certplusclass2primaryca [jdk]" "utnuserfirstclientauthemailca [jdk]"; \
do \
keytool -delete -keystore cacerts.jks -alias "$cert" -storePass changeit || echo "cert not present";\
done
keytool can be found in your jdk/bin folder.
The same applies to payara as well.
I signed my apk using the command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore
MyFocusKeystore.keystore
C:\Users\Public\Documents\Unity_Projects\Shapes\Focus.apk myfocus
and zipaligned it using the command:
zipalign -v 4 "C:\Program Files\Android\Android
Studio\jre\bin\Focus.apk" "C:\Program Files\Android\Android
Studio\jre\bin\Focus-zipaligned.apk"
I verified everything and uploaded it in Google Developer Console. But I got the below upload error:
RSA uses digest algorithm SHA-256 and signature algorithm RSA which is
not supported on API Level(s) 16-17 for which this APK is being
verified.
Could someone help me fix this problem? Thanks in advance!
Add the flag -sigalg SHA1withRSA to the command.
The default value of this flag is SHA256withRSA and SHA256 is not supported on SDK 16 and 17 apparently.
Note that if you switch to using apksigner (available in SDK Tools) to sign your app, you won't have to think about this since it will automatically select the best algorithms for your app based on the minSdkVersion. If you decide to switch (which I'd recommend you to), keep in mind that you'll need to sign after you zip-align.
I am running this command:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore
my-release-key.keystore android-release-unsigned.apk alias_name
but I get this error
how do i fix this ?
The problem is probably that your unsigned APK and keystore are not located in the same folder.
You'll need to know the path to both the unsigned APK and the keystore from previos step. I recommend moving them into the same directory so the command is easier to type.
Instead of android-release-unsigned.apk you should use name of your app like this NameOfMyApp.apk
Whole command should look like this:
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore NameOfMyApp.keystore NameOfMyApp.apk NameOfMyApp
This will work only if you have your NameOfMyApp.keystore
More about this at Chapter 6: Publishing your app
The solution to this is uninstalling and reinstalling the JDK.
I followed this:
https://www3.ntu.edu.sg/home/ehchua/programming/howto/JDK_Howto.html