How to sign java applet with X.509 certificates from Comodo

I am a newbie to Java security and know pretty much nothing about it. I have an existing jar that was given to me a couple of years ago which was digitally signed. However, that signature is now expired and I need to sign it again. The client has bought an X.509 certificate from Comodo and Comodo gave him the following 4 files.
1) AddTrustExternalCARoot.crt
2) COMODOCodeSigningCA2.crt
3) UTNAddTrustObject_CA.crt
4) "application_specific_key".crt
I would like to know what the next steps are in order to sign the jar file I have. I have tried doing the following things but I keep getting an error when I use jarsigner to sign the applet jar
1) keytool -import -alias AddTrustExternalCARoot -keystore altis.keystore -file AddTrustExternalCARoot.crt
2) keytool -import -alias COMODOCodeSigningCA2 -keystore altis.keystore -file COMODOCodeSigningCA2.crt
3) keytool -import -alias UTNAddTrustObject_CA -keystore altis.keystore -file UTNAddTrustObject_CA.crt
4) keytool -import -alias "application_specific_alias" -keystore altis.keystore -file "application_specific_alias".crt
5) jarsigner "application_jar_file" "application_specific_alias"
jarsigner: Certificate chain not found for: "application_specific_alias". "application_specific_alias" must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
What am I missing?

You need to have the certificate along with the private key in a PKCS12 format.
To get this file you need to follow the link that COMODO provided via e-mail using the SAME COMPUTER and the SAME BROWSER that you used to place the order in the first place.
The certificate will be installed using your browser and you'll be able to export it in the PKCS12 format.
To export the certificate COMODO provides the following guides:
Internet Explorer / Chrome browsers:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/71/0/how-do-i-backup-my-digital-id-certificate-windows-ie
After you have exported the certificate along with the private key in the PKCS12 format you should sign the JAVA applet using the following guide:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/531/0/signing-jar-files
If your .jar file already has a certificate, you can open it in a compression utility and remove the content from the META-INF folder. Then you can sign the applet.
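A pre-flight check for the error in the question, as an added example that is not part of the original answer: keytool -import of a .crt file creates a trustedCertEntry, while jarsigner needs a PrivateKeyEntry. The listing is constructed sample output in the shape keytool -list prints, and the alias codesign_from_p12 is a hypothetical entry standing in for a key imported from the exported PKCS12 file.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -keystore altis.keystore` output
# (dates invented, fingerprint lines omitted). The first four entries
# mirror the imports from the question; the fifth is hypothetical.
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 5 entries

addtrustexternalcaroot, Jan 5, 2015, trustedCertEntry,
comodocodesigningca2, Jan 5, 2015, trustedCertEntry,
utnaddtrustobject_ca, Jan 5, 2015, trustedCertEntry,
application_specific_alias, Jan 5, 2015, trustedCertEntry,
codesign_from_p12, Jan 5, 2015, PrivateKeyEntry, 
EOF
}

# entry_type ALIAS: read a keytool listing on stdin and print the entry
# type of ALIAS, or "missing". The date itself contains a comma, so the
# type is taken as the last non-empty comma-separated field.
entry_type() {
    awk -v want="$1" '
        /Entry,[ \t]*$/ {
            n = split($0, f, /,[ ]*/)
            # JKS stores aliases lower-cased, so compare case-insensitively
            if (tolower(f[1]) == tolower(want)) { print f[n-1]; found = 1; exit }
        }
        END { if (!found) print "missing" }'
}

# can_sign ALIAS: succeed only if ALIAS holds a private key and chain
can_sign() {
    [ "$(entry_type "$1")" = "PrivateKeyEntry" ]
}

for a in application_specific_alias codesign_from_p12; do
    if sample_listing | can_sign "$a"; then
        echo "$a: usable with jarsigner"
    else
        echo "$a: $(sample_listing | entry_type "$a"), no private key"
    fi
done
```

Against a real keystore, pipe the output of keytool -list -keystore altis.keystore into can_sign with the alias you intend to pass to jarsigner.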

Related

What should I replace YOUR_RELEASE_KEY_ALIAS and YOUR_RELEASE_KEY_PATH with for login with Facebook in Flutter?

I am trying to include a login with Facebook feature in a Flutter application. Going through the steps, I generated the key hash for debug mode. However, I'm not able to figure out what to replace the above two values with in keytool -exportcert -alias YOUR_RELEASE_KEY_ALIAS -keystore YOUR_RELEASE_KEY_PATH | openssl sha1 -binary | openssl base64 for generating the release key hash. What should I do?
You may find this info in the file: android/key.properties
Release key alias is any alias you want, remember that as you'll need them for updates. Path is the path where you want the key to be generated.

Huawei App Signing for an app, where I have to Open CLI and then go to JDK directory

How do I access the directory and export to PEM format? There is no help available on the internet.
Please find the detailed explanation below to execute the command.
1. Open the CLI. ==> Open the command line interface (CLI) using the following method:
a. In Windows:
i. Press Windows + R
ii. Type "cmd" and press Enter
b. In Linux:
i. Press Ctrl + Alt + T
2. Go to the directory where the JDK is located by typing the below command:
cd
Note: may be different in Linux environment.
Then it will go to the path where JDK is located.
3. Run the following command to export the certificate (in PEM format) for the new upload key:
keytool -export -rfc -keystore upload-keystore.jks -alias upload -file upload_certificate.pem
Replace the italic and boldfaced content in the command with the actual values
a. upload-keystore.jks ==> replace with “/”
example: “D:\keystore\mykeystore.jks”
b. upload ==> replace with alias of jks file which is given while creating jks file
example: mykeystorealias
c. upload_certificate.pem ==> replace with “/name-of-pem-file” (path and name of the pem file where you want to create pem file)
example: "D:\keystore\my-pem-certificate.pem"
After replacing the required values in the above command, it will look like below:
keytool -export -rfc -keystore "D:\keystore\mykeystore.jks" -alias mykeystorealias -file "D:\keystore\my-pem-certificate.pem"
Note: and may be different in Linux environment
Once the above command is successfully executed, it will prompt for password of jks file (which is given while creating the jks file). Enter the password of the jks file.
After successful creation of pem file, success message is displayed as below:
Certificate stored in file <D:\keystore\my-pem-certificate.pem>
Note: The directory paths shown in screenshots are taken from windows environment. The path will be different for Linux environment.

Keytool command line for server crt and private key

I was using the KeyStore Explorer tool to create a server crt and a private key file from my PKCS12 keystore file. The tool is great.
Is there any corresponding keytool commandline equivalent?
NO. keytool has no operations either to write out a privatekey alone from a keystore or read in a privatekey alone to a keystore. This is why we get hundreds of questions about the latter, mostly on other Stacks where they are on-topic. For the most recent one I answered, see How to resolve : jno_key_entry
For a PKCS12 keystore, openssl pkcs12 -in file -nocerts will extract the privatekey, or privatekeys, in PEM format. By default it/they is/are encrypted and you must give a (new) password, but you can use -nodes to get it/them unencrypted. If there is more than one privatekey in the keystore, you may need to edit the output to select the desired one (or ones).
For other type keystore, use keytool -importkeystore to convert to PKCS12, then continue as above. If (any type) keystore has multiple entries, you can use keytool -importkeystore with -alias to select only the desired entry, and thus not need the editing step above.
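The extraction described above, as an added example that is not part of the original answer: it pulls the private key out of a PKCS12 file with -nocerts -nodes and confirms it belongs to the certificate, keeping the unencrypted key in a pipe instead of writing it to disk. The file names, subject and password are constructed throwaway values.

```shell
#!/bin/sh
# Public key (PEM) derived from a private key file
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key (PEM) embedded in a certificate
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# key_matches_cert KEY CERT: succeed only if the two belong together
key_matches_cert() {
    k=$(pubkey_of_key "$1") && c=$(pubkey_of_cert "$2") &&
        [ -n "$k" ] && [ "$k" = "$c" ]
}

# p12_key_matches_cert P12 PASSWORD CERT: extract the key as in the answer
# (-nocerts -nodes) and compare it with CERT. The unencrypted key only
# passes through the pipe; a wrong password makes the check fail.
p12_key_matches_cert() {
    k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) &&
        c=$(pubkey_of_cert "$3") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_fixture DIR: constructed material for the demo (self-signed cert,
# an unrelated second key, and a PKCS12 bundle of the first pair).
# pass:... is visible in the process list; acceptable only for throwaways.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-example" \
        -keyout "$1/server_key.pem" -out "$1/server.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other_key.pem" 2048 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/server_key.pem" -in "$1/server.crt" \
        -passout pass:example-password -out "$1/keystore.p12"
}

d=$(mktemp -d) && make_fixture "$d" && {
    key_matches_cert "$d/server_key.pem" "$d/server.crt" &&
        echo "server_key.pem: matches server.crt"
    key_matches_cert "$d/other_key.pem" "$d/server.crt" ||
        echo "other_key.pem: does NOT match server.crt"
    p12_key_matches_cert "$d/keystore.p12" example-password "$d/server.crt" &&
        echo "keystore.p12: extracted key matches server.crt"
}
rm -rf "$d"
```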

apple certificate signing request

I've built a dummy app and I'd like to test it on my iPhone. I know that I need to be enrolled in the Apple developer program and I’m in. I don’t have a Mac, so I had to rent one from macincloud[dot]com.
At this moment, I need to generate a signing certificate request, but I don’t have access to Keychain Access utility. The guys from macincloud offer access to the terminal, but not to Keychain Utility. I know that I need to use security tool from command line, but that’s all.
After 6 hours on two different days, I didn’t find any tutorial/description about how to use the security tool in order to generate the signing certificate request.
Do you have any idea about what do I need to do in command line to generate a signing certificate request?
Run the following in the terminal:
openssl genrsa -out mykey.key 2048
Save this private key file as you will use it later.
Run the following command, replacing the e-mail address, CN (certificate name), and C (country) values with your own:
openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress@example.com/CN=John Doe/C=US"
Now in iOS Dev Portal, just use the generated CertificateSigningRequest.certSigningRequest
If you are doing this for Apple Push / APNS, you will also want to know about these 2 additional commands to generate the needed .p12 file:
openssl x509 -in XXXXX.cer -inform DER -out XXXXX.pem -outform PEM
openssl pkcs12 -export -inkey XXXXX.key -in XXXXX.pem -out XXXXX.p12
where XXXXX is your "mykey" value and the xxxxx.cer file is what you download from the Apple portal.

Convert a CERT/PEM certificate to a PFX certificate

I've seen a couple questions about how to convert a PFX to a cert file, but I need to go the other way.
I have two files:
bob_cert.cert
bob_key.pem
I'd like to convert them to a single .pfx file. Is there a tool that does this?
openssl pkcs12 -inkey bob_key.pem -in bob_cert.cert -export -out bob_pfx.pfx
I created .pfx file from .key and .pem files.
Like this openssl pkcs12 -inkey rootCA.key -in rootCA.pem -export -out rootCA.pfx
That's not the direct answer but still maybe it helps out someone else.
Here is how to do this on Windows without third-party tools:
Import certificate to the certificate store. In Windows Explorer select "Install Certificate" in context menu.
Follow the wizard and accept default options "Local User" and "Automatically".
Find your certificate in certificate store. On Windows 10 run the "Manage User Certificates" MMC. On Windows 2013 the MMC is called "Certificates". On Windows 10 by default your certificate should be under "Personal"->"Certificates" node.
Export Certificate. In context menu select "Export..." menu:
Select "Yes, export the private key":
You will see that .PFX option is enabled in this case:
Specify password for private key.
If you have a self-signed certificate generated by makecert.exe on a Windows machine, you will get two files: cert.pvk and cert.cer. These can be converted to a pfx using pvk2pfx.
pvk2pfx is found in the same location as makecert (e.g. C:\Program Files (x86)\Windows Kits\10\bin\x86 or similar).
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx