How to create a certificate into a PKCS12 keystore with keytool? - certificate

I want to create a certificate in a PKCS12 keystore with the keytool program.
The keystore has the extension .pfx.
How do I achieve this?

If the keystore is PKCS12 type (.pfx) you have to specify it with -storetype PKCS12 (line breaks added for readability):
keytool -genkey -alias <desired certificate alias>
-keystore <path to keystore.pfx>
-storetype PKCS12
-keyalg RSA
-storepass <password>
-validity 730
-keysize 2048

Additional answer to the key of the question.
With JDK 8 (1.8.0_121-b13) you don't get an exception if you remove -storetype pkcs12 but the keytool creates a JKS keystore instead, and the .pfx extension is ignored.
It also asks for a -keypass mykeypassword which the keytool doesn't support for PKCS12.
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -keystore keystore.pfx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Generating keypair (Type EC, 256 Bit) and self-signed certificate (SHA256withECDSA) with a validity of 365 days
for: CN=CN, OU=OU, O=O, C=C
[keystore.pfx saved]
List the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pfx -storepass mystorepassword
(translated)
Keystore-Type: JKS
Keystore-Provider: SUN
Keystore contains 1 entry.
mykey, 25.04.2017, PrivateKeyEntry,
Certificate-Fingerprint (SHA1): A1:6C:5F:8F:43:37:1A:B6:43:69:08:DE:6B:B9:4D:DB:05:C9:D5:84
You see it's a Java keystore.
The next problem is that even if you specify -storetype pkcs12 when you -list the keystore, keytool will still display the store as a JKS keystore!
Let's try that:
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -storetype pkcs12 -keystore keystore.pkx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Warning: No support for different keystore and key password for PKCS12 keystores. The value of -keypass will be ignored.
Generating keypair (Type EC, 256 Bit) and self signed certificate (SHA256withECDSA) with a validity of 365 Days
für: CN=CN, OU=OU, O=O, C=C
[keystore.pkx saved]
Now list the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pkx -storepass mystorepassword
(translated)
Keystore-Type: JKS // ??
Keystore-Provider: SUN
Keystore contains 1 entry
mykey, 25.04.2017, PrivateKeyEntry,
Certificate Fingerprint (SHA1): EA:C2:36:C6:55:69:CB:32:22:C7:14:83:67:47:D2:7E:06:8E:13:14
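The answer above shows keytool reporting a store saved as .pfx as "Keystore-Type: JKS", so neither the file extension nor keytool's own listing tells you reliably what was written to disk. As an added example, not code from the original post, here is a small Python check that reads only the leading bytes of the file: JKS and JCEKS stores begin with fixed 4-byte magic numbers followed by a version and an entry count, while a PKCS12 file is a DER SEQUENCE whose first element is the version INTEGER 3. The sample headers are constructed inline for the example; the names sniff_keystore, sniff_file and der_length are chosen here and are not part of keytool.

```python
import struct
import sys

# Magic numbers of the two Java-proprietary keystore formats (big-endian).
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE

# Constructed sample headers (not files from the page): the leading bytes of a
# JKS store (magic, version 2, one entry), a JCEKS store (version 2, no entries)
# and a PKCS12 PFX (DER SEQUENCE of 2588 bytes starting with version INTEGER 3).
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 1)
SAMPLE_JCEKS = struct.pack(">III", JCEKS_MAGIC, 2, 0)
SAMPLE_PKCS12 = bytes.fromhex("30820a1c020103")


def der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def sniff_keystore(data):
    """Classify a keystore from its leading bytes, independent of what keytool prints."""
    if len(data) < 4:
        raise ValueError("too short to be a keystore")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (JKS_MAGIC, JCEKS_MAGIC):
        if len(data) < 12:
            raise ValueError("truncated JKS/JCEKS header")
        version, count = struct.unpack(">II", data[4:12])
        return {"format": "JKS" if magic == JKS_MAGIC else "JCEKS",
                "version": version, "entries": count}
    if data[0] == 0x30:
        # PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, macData OPTIONAL }
        total, pos = der_length(data, 1)
        if pos >= len(data) or data[pos] != 0x02:
            raise ValueError("DER SEQUENCE without a leading version INTEGER: not PKCS12")
        vlen, pos = der_length(data, pos + 1)
        version = int.from_bytes(data[pos:pos + vlen], "big")
        return {"format": "PKCS12", "version": version, "body_length": total}
    raise ValueError("unrecognised keystore header: %s" % data[:4].hex())


def sniff_file(path):
    """Read only the first 16 bytes of a keystore file and classify it."""
    with open(path, "rb") as fh:
        return sniff_keystore(fh.read(16))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python sniff_keystore.py keystore.pfx
        print(sniff_file(sys.argv[1]))
    else:
        for name, sample in (("jks", SAMPLE_JKS), ("jceks", SAMPLE_JCEKS), ("pkcs12", SAMPLE_PKCS12)):
            print(name, sniff_keystore(sample))
```

Run it against the keystore.pfx produced without -storetype PKCS12 and it reports JKS, which matches what keytool printed in the listing above; a store produced with -storetype PKCS12 reports PKCS12 with version 3 regardless of what keytool's -list output says.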

Related

How to use multiple alias names in keytool genkeypair command?

Can I use something like:
keytool -genkeypair -keystore node1.keystore -alias **name1,name2,name3** \
-dname "CN=node1.example.com,O=Hadoop" -keyalg RSA \
-keysize 2048 -storepass changeme -keypass changeme

Tomcat 7 doesn't change the cert store using server.xml file

After a server rebuild we installed our own certificate on a server with CentOS 6.x and Tomcat 7, and it works, but the browser address bar shows a red cross indicating that Chrome doesn't trust us, logically. This certificate was installed in the certstore01 keystore.
keytool -list -keystore certstore01 -storepass pass4certstore01
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mkyong, Aug 25, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:X:XX
After that we re-keyed the certificate acquired from GoDaddy and installed the chain without problem:
keytool -import -trustcacerts -keystore certstore02 -alias root -file gdroot-g2_cross.crt -storepass pass4certstore02
keytool -import -trustcacerts -keystore certstore02 -alias intermed -file gdig2.crt -storepass pass4certstore02
keytool -import -trustcacerts -keystore certstore02 -alias latiendamiga.com -file myIssuedCertByCA.crt -storepass pass4certstore02
and it is shown perfectly:
keytool -list -keystore certstore02 -storepass pass4certstore02
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Sep 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:...
latiendamiga.com, Sep 5, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:...
intermed, Sep 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:...
then we changed the server.xml file from
keystoreFile="/path4certstore/certstore01"
keystorePass="pass4certstore01"
to
keystoreFile="/path4certstore/certstore02"
keystorePass="pass4certstore02"
and it stopped working; I mean it works with the first server.xml configuration but not with the second one.
Could somebody help me at this point?
Thanks in advance.

Create certificate keystore file AES 128

I'm trying to create a certificate keystore file from the command line, but it gives me an exception:
c:\Program Files\Java\jre7\bin>keytool.exe -genkey -alias srccodes -keyalg AES -keystore C:\srccodes.jks -keysize 128
Enter keystore password:
Re-enter new password:
keytool error: java.lang.Exception: Cannot derive signature algorithm
The -genkey option generates a public key and its associated private key, so it only works with asymmetric algorithms (AES is symmetric, so you can't use -genkey with it).
Use -genseckey instead. Note also that JKS cannot store entries that are not public-key pairs, so you must use the JCEKS format; to specify this, add -storeType JCEKS. Finally, your command must be:
keytool.exe -genseckey -alias srccodes -keyalg AES -keystore C:\srccodes.jceks -keysize 128 -storeType JCEKS
For more info take a look at: Keytool documentation
Hope this helps,

Script to Generate Self signed SSL certificate

The question is how to quickly generate a self-signed certificate that you can use with Agg Cat services or with other Intuit services.
Is there a simple script?
Here is a simple script I created for this:
#!/bin/bash
# Usage: ./gencert.sh <aliasname> <password>
if (( $# != 2 ))
then
echo "Usage: $0 aliasname password"
exit 1
fi
# Generate a 2048-bit RSA key pair and self-signed certificate in a PKCS12 store
# (keytool accepts -deststoretype as a synonym for -storetype here)
keytool -genkey -keystore "./$1.p12" -deststoretype PKCS12 -storepass "$2" -alias "$1" -keyalg "RSA" -keysize 2048 -validity 9000
# Print the private key and certificate in PEM form (prompts for the store password)
openssl pkcs12 -in "./$1.p12"
# Also convert the PKCS12 store into a JKS keystore with the same password
keytool -v -importkeystore -srckeystore "./$1.p12" -srcstoretype PKCS12 -srcstorepass "$2" -destkeystore "./$1.jks" -deststoretype JKS -deststorepass "$2"
This will create an SSL certificate and print the private key and public cert.
You use the public cert during app creation.
Use the private key in the sample app of API Explorer.

Jar signing -validity property

I used the -validity property of keytool to generate a keystore and self-sign a jar. During the process, I saw the debug message that says
[info] Warning:
[info] This jar contains entries whose signer certificate will expire within six months.
I am using the following commands:
keytool -genkey -alias signFiles -keypass mypass -keystore mystore -storepass mypass -alias store -validity 365
keytool -selfcert -keystore mystore -alias store
Am I doing something wrong here? Actually I wanted to sign the jar with a certificate for 1 year.
Cheers,
J
Add -validity 365 to your -selfcert command.