What characters are valid in an 'alias' for Java 7's keytool command?
I found this page - http://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html - but it doesn't seem to explain in detail what's a valid alias.
The source for keytool doesn't validate it at all, it just calls methods of KeyStore, so it comes down to what KeyStore will accept, which appears to be any string, subject to the case-sensitivity caveat in its Javadoc.
Related
i am trying to include login with facebook feature in flutter application. Going through the steps, i did generated key hash for debug mode. However, i'm not being able to figure out what to replace the above two values in keytool -exportcert -alias YOUR_RELEASE_KEY_ALIAS -keystore YOUR_RELEASE_KEY_PATH | openssl sha1 -binary | openssl base64 for generating release key hash. What should i do?
You may find these info in the file: android/key.properties
Release key alias is any alias you want, remember that as you'll need them for updates. Path is the path where you want the key to be generated.
I was using keystore explorer tool to create a server crt and a private key file from my PKCS12 keystore file. The tools is great.
Is there any corresponding keytool commandline equivalent?
NO. keytool has no operations either to write out a privatekey alone from a keystore or read in a privatekey alone to a keystore. This is why we get hundreds of questions about the latter, mostly on other Stacks where they are on-topic. For the most recent one I answered, see How to resolve : jno_key_entry
For a PKCS12 keystore, openssl pkcs12 -in file -nocerts will extract the privatekey, or privatekeys, in PEM format. By default it/they is/are encrypted and you must give a (new) password, but you can use -nodes to get it/them unencrypted. If there is more than one privatekey in the keystore, you may need to edit the output to select the desired one (or ones).
For other type keystore, use keytool -importkeystore to convert to PKCS12, then continue as above. If (any type) keystore has multiple entries, you can use keytool -importkeystore with -alias to select only the desired entry, and thus not need the editing step above.
Convert .crt, .csr, and .key files to .pfx or .p12 using powershell on Windows server 2016.
I have .cert, .csr, and .key files. But in order to execute the "netsh http add sslcert ..." command, I need the .pfx or .p12 file. And I need this to be done in powershell. Openssl is not an option.
I have accomplished the above using openssl. But Im restricted from downloading software now, so thats not an option any more. Im looking for equivalent of openssl pkcs12 -export -out domain.name.pfx -inkey key.key -in cert.crt command in powershell.
This is an old thread but since I was stuck on the exact same problem and finally found the correct answer that wasn't just everyone shouting to use openssl which sometimes isn't available I thought I'd share here for the next lucky soul.
There is a built-in windows utility call CertUtil which can be called from PS and will do exactly this. It's available out of the box at least as far back as server 2012, cant' speak to older versions.
certutil –MergePFX certfile.cer certfile.pfx
A couple things to keep in mind, the -MergePFX only prompts for the certfile not the key so:
Private key file must have .KEY extension.
Cert and key files must have the same base file name.
Cert and key file must be in the same directory.
If you can use .NET Core 3.0:
Load the certificate via cert = new X509Certificate2(certFile)
If the keyfile is PEM encoded (e.g. starts with "----- BEGIN ") then load it, remember what type it is (human or software), find the base64 contents between the header and footer, and run that through Convert.FromBase64String to get the BER/DER encoded format of the key.
key = RSA.Create()
key.ImportPkcs8PrivateKey(bytes, out _), key.ImportEncryptedPkcs8PrivateKey(password, bytes, out _), or key.ImportRSAPrivateKey(bytes, out _); depending on what format the private key file is in.
certWithKey = cert.CopyWithPrivateKey(key)
File.WriteAllBytes("new.pfx", certWithKey.Export(X509ContentType.Pkcs12, password))
If you can use .NET Core 2.1 / .NET Framework 4.7.2:
Load the cert, as above.
Load the key manually:
RSAPrivateKey
How to get RSACryptoServiceProvider public and private key only in c#
How to parse(Convert to RSAParameters) X.509 private key in C#?
PKCS#8 PrivateKeyInfo
Digital signature in c# without using BouncyCastle
PKCS#8 EncryptedPrivateKeyInfo
X509Certificate2.Import with NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG (ImportEncryptedPkcs8Overwrite method)
Use CopyWithPrivateKey/Export/WriteAllBytes as above
If you're stuck on something older:
You could try loading the cert, manually loading the key into an RSACryptoServiceProvider, using cert.set_PrivateKey, and exporting that. Only works on .NET Framework (eliminated from .NET Core because it has too many side effects, especially when done to a cert already in a persisted certificate store).
I am getting this error when trying to login with facebook.
The key hash does not match any stored key hashes.
I faced this similar error before but usually when this error appear, the facebook itself will show the key hash and what I do is just copy the key hash and register it in my facebook app. But the situation now is different because when I get the error above, I did not receive any key hash so I have no idea how to re-generate the key hash.
What I know is, you cannot use the command to re-generate another key hash for the second time like in the following code below.
keytool -exportcert -alias YOUR_RELEASE_KEY_ALIAS -keystore YOUR_RELEASE_KEY_PATH | openssl sha1 -binary | openssl base64
For additional information just in case if this is related, the app is previously developed and the first key hash generated from other device. I copied the project and use another laptop to do the debugging. Just a guess, maybe this is one of the reason why the facebook app isn't showing the mismatch key hash?
You can still generate the key hash with the command
keytool -exportcert -alias androiddebugkey -keystore "your-release-key-path" | "your-openssl-path" sha1 -binary |"your-openssl-path" base64
You may want to check this post How to create Android Facebook Key Hash?
I am using signtool.exe to sign exe file.
I am trying to embed my exe file with the .pfx certificate along with the signed hash of exe(generated signed hash using openssl). I am able to sign only with certificate. But I need to embed the signed hash in the exe as well. Probably signtool.exe sign /as could help. /as option does not expect any argument so not able to pass my hash there.
Could someone please help me sign my exe with certificate and hash.
Thanks,
The version of Signtool shipped with the Windows 10 SDK includes the capability to embed a signed hash into an exe.
From the following page:
https://vcsjones.com/2017/05/07/custom-authenticode-signing/
Starting in the Windows 10 SDK, two new command line switches are available, dg and di. Recall that a signature is always performed on a hash on Authenticode. The dg option changes signtool’s behavior to output a digest that you can sign using anything you’d like. Let’s try this on a copy of notepad.exe.
signtool sign /dg "C:\scratch\dir" /fd SHA256 /f public-cert.cer notepad.exe
This takes a file to a public certificate - there is no key in
public-cert.cer. You could also use the /sha1 option to specify a
certificate in the certificate store that also has only a public key.
This will output a few files in the “C:\scratch\dir” directory. The
digest is the one with the “.dig” extension. This file will have the
Base64 encoded digest to sign. Next, using your custom tool, sign the
digest with the private key for the certificate. You should decode the
Base64 signature before signing if the signing API expects a raw
binary digest.
Next, encode your signature in base64 and place it in a file in the
“C:\scratch\dir” directory with the same name as the digest file, with
the “signed” extension. For example, “notepad.exe.dig.signed”.
The next step is to ingest the signed digest along with the rest of
the Authenticode signature to complete the signing.
signtool sign /di "C:\scratch\dir" notepad.exe
This will complete the signing process, and we now have our own signed
copy of notepad.exe. Appending a signature is done just as before,
except with the /as flag.
This provides great flexibility for signers to use non CSP / CNG
signing options, or offloading the signing process. Signtool can now
also sign just a plain digest file using the /ds option. If you have a
dedicated server for performing Authenticode signing, you can now use
the /dg, /ds, /di options so that only a very small file needs to be
moved to the signing server, instead of the entirely binary if they
are large in size.