Jar signing -validity property - keytool

I used the -validity property of keytool to generate a keystore and self-sign a jar. During the process, I saw a debug message that says:
[info] Warning:
[info] This jar contains entries whose signer certificate will expire within six months.
I am using the following commands:
keytool -genkey -alias signFiles -keypass mypass -keystore mystore -storepass mypass -alias store -validity 365
keytool -selfcert -keystore mystore -alias store
Am I doing something wrong here? Actually, I wanted to sign the jar with a certificate valid for 1 year.
Cheers,
J

Add -validity 365 to your -selfcert command.

Related

delete a cert from a truststore when the alias has unusual characters (?)

Using keytool from the command line, I added a new cert to a store. But the anger-inducing window manager that I find myself currently stuck with managed to fail at cut-and-paste and replaced one of the characters of the alias with a ? character. How do I change or delete that alias?
keytool -list -keystore truststore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
hail.ucc.nau.edu:8636-cert-1?, Dec 1, 2017, trustedCertEntry,
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1\?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1\?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1> does not exist
Thanks for any assistance,
- rob.
The special character you are seeing may not be that actual character, as suggested by #Pavel Lechev in the comment. If the keytool delete doesn't work, you can use the KeyStore Explorer software to do it. It has a nice GUI providing all the keytool functionality.
Or you could write a small tool/class using the KeyStore API to delete your unwanted alias. You could list all the aliases, identify it, and delete it (to identify the alias, you could use startsWith()).
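One way to do the KeyStore API approach described above, as an added example that is not from the original post: the class below loads the store, prints every alias that starts with the typeable part of the name together with its code points (so the real untypeable character becomes visible), and deletes the entry only when the prefix identifies exactly one alias. The class name, the argument layout and the choice of JKS as the store type are assumptions; the output is written to a new file so the original store is untouched.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.stream.Collectors;

/** Usage: java DeleteAliasByPrefix <keystore> <storepass> <alias-prefix> [--delete]
 *  Without --delete it only lists the matching aliases (dry run). */
public class DeleteAliasByPrefix {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: DeleteAliasByPrefix <keystore> <storepass> <alias-prefix> [--delete]");
            System.exit(2);
        }
        String path = args[0];
        char[] pass = args[1].toCharArray();
        // JKS lower-cases aliases when storing them, so compare in lower case too.
        String prefix = args[2].toLowerCase(Locale.ROOT);
        boolean doDelete = args.length > 3 && "--delete".equals(args[3]);

        // Assumption: the store is JKS, as "keytool -list" reported in the question.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }

        List<String> matches = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (alias.startsWith(prefix)) {
                matches.add(alias);
                // Show the code points: the "?" on screen may be any character.
                System.out.printf("match: %s  codepoints=%s%n", alias,
                        alias.codePoints().mapToObj(Integer::toHexString).collect(Collectors.toList()));
            }
        }
        // Refuse to act unless the prefix pins down exactly one entry.
        if (matches.size() != 1) {
            System.err.println("expected exactly one match, found " + matches.size());
            System.exit(1);
        }
        if (!doDelete) { System.out.println("dry run; rerun with --delete"); return; }

        ks.deleteEntry(matches.get(0));
        try (FileOutputStream out = new FileOutputStream(path + ".new")) {
            ks.store(out, pass);        // original file is left untouched
        }
        System.out.println("deleted " + matches.get(0) + ", wrote " + path + ".new");
    }
}
```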

Tomcat 7 doesn't change the cert store using server.xml file

After a server rebuild we installed our own certificate on a server with CentOS 6.x and Tomcat 7, and it works, but the browser address bar shows a red cross indicating Chrome doesn't trust us, logically. This certificate was installed in the certstore01 keystore.
keytool -list -keystore certstore01 -storepass pass4certstore01
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mkyong, Aug 25, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:X:XX
After that we re-keyed the certificate acquired from GoDaddy and installed the chain without problems:
keytool -import -trustcacerts -keystore certstore02 -alias root -file gdroot-g2_cross.crt -storepass pass4certstore02
keytool -import -trustcacerts -keystore certstore02 -alias intermed -file gdig2.crt -storepass pass4certstore02
keytool -import -trustcacerts -keystore certstore02 -alias latiendamiga.com -file myIssuedCertByCA.crt -storepass pass4certstore02
and it is shown perfectly:
keytool -list -keystore certstore02 -storepass pass4certstore02
keytool -list -keystore csltndmg -storepass cgr7hd9qgah6g0qgg33
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Sep 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:...
latiendamiga.com, Sep 5, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): XX:XX:...
intermed, Sep 5, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XX:XX:...
Then we changed the server.xml file from
keystoreFile="/path4certstore/certstore01"
keystorePass="pass4certstore01"
to
keystoreFile="/path4certstore/certstore02"
keystorePass="pass4certstore02"
and it stopped working; I mean it works with the first server.xml configuration but not with the second one.
Could somebody help me at this point?
Thanks in advance.

Because when I run keytool fill all fields and keep asking me back

When I run keytool in cmd.exe, I fill in all the fields and it keeps asking me again
keytool -genkey -v -keystore [keystore_name].keystore -alias [alias_name] -keyalg RSA -keysize 2048 -validity 10000
It does not generate the keystore; after asking if everything is correct, and I put yes, it becomes responsive again. Why? What am I doing wrong?
Not sure what is going wrong for you. And it works for me.
Try giving all the parameters in one go, like this:
keytool -genkey -v -keystore test.jks -alias test
-keyalg RSA -keysize 2048 -validity 10000 -storepass test -keypass test -dname "CN=test.com,OU=Test,O=Test,L=Test,S=Test,C=Test"
This should store the keystore without prompting for confirmation.
I had the same issue, and I realized that it was because of my OS language (I have Spanish by default), so when I answered with "si" it worked.

How to create a certificate into a PKCS12 keystore with keytool?

I wanted to create a certificate into a PKCS12 keystore format with keytool program.
The keystore has extension .pfx.
How do I achieve this?
If the keystore is PKCS12 type (.pfx) you have to specify it with -storetype PKCS12 (line breaks added for readability):
keytool -genkey -alias <desired certificate alias>
-keystore <path to keystore.pfx>
-storetype PKCS12
-keyalg RSA
-storepass <password>
-validity 730
-keysize 2048
An additional answer on the key point of the question.
With JDK 8 (1.8.0_121-b13) you don't get an exception if you remove -storetype pkcs12 but the keytool creates a JKS keystore instead, and the .pfx extension is ignored.
It also asks for a -keypass mykeypassword which the keytool doesn't support for PKCS12.
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -keystore keystore.pfx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Generating keypair (Type EC, 256 Bit) and self-signed certificate (SHA256withECDSA) with a validity of 365 days
for: CN=CN, OU=OU, O=O, C=C
[keystore.pfx saved]
List the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pfx -storepass mystorepassword
(translated)
Keystore-Type: JKS
Keystore-Provider: SUN
Keystore contains 1 entry.
mykey, 25.04.2017, PrivateKeyEntry,
Certificate-Fingerprint (SHA1): A1:6C:5F:8F:43:37:1A:B6:43:69:08:DE:6B:B9:4D:DB:05:C9:D5:84
You see it's a Java keystore.
The next problem is, that even if you specify -storetype pkcs12 when you -list the keystore, the keytool will still display the store as a JKS keystore!
Let's try that:
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -storetype pkcs12 -keystore keystore.pkx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Warning: No support for different keystore and key password for PKCS12 keystores. The value of -keypass will be ignored.
Generating keypair (Type EC, 256 Bit) and self signed certificate (SHA256withECDSA) with a validity of 365 Days
für: CN=CN, OU=OU, O=O, C=C
[keystore.pkx saved]
Now list the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pkx -storepass mystorepassword
(translated)
Keystore-Type: JKS // ??
Keystore-Provider: SUN
Keystore contains 1 entry
mykey, 25.04.2017, PrivateKeyEntry,
Certificate Fingerprint (SHA1): EA:C2:36:C6:55:69:CB:32:22:C7:14:83:67:47:D2:7E:06:8E:13:14
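Because the "Keystore-Type:" line above reflects the type keytool was asked to open rather than what is on disk, a check of the file's first bytes settles the question. The class below is an added example, not from the original answer: it reads the four-byte magic number the JDK keystore implementations write (0xFEEDFEED for JKS, 0xCECECECE for JCEKS) and otherwise looks for the DER SEQUENCE tag (0x30) that every PKCS#12 file starts with. The class name is an assumption.

```java
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Report the on-disk keystore format from its leading bytes. */
public class KeystoreFormat {
    private static final int JKS_MAGIC   = 0xFEEDFEED;
    private static final int JCEKS_MAGIC = 0xCECECECE;

    public static String detect(Path file) throws IOException {
        byte[] head = new byte[4];
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            in.readFully(head);
        } catch (EOFException e) {
            return "too short to be a keystore";
        }
        int magic = ((head[0] & 0xFF) << 24) | ((head[1] & 0xFF) << 16)
                  | ((head[2] & 0xFF) << 8)  |  (head[3] & 0xFF);
        if (magic == JKS_MAGIC)   return "JKS";
        if (magic == JCEKS_MAGIC) return "JCEKS";
        // PKCS#12 is DER-encoded; the outer PFX structure is an ASN.1 SEQUENCE.
        if ((head[0] & 0xFF) == 0x30) return "PKCS12 (DER SEQUENCE)";
        return String.format("unknown (first bytes %02x %02x %02x %02x)",
                head[0], head[1], head[2], head[3]);
    }

    public static void main(String[] args) throws IOException {
        for (String a : args) {
            System.out.println(a + ": " + detect(Paths.get(a)));
        }
    }
}
```

Run it against keystore.pfx and keystore.pkx from the answer to see which of the two was actually written as PKCS12.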

To change jar expiry time

I need to change the expiry date of a jar being signed by a certificate to, say, 30 days. Hence I execute the commands in sequence (I provide the relevant inputs for the first command). But in spite of the -validity option being given as 30 days, the jarsigner command says the certificate expires after 6 months (which is the default). How can I change this? Any idea? Below is the list of commands I use:
keytool -genkey -keystore test -alias testAlias -validity 30
keytool -selfcert -alias testAlias -keystore test
jarsigner -keystore "C:\test" "C:\some.jar" testAlias
Your key has a validity of 30 days; the certificate that you are generating and signing with that key is not being specified, and so defaults to 180 days.
It is the value of the -validity flag specified in the -selfcert command that is important here. I just tested this:
cp myKeystore myKeystore-TEST
keytool -selfcert -validity 30 -alias myAlias -keystore myKeystore-TEST
jarsigner -keystore myKeystore-TEST myApplet.jar myAlias
and when the browser popped up the dialog, I could verify that the expiration date was listed as today+30 days. jarsigner -verbose -certs -verify myApplet.jar is much more verbose, listing a summary of the certificate and the key as well:
sm 697 Thu Dec 01 04:02:34 EST 2011 applet/Main.class
X.509, CN=Todd Kaufmann, OU=Unknown, O=..., L=Pittsburgh, ST=PA, C=US
[certificate will expire on 12/31/11 12:48 PM]
X.509, CN=Todd Kaufmann, OU=Unknown, O=..., L=Pittsburgh, ST=PA, C=US
[certificate will expire on 1/23/12 4:08 AM]
...
s = signature was verified
m = entry is listed in manifest
Where 12/31/11 is 30 days from my test now, and the other date is 90 days after I created the keystore, which I can verify with keytool -v -list -keystore myKeystore-TEST. The man page for keytool says 90 days is the default for keys.
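The two expiry dates jarsigner prints above, and the "will expire within six months" warning from the first question on this page, can be checked programmatically without a browser dialog. The class below is an added example, not from either answer: it opens the jar with verification enabled, reads each entry so its signature is checked, and reports the notAfter date of every signer's leaf certificate, flagging those inside the six-month window. The class name and the 182-day approximation of "six months" are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Usage: java JarSignerExpiry <signed.jar> */
public class JarSignerExpiry {
    static final long SIX_MONTHS_MS = 182L * 24 * 60 * 60 * 1000;

    /** Map of signer subject DN -> certificate notAfter for all signed entries. */
    public static Map<String, Date> signerExpiry(String jarPath) throws Exception {
        Map<String, Date> result = new TreeMap<>();
        try (JarFile jar = new JarFile(jarPath, true)) {   // verify = true
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory()) continue;
                // Signers are only available once the entry has been read to the end;
                // a tampered entry makes this read throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue;               // unsigned entry
                for (CodeSigner s : signers) {
                    // First certificate in the path is the signer's own (leaf) cert.
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    X509Certificate x = (X509Certificate) leaf;
                    result.put(x.getSubjectX500Principal().getName(), x.getNotAfter());
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Date now = new Date();
        for (Map.Entry<String, Date> s : signerExpiry(args[0]).entrySet()) {
            long left = s.getValue().getTime() - now.getTime();
            String state = left < 0 ? "EXPIRED"
                    : left < SIX_MONTHS_MS ? "expires within six months" : "ok";
            System.out.printf("%s%n  notAfter=%s  %s%n", s.getKey(), s.getValue(), state);
        }
    }
}
```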