JKS and OpenSSL commands

Java Keytool Command

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

  • Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias mydomain -keystore keystore.jks -file 8gwifi.csr

  • Import a root or intermediate CA certificate to an existing Java keystore

    keytool -import -trustcacerts -alias root -file 8gwifiCA.crt -keystore keystore.jks

  • Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate  

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

  • Check a stand-alone certificate

    keytool -printcert -v -file 8gwifi.crt

  • Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -alias mydomain

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias 8gwifi -keystore keystore.jks

  • Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List Trusted CA Certs

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import New CA into Trusted Certs

    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts


OpenSSL Commands

  • Generate a new private key and certificate signing request (CSR)

    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

  • Generate a self-signed certificate

    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt

  • Generate a certificate signing request (CSR) for an existing private key

    openssl req -out CSR.csr -key privatekey.key -new

  • Generate a certificate signing request based on an existing certificate

    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privatekey.key

  • Remove a passphrase from a private key

    openssl rsa -in privateKey.pem -out newprivatekey.pem

  • Convert a DER file (.crt .cer .der) to PEM

    openssl x509 -inform der -in certificate.cer -out certificate.pem

  • Convert a PEM file to DER

    openssl x509 -outform der -in certificate.pem -out certificate.der

  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

    openssl pkcs12 -in keyStore.pfx -out keystore.pem -nodes

    You can add -nocerts to output only the private key, or add -nokeys to output only the certificates. With -nodes the private key is written to the output file unencrypted.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile 

 

Importing an SSL certificate into a Java Keystore via a PKCS12 file

 Here are the instructions on how to import an SSL certificate into the Java Keystore from a PKCS12 (pfx or p12) file.

  1. Create a new keystore
    1. Navigate to C:\Program Files\Java\jdk_xxxx\bin\ via command prompt
  2. Execute: keytool -genkey -alias mycertificate -keyalg RSA -keysize 2048 -keystore mykeystore
    1. When prompted for the keystore password, use the same password/passphrase as the PKCS12 file
    2. Answer the prompts; the first and last name should be the DNS name you're going to use:
      What is your first and last name?  [Unknown]:  server.mydomain.com
      What is the name of your organizational unit?  [Unknown]:  MyCompanysITDepartment
      What is the name of your organization?  [Unknown]:  MyCompany
      What is the name of your City or Locality?  [Unknown]:  CITY
      What is the name of your State or Province?  [Unknown]:  STATE
      What is the two-letter country code for this unit?  [Unknown]:  US
      Is CN=...................................... correct?  [no]:  yes
      Enter key password for <mycertificate>
      (RETURN if same as keystore password):  (hit Return/Enter)
  3. Empty the keystore
    1. Execute via command prompt: keytool -delete -alias mycertificate -keystore mykeystore
    2. Ensure nothing is in the keystore by executing: keytool -v -list -keystore mykeystore
  4. Import the PKCS12 file
    1. Execute via command prompt: keytool -v -importkeystore -srckeystore whateverthefileis.p12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
    2. Enter the PKCS12 password/passphrase for both the Source and Destination password.
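
 A scripted version of the import above with a verification step, as an added example that is not part of the original instructions. It skips the create-and-empty steps because keytool -importkeystore creates the destination keystore when it does not exist. The exported variable P12_PASS, the file names and the throwaway demo certificate are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): scripted PKCS12 -> JKS import.
# Assumptions: the passphrase is in the exported variable P12_PASS (6+ chars);
# file names and the demo subject are constructed for illustration.

# Create a throwaway key and self-signed cert, then pack them into demo.p12.
# This stands in for the PKCS12 file you were given.
build_demo_p12() {
  local dir=$1
  openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
    -subj "/CN=server.mydomain.com" \
    -keyout "$dir/privatekey.key" -out "$dir/certificate.crt" 2>/dev/null &&
  openssl pkcs12 -export -name mycertificate -passout env:P12_PASS \
    -inkey "$dir/privatekey.key" -in "$dir/certificate.crt" -out "$dir/demo.p12"
}

# Import into a JKS file. Passwords are read from the environment (:env
# modifier), so they are not part of the command line or the shell history.
import_p12_to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
    -destkeystore "$2" -deststoretype JKS -deststorepass:env P12_PASS
}

# Print the entry type for an alias; a usable TLS identity is "PrivateKeyEntry"
# (a "trustedCertEntry" means the private key did not come across).
jks_entry_type() {
  keytool -J-Duser.language=en -list -v -keystore "$1" -alias "$2" \
    -storepass:env P12_PASS 2>/dev/null | sed -n 's/^Entry type: //p'
}

# Succeed only if the certificate stored under the alias is the expected one,
# compared by SHA-256 fingerprint.
same_cert() {
  local got want
  got=$(keytool -exportcert -rfc -keystore "$1" -alias "$2" \
        -storepass:env P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256)
  want=$(openssl x509 -noout -fingerprint -sha256 -in "$3")
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage: read -rs P12_PASS; export P12_PASS
#        import_p12_to_jks whateverthefileis.p12 mykeystore
#        jks_entry_type mykeystore mycertificate
```

 The alias inside the new keystore is the friendly name stored in the PKCS12 file, so check it with keytool -list before pointing a server at it.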

 

source: https://jackstromberg.com/2013/05/importing-a-ssl-certificate-into-a-java-keystore-via-a-pkcs12-file/ 

