JKS and Openssl commands

Java Keytool Command

These commands allow you to generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates will need to be imported before importing the primary certificate for your domain.

  • Generate a Java keystore and key pair

    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

  • Generate a certificate signing request (CSR) for an existing Java keystore

    keytool -certreq -alias mydomain -keystore keystore.jks -file 8gwifi.csr

  • Import a root or intermediate CA certificate to an existing Java keystore

    keytool -import -trustcacerts -alias root -file 8gwifiCA.crt -keystore keystore.jks

  • Import a signed primary certificate to an existing Java keystore

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

  • Generate a keystore and self-signed certificate  

    keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

  • Check a stand-alone certificate

    keytool -printcert -v -file 8gwifi.crt

  • Check which certificates are in a Java keystore

    keytool -list -v -keystore keystore.jks

  • Check a particular keystore entry using an alias

    keytool -list -v -keystore keystore.jks -alias mydomain

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias 8gwifi -keystore keystore.jks

  • Change a Java keystore password

    keytool -storepasswd -new new_storepass -keystore keystore.jks

  • Export a certificate from a keystore

    keytool -export -alias mydomain -file mydomain.crt -keystore keystore.jks

  • List Trusted CA Certs

    keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Import New CA into Trusted Certs

    keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts


OpenSSL Commands

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key
  • Generate a self-signed certificate 
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt
  • Generate a certificate signing request (CSR) for an existing private key
    openssl req -out CSR.csr -key privatekey.key -new
  • Generate a certificate signing request based on an existing certificate
    openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privatekey.key
  • Remove a passphrase from a private key
    openssl rsa -in privateKey.pem -out newprivatekey.pem
  • Convert a DER file (.crt .cer .der) to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • Convert a PEM file to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
    openssl pkcs12 -in keyStore.pfx -out keystore.pem -nodes

    You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile 

 

Importing a SSL certificate into a Java Keystore via a PKCS12 file

 Here are the instructions on how to import a SSL certificate into the Java Keystore from a PKCS12 (pfx or p12) file.

  1. Create a new keystore
    1. Navigate to C:\Program Files\Java\jdk_xxxx\bin\ via command prompt
  2. Execute: keytool -genkey -alias mycertificate -keyalg RSA -keysize 2048 -keystore mykeystore
    1. Use password of: Use the same password/passphrase as the PKCS12 file
    2. What is your first and last name?  (should be the dns you're going to use) [Unknown]:  server.mydomain.com
      What is the name of your organizational unit? [Unknown]: MyCompanysITDepartment
      What is the name of your organization?  [Unknown]:  MyCompany
      What is the name of your City or Locality?  [Unknown]:  CITY
      What is the name of your State or Province?  [Unknown]:  STATE
      What is the two-letter country code for this unit?  [Unknown]:  US
      Is CN=...................................... correct?  [no]:  yes
      Enter key password for <mycertificate>
      (RETURN if same as keystore password): Hit Return/Enter
  3. Empty the keystore
    1. Execute via command prompt: keytool -delete -alias mycertificate -keystore mykeystore
    2. Ensure nothing is in the keystore by executing: keytool -v -list -keystore mykeystore
  4. Import the PKCS12 File
    1. Execute via command prompt: keytool -v -importkeystore -srckeystore whateverthefileis.p12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
    2. Enter the PKCS12 password/passphrase for both the Source and Destination password.

 

source: https://jackstromberg.com/2013/05/importing-a-ssl-certificate-into-a-java-keystore-via-a-pkcs12-file/ 


Mobile Access SSL Network Extender (SNX) remote users with Windows 11 24H2 fail to connect

  Cause The conflict resolution mechanism in Windows 11 24H2 is different than in earlier versions of Windows. Solution On the Windows endpo...

Mais vistos