Keytool generated certificate

I have just configured SSL on Tomcat and I am wondering if the certificate generated by the keytool command (the one that ships with the j2sdk1.4.2_X) is as good as a certificate from Verisign.
I am willing to accept the fact that users must add the certificate to their list of trusted certificates - but I am curious about the following:
1) Is the connection to the server (are the packets that are transferring from client to web server) just as secure as if the certificate were signed by Verisign?
2) Is there any real difference between the two certificates other than the fact that the user must add the certificate to the list of trusted certificates since it's not signed by Verisign?
Thanks,
Jim

Keytool can generate a certificate that can be similar in terms of security to a Verisign certificate. Thus the answers to your questions are yes and no respectively.
Both deal with X.509 certificates. A little bit of research on X.509 and what Verisign uses (for example the private key size, X.509 version number and relevant certificate fields) can be helpful.
GS

Similar Messages

  • How to use "keytool" generated certificates in B2B

    Hi,
    I have generated a few certificate stores (files containing a private key and trust certificate) in ".jks" format and exported the client certificate from them in ".der" format using "keytool" commands in Java. Now I want to use them for SSL authentication.
    Is there any possible way of doing this?
    I tried to open these keystores in Wallet Manager but it did not accept those keystores. I even tried to create a keystore with the name "ewallet.pk12" (in PKCS12 format) but Wallet Manager did not accept its password.
    Please provide a solution if it exists.
    Thanks in advance.
    Regards,
    Anuj Dwivedi

    Hi,
    If you are generating keys/certificates, maybe you could make "keytool" generate the keystore in PKCS12 format. This format can be opened using Oracle Wallet Manager. Here's the command:
    keytool -genkey -keyalg "RSA" -keystore ewallet.p12 -storepass welcome1 -storetype PKCS12
    The above command would create a wallet in the current directory and the same can be opened in the "Oracle Wallet Manager".
    Other approach:
    If you want to export just the certificates alone from a "JKS" format keystore and add them to the ewallet.p12 as a trusted entry, you can very well do that.
    One thing to note here: make sure the keys are generated using algorithm "RSA". Sample commands below:
    1. keytool -genkey -keyalg RSA -keystore test.jks
    2. keytool -export -file test.crt -keystore test.jks
    3. You could import the certificate "test.crt" created in the previous step to ewallet.p12 using "Oracle Wallet Manager".
    Regards,
    Sinkar
    [From Ramesh Team]

  • Can i generate certificates using java api

    Can I generate certificates signed by my private key using the Java API?
    I found that CertificateFactory must generate a certificate from a file,
    but how can I generate this file?
    Thanks

    visit :
    http://java.sun.com/j2se/1.3/docs/tooldocs/win32/jarsigner.html
    http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
    You can create your own certificate.
    Edward

  • Generating certificate with predefined certificate SerialNumber field

    Hi!
    I need to generate a certificate (programmatically or using keytool) which should contain a predefined serial number. E.g., after generating the certificate we see:
    Owner: CN=SomeBody, O=SomeBody.com, L=A, C=B
    Issuer: CN=SomeBody, O=SomeBody.com, L=A, C=B
    Serial number: 25fca39d
    Valid from: Fri Feb 13 12:15:09 EET 2004 until: Sat Feb 12 12:15:09 EET 2005
    Certificate fingerprints:
             MD5:  87:41:93:58:71:7C:DC:59:50:F2:79:92:86:CC:0A:8C
             SHA1: 24:2B:27:6B:17:AB:9B:6D:1D:6D:4F:A0:D9:CA:42:AC:51:5D:6A:54
    Field "Serial number" should be predefined. Am I able to do this?
    Thanks.

    keytool doesn't seem to do it, and Java doesn't really offer much help in programmatically creating certificates at all.
    However, at least glancing at the documentation, the bouncycastle (http://www.bouncycastle.org ) provider seems to have this capability. See for example the classes
    org.bouncycastle.x509.X509V1CertificateGenerator and org.bouncycastle.x509.X509V3CertificateGenerator

  • Self Generated certificate validity issue in ACS 4.0 for Windows

    Hi,
    Is there any solution to extend the validity time of the self-generated certificate on ACS? By default the validity is set to one year.
    The server certificate on one of the ACS servers, which is the CA, has expired and I need to renew it.
    Is it possible for only one certificate from a third party to be used both as the server certificate and as the CA certificate for the other ACS servers?
    Thanks in Advance
    Regards,
    Ahmed

    Another solution would be to create an in-house (Microsoft, probably) CA, and get a certificate for your ACS server. Go through the installation steps of the Microsoft CA beforehand, as the validity date for the server certificate (I guess) is configured during the initial install of the CA.
    Regards,
    Prem

  • Generate certificates valid for smart card (Windows logon) with third party PKI (not Microsoft)

    Hello everyone,
    Today I am working on a PKI mounted on a Red Hat Enterprise Linux Server release 5.5 (Tikanga); it is Easycert 5.2.2.15. We need to know what data we have to give to the PKI so it can generate certificates for users in Active Directory, for use with a USB token (ACOS5-64 crypto chip) functioning as a smart card to log users on to computers.
    On the other hand, we also need to know the necessary settings between the third-party PKI and the domain controllers (Windows 2012).
    Greetings, and I hope for your response.
    TechCach

    > It is for Windows 2012.
    Nothing changed since Windows Server 2003. Here is a KB article:
    http://support2.microsoft.com/kb/281245
    > Is the scenario supported by Microsoft?
    Yes, of course. See the KB article above.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • Install self generated certificates

    Hi all,
    Can anyone advise on how to install a self-generated certificate as a trusted server/client certificate?
    Regards
    Ken

    Hi Ken,
    Which version of WebServer are you using?
    The following docs for WebServer 6.1 sp5 give all of the information that you should need about installing certificates:
    http://docs.sun.com/source/819-0130/agcert.html#wp1004981
    Hope this helps

  • Generating certificates *without* keytool

    I'm trying to replace some Java code based on Baltimore KeyTools so that it uses only what ships in the JCE. In particular, I'd like to be able to create a self-signed certificate given a DN and some other bits of information, then generate and process certificate requests, without forking a subshell, running 'keytool', etc. I've gone through everything I can find on-line, and through Weiss's "Java Cryptography Extensions" book, but have drawn a blank. I'd be buy-you-a-beer grateful to anyone who could point me in the right direction.
    Thanks,
    Greg Wilson
    p.s. I've looked at Bouncy Castle, and understand that I could add it to my application to do these things. However, I'd still like to know if this can be done using just the JCE...

    Simply put:
    Creating a certificate (X.509), a certificate request (PKCS#10), and other cryptographic formats (like PKCS#7 or CMS) requires ASN.1 encoding and decoding routines. They are not difficult to write, but they need to be written correctly. You'll need to add a third-party library to encode/decode ASN.1.
    Then you'll need to create and test a lot of code just to prepare a PKCS#10 request.
    Imagine the maintenance issues (finding someone who can understand RFCs and deal with ASN.1 definitions correctly, etc.).
    Stick to BouncyCastle instead. (Using BouncyCastle also requires some ASN.1 and RFC knowledge, but you're simply a user, not a builder. It's far easier being just a user.)
    There is some code in rt.jar that you "could" try to use, like sun.misc.....PKCS7, but I strongly recommend not using such Sun classes directly. (Imagine using your code in a non-Sun JDK like IBM's (in WebSphere environments) or BEA's (in WebLogic environments).)
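As an added illustration of the point made above (this is not code from the thread or from BouncyCastle), here is a minimal DER encoder in Python for the pieces a PKCS#10 request or an X.509 Name is assembled from. It shows the rules that are easy to get subtly wrong: minimal-length INTEGER encoding with the leading-zero rule, long-form lengths, base-128 OID arcs with the first two arcs packed into one sub-identifier, and DER's requirement that SET OF elements be sorted. The attribute-type and rsaEncryption OIDs are the standard ones; the function names and the sample Name are constructed for the example.

```python
"""Minimal DER encoder for the building blocks of a PKCS#10 request or X.509 certificate.

Added illustration, not code from the thread. It encodes INTEGER, OBJECT IDENTIFIER,
NULL, UTF8String, PrintableString, SEQUENCE and SET OF, then uses them for an
AlgorithmIdentifier and an X.501 Name.
"""

# Real object identifiers from X.520 (attribute types) and PKCS#1 (rsaEncryption).
ATTRIBUTE_OIDS = {
    "CN": "2.5.4.3", "O": "2.5.4.10", "OU": "2.5.4.11", "C": "2.5.4.6", "L": "2.5.4.7",
}
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


def der_length(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian length bytes."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """INTEGER: minimal two's complement; a leading 0x00 appears only when the high bit is set."""
    magnitude = value if value >= 0 else -value - 1
    size = magnitude.bit_length() // 8 + 1
    return der_tlv(0x02, value.to_bytes(size, "big", signed=True))


def _base128(n: int) -> bytes:
    """OID sub-identifier: 7 bits per byte, high bit set on every byte except the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: the first two arcs are packed as 40*a + b."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return der_tlv(0x06, body)


def der_null() -> bytes:
    return b"\x05\x00"


def der_utf8_string(s: str) -> bytes:
    return der_tlv(0x0C, s.encode("utf-8"))


def der_printable_string(s: str) -> bytes:
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
    if not set(s) <= allowed:
        raise ValueError(f"not a PrintableString: {s!r}")
    return der_tlv(0x13, s.encode("ascii"))


def der_sequence(*elements: bytes) -> bytes:
    return der_tlv(0x30, b"".join(elements))


def der_set(*elements: bytes) -> bytes:
    """SET OF: DER requires the encoded elements in ascending byte order."""
    return der_tlv(0x31, b"".join(sorted(elements)))


def der_algorithm_identifier(oid: str, parameters: bytes = der_null()) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    return der_sequence(der_oid(oid), parameters)


def der_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN here is a SET OF one
    AttributeTypeAndValue (SEQUENCE { type OID, value }).
    Input: [(type, value), ...], e.g. [("CN", "SomeName"), ("O", "Example")]."""
    encoded = []
    for attr_type, value in rdns:
        oid = ATTRIBUTE_OIDS[attr_type.upper()]
        # countryName is constrained to PrintableString; the others may be UTF8String.
        enc_value = der_printable_string(value) if attr_type.upper() == "C" else der_utf8_string(value)
        encoded.append(der_set(der_sequence(der_oid(oid), enc_value)))
    return der_sequence(*encoded)


if __name__ == "__main__":
    print(der_name([("CN", "SomeName")]).hex())
    print(der_algorithm_identifier(RSA_ENCRYPTION_OID).hex())
```

Running the script prints the hex of a Name containing only CN=SomeName and of the rsaEncryption AlgorithmIdentifier; compare them against what keytool -printcert or an ASN.1 dumper shows for a real certificate and the structures line up byte for byte.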

  • Keytool exporting certificate chain

    I went through the steps of generating a key pair with keytool and created a certificate signing request.
    Using openSSL I signed the certificate and imported it back into the keystore.
    When I run:
    keytool -list -v -keystore myKS.jks -alias my_site
    I see the certificate and it indicates it's in a chain of two certificates. So far so good.
    However, when I export the certificate, only the site certificate is exported and not the full chain.
    How do I export the chain into a single file?
    If I can't, is there a way I can glue the root certificate and the site certificate into a single file?

    Check this out:
    http://www-106.ibm.com/developerworks/java/library/j-certgen/?ca=dgr-jw17j-certgen
    I hope it will help you.

  • Java (JSSE), keytool and certificates

    Hello,
    I have a few basic problems with Certificates and JSSE.
    I need to code a client-server program for company-internal use. For this program I need a secure way of communicating over TCP. Thus I thought SSL is the thing I need. Now I have a few basic problems with the 'SSL idea'.
    What I know (or what I think I know):
    The server has access to a private key which I previously generated with
    keytool -genkey -dname "cn=Programm Name, ou=something, o=company name, c=country-code" -alias myalias -keypass keypass -keystore /some/where/keystore -storepass storepass -validity 180
    Well... the server has access to this keystore to decrypt any incoming data encrypted with the public key of this private key. Am I correct?
    What I further (think I) know is that the client gets the signed public key after opening the socket to this server. After verifying the reliability of this public key, the client can now encrypt all outgoing data to the server with its public key. I think that the client now itself sends a key for further encryption to the server. Correct? The further encryption should now be a symmetric one.
    My problem is now: Where is the public key? And how can I sign it?
    What I already did:
    keytool -certreq -alias myalias -file cert-request.csr -keystore /some/where/keystore
    I think this is the request which I should send to some CA and get back the signed public key? If yes, is there a way to do it myself, because it's for internal use anyway?
    And another thing: I read (and tried to understand) the JSSE Reference Guide and the contained examples (SSLSocketClientWithClientAuth and ClassFileServer). For these examples the server AND the client need access to the keystore, which I thought was the keystore containing the private key. But this couldn't be the truth, because the private key should only be accessible by the server.
    Which files are now needed on which side? And where do I get these needed files?
    Well, I need some kind of explanation help here and appreciate any help :)
    Regards,
    Martin

    > The server has access to a private key which I previously generated with
    > keytool -genkey -dname "cn=Programm Name, ou=something, o=company name, c=country-code" -alias myalias -keypass keypass -keystore /some/where/keystore -storepass storepass -validity 180
    > Well... the server has access to this keystore to decrypt any incoming data encrypted with the public key of this private key. Am I correct?
    Yes.
    > What I further (think I) know is that the client gets the signed public key after opening the socket to this server. After verifying the reliability of this public key, the client can now encrypt all outgoing data to the server with its public key. I think that the client now itself sends a key for further encryption to the server. Correct? The further encryption should now be a symmetric one.
    More or less.
    > My problem is now: Where is the public key? And how can I sign it?
    The public key is in the keystore, and it was signed at the same time it and the private key were created.
    > What I already did:
    > keytool -certreq -alias myalias -file cert-request.csr -keystore /some/where/keystore
    > I think this is the request which I should send to some CA and get back the signed public key? If yes, is there a way to do it myself, because it's for internal use anyway?
    > And another thing: I read (and tried to understand) the JSSE Reference Guide and the contained examples (SSLSocketClientWithClientAuth and ClassFileServer). For these examples the server AND the client need access to the keystore, which I thought was the keystore containing the private key. But this couldn't be the truth, because the private key should only be accessible by the server.
    > Which files are now needed on which side? And where do I get these needed files?
    > Well, I need some kind of explanation help here and appreciate any help :)
    > Regards,
    > Martin
    I think you are really asking several questions here, but I'll try to answer them.
    When you use keytool -genkey, a keypair is created. A keypair consists of a private key and a public key. keytool stores the public key in a self-signed certificate. You can immediately use this self-signed certificate to make SSL connections, provided the peer has been configured to trust it. Most peers, e.g. IE and Mozilla, are configured to trust certificates signed by a set of well-known CAs and will complain when they receive your certificate. If you would like to avoid these complaints, you can get your certificate signed by one of these CAs. To do so, you would create a CSR using keytool -certreq, and send the CSR to a CA (along with $$$). The CA will do what they need to verify you and when satisfied they'll send you a certificate or certificate chain. You can then import this with keytool -import. This will replace the self-signed certificate that was there originally.
    This describes what happens at the server side. You may optionally configure SSL to require client-side authentication. If you do, you must repeat the above process for each client. The clients do not share keystores with the server.

  • Keytool generated keys portable to other platforms?

    I generated asymmetric keys using Java Keytool on Windows NT. Are the keys portable to Unix ? Also, can programs like Perl, ASP read these keys? Thank you.

    > This is not completely correct. Key tool does not allow export of private keys. It is a real drag for developers.
    You don't need to export anything. BTW, a PKCS#12 keystore can be created by using keytool with an appropriate JCE provider with PKCS#12 support. Then you can open it on another platform that supports PKCS#12 (e.g. Mozilla or MSIE web browsers can do it). For more detail on PKCS#12 refer to the OpenSSL PKCS#12 FAQ: http://www.drh-consultancy.demon.co.uk/pkcs12faq.html

  • Use BC to generate certificate

    Hello, everyone,
    I am trying to generate my own certificate instead of asking for it from a CA such as verisign.com. And I know that the provider from Sun cannot do that. So, I turned to the BC provider. But I really have no idea about how to generate my certificate programmatically. Is there any tutorial or sample code talking about how to do that using BC? Or is there any other method to learn how to do that?
    Your help is highly appreciated!
    Regards

    import java.math.BigInteger;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.SecureRandom;
    import java.security.Security;
    import java.security.cert.X509Certificate;
    import java.util.Calendar;
    import org.bouncycastle.asn1.x509.X509Name;
    import org.bouncycastle.jce.X509KeyUsage;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.bouncycastle.x509.X509V3CertificateGenerator;

    public class SelfSignedCert {
        public static X509Certificate generate() throws Exception {
            Security.addProvider(new BouncyCastleProvider()); // register BC so the generator can sign
            X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); // key pair algorithm
            keyPairGenerator.initialize(1024); // key size (as posted; current deployments use 2048 or more)
            KeyPair keyPair = keyPairGenerator.generateKeyPair(); // generate keys
            int usage = X509KeyUsage.digitalSignature | X509KeyUsage.dataEncipherment; // set key usage, it's optional
            X509KeyUsage keyUsage = new X509KeyUsage(usage);
            certificateGenerator.addExtension("2.5.29.15", false, keyUsage); // 2.5.29.15 = id-ce-keyUsage, non-critical
            certificateGenerator.setSerialNumber(BigInteger.ONE); // set serial number
            String x509Name = "CN=SomeName";
            certificateGenerator.setIssuerDN(new X509Name(x509Name)); // self-signed: issuer and subject are the same
            certificateGenerator.setSubjectDN(new X509Name(x509Name));
            Calendar nextYearDate = Calendar.getInstance();
            nextYearDate.add(Calendar.YEAR, 1); // Valid for 1 year
            certificateGenerator.setNotAfter(nextYearDate.getTime());
            certificateGenerator.setNotBefore(Calendar.getInstance().getTime());
            certificateGenerator.setSignatureAlgorithm("SHA1withRSA"); // as posted; SHA-2 variants are the current choice
            certificateGenerator.setPublicKey(keyPair.getPublic());
            String alias = Long.toHexString(SecureRandom.getInstance("SHA1PRNG").nextLong()); // random alias for storing the entry
            return certificateGenerator.generateX509Certificate(keyPair.getPrivate()); // sign with our own private key
        }
    }

  • Generating certificates pem file

    Hi,
    I am new to configuring client side ssl, I understand
    the client (which will actually run inside WLS 8.1) needs to specify programmatically or by a system property a .pem file containing trusted servers' certificates. So if I understand correctly, I might have a couple of certificates, each from a different server I will be communicating with, so how should I "merge" them into one .pem file? Shouldn't there be some command line tool available? Or should they simply be inserted manually into the same file with the
    "-----BEGIN CERTIFICATE-----"
    "-----END CERTIFICATE-----"
    header/footer to separate them?
    Any help would be appreciated,
    Thanks,
    Uri.

    That's also what I thought.
    I am actually using BEA's JRockit but I suppose they have a keytool similar to the one Sun provides.
    I know how to import a CA certificate to a truststore.
    The thing is I need to invoke a web service via SSL, and as I was reading through the docs I encountered this section, regarding the configuration of the SSL client in WebLogic:
    > To configure basic SSL support for your client application, follow these steps:
    > Set the filename of the file containing trusted Certificate Authority (CA) certificates. Do this by either:
    > Setting the System property weblogic.webservice.client.ssl.trustedcertfile to the name of the file that contains a collection of PEM-encoded certificates.
    > Executing the BaseWLSSLAdapter.setTrustedCertificatesFile(String ca_filename) method in your client application.
    (http://e-docs.bea.com/wls/docs81/webserv/security.html#1053203)
    Maybe I misunderstood the text and PEM is simply the default encoding? That is, the encoding used for any JKS?
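On the original question of merging several servers' certificates into one .pem file: a PEM bundle is just the BEGIN/END blocks placed one after another, so concatenating the files with cat works. The Python below is an added example (not from the thread, and not WebLogic's or the JDK's code) that does the same merge while checking that each block is valid base64 and decodes to one complete DER SEQUENCE, and that drops byte-identical duplicates. The two tiny SEQUENCEs it uses as sample input are constructed stand-ins for real certificates, and the function names are the example's own.

```python
"""Parse, validate and merge PEM certificate bundles (added illustration, not thread code)."""
import base64
import re

# One PEM block: label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_total_length(der: bytes) -> int:
    """Full length of the outermost TLV (tag + length field + content) so truncation is caught."""
    if len(der) < 2:
        raise ValueError("too short to be DER")
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    count = first & 0x7F  # long form: number of length bytes that follow
    if count == 0 or len(der) < 2 + count:
        raise ValueError("bad DER length field")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def parse_pem_bundle(text: str):
    """Return [(label, der_bytes), ...] for every PEM block; raise on a malformed block."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), re.sub(r"\s+", "", match.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not start with a DER SEQUENCE")
        if der_total_length(der) != len(der):
            raise ValueError(f"{label} block is truncated or has trailing bytes")
        blocks.append((label, der))
    return blocks


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Re-emit DER as a PEM block with the usual 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def merge_pem(*texts: str, label: str = "CERTIFICATE") -> str:
    """Concatenate several PEM files into one bundle, keeping only blocks with `label`
    and dropping duplicates, so a CA certificate present in two files appears once."""
    seen, out = set(), []
    for text in texts:
        for block_label, der in parse_pem_bundle(text):
            if block_label == label and der not in seen:
                seen.add(der)
                out.append(to_pem(der, label))
    return "".join(out)


# Constructed sample input: two tiny DER SEQUENCEs standing in for real certificates
# (a real certificate is also an outer SEQUENCE, just a far longer one).
SAMPLE_DER_A = b"\x30\x03\x02\x01\x01"
SAMPLE_DER_B = b"\x30\x03\x02\x01\x02"
SERVER_A_PEM = to_pem(SAMPLE_DER_A)
SERVER_B_PEM = to_pem(SAMPLE_DER_B) + to_pem(SAMPLE_DER_A)  # server B's file also carries A

if __name__ == "__main__":
    print(merge_pem(SERVER_A_PEM, SERVER_B_PEM), end="")
```

The length check is the part cat cannot give you: a certificate that was cut off during a copy-and-paste still looks like a PEM block but fails to decode as one complete SEQUENCE, and it is better to find that here than as an unexplained handshake failure in the client.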

  • Generate Certificates for WLC and clients

    Hi Guys
    I've been working according to the following document to integrate my WLC 5508 with LDAP for internal users:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    However, when I try to generate the device certificate on Windows Server 2012, I see the steps are different. For example, when I reach step 4 (of the "Generate a Device Certificate for the WLC" section), the CA asks me for a Certificate Signing Request instead of the "Create and submit a request to this CA" option, as appears in the document.
    How do I get this? 
    Thanks in advance for your support!
    Marcelo

    Hi,
    If you are trying to get a device certificate for the WLC, then you may need to use third-party software like OpenSSL for this.
    The post below may help you to see how you can do this:
    http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Error generating certificate request in JES DSEE 6.0

    If I try to generate a CA-signed certificate request through the DSCC interface, I get an error message that the given subject "CN=...,O=..." is improperly formatted.
    I get the same error while performing this operation through the command line.
    Any kind of help on what could be the reason for this is highly appreciated.
    Thanks
    Prabhjeet

    Well, the fact that both tools are issuing the same error is an indication that there really is an improper format in the Subject DN. Without the complete value, it is hard to explain the reason.
    Do the CN and O values only contain ASCII characters or UTF-8 encoded characters?
    Regards,
    Ludovic.
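An added example (not from the thread, and not DSEE's or keytool's code) of how to check a Subject DN string before handing it to a tool: a strict RFC 4514 parser in Python that reports the offset of an improper format (missing '=', empty value, stray or trailing separator, unescaped special character, bad escape) and lists values containing non-ASCII characters, which is the question raised in the reply. The function names and the sample DNs in the usage block are constructed for the example.

```python
"""Strict RFC 4514 parser for DN strings such as "CN=...,O=..." (added illustration)."""
import re

# Attribute type: a descriptor (CN, O, ...) or a dotted OID, followed by '=' with optional spaces.
TYPE_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)\s*=")
SPECIALS = ',+"\\<>;'  # must be backslash-escaped inside a value
HEXDIGITS = set("0123456789abcdefABCDEF")


def _parse_value(dn: str, i: int):
    """Parse one attribute value starting at dn[i]; return (value, index after the value)."""
    n = len(dn)
    parts = []  # (bytes, was_escaped): unescaped leading/trailing spaces are dropped
    if i < n and dn[i] == "#":
        raise ValueError(f"offset {i}: '#' must be escaped (hex-encoded values not supported here)")
    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError(f"offset {i}: dangling backslash")
            nxt = dn[i + 1]
            if nxt in SPECIALS or nxt in " #=":
                parts.append((nxt.encode("utf-8"), True))
                i += 2
            elif i + 2 < n and dn[i + 1] in HEXDIGITS and dn[i + 2] in HEXDIGITS:
                parts.append((bytes([int(dn[i + 1:i + 3], 16)]), True))  # one raw UTF-8 byte
                i += 3
            else:
                raise ValueError(f"offset {i}: invalid escape '\\{nxt}'")
        elif c in ",;+":
            break  # end of this attribute value
        elif c in '"<>':
            raise ValueError(f"offset {i}: unescaped special character {c!r}")
        else:
            parts.append((c.encode("utf-8"), False))
            i += 1
    while parts and parts[0] == (b" ", False):
        parts.pop(0)
    while parts and parts[-1] == (b" ", False):
        parts.pop()
    raw = b"".join(p for p, _ in parts)
    try:
        return raw.decode("utf-8"), i
    except UnicodeDecodeError as exc:
        raise ValueError(f"value ending at offset {i} is not valid UTF-8") from exc


def parse_dn(dn: str):
    """Return a list of RDNs, each a list of (type, value) pairs, in the order written.
    'CN=a+OU=b,O=c' -> [[('CN', 'a'), ('OU', 'b')], [('O', 'c')]]"""
    if not dn.strip():
        raise ValueError("empty DN")
    rdns, current, i, n = [], [], 0, len(dn)
    while True:
        m = TYPE_RE.match(dn, i)
        if not m:
            raise ValueError(f"offset {i}: expected 'type=' but found {dn[i:i + 10]!r}")
        attr_type = m.group(1)
        value, i = _parse_value(dn, m.end())
        if not value:
            raise ValueError(f"offset {m.end()}: empty value for {attr_type}")
        current.append((attr_type, value))
        if i >= n:
            rdns.append(current)
            return rdns
        sep, i = dn[i], i + 1
        if sep == "+":
            continue  # multi-valued RDN: the same RDN continues
        rdns.append(current)
        current = []
        if i >= n:
            raise ValueError(f"offset {i}: trailing separator {sep!r}")


def non_ascii_values(rdns):
    """Values containing characters outside ASCII (the point raised in the reply)."""
    return [v for rdn in rdns for _, v in rdn if any(ord(ch) > 127 for ch in v)]


def check_dn(dn: str) -> str:
    """One-line verdict for an operator."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return f"improperly formatted: {exc}"
    flagged = non_ascii_values(rdns)
    return "ok, non-ASCII values: " + repr(flagged) if flagged else "ok"


if __name__ == "__main__":
    # Constructed sample DNs: well-formed, escaped comma, non-ASCII, and three malformed ones.
    for sample in ["CN=Jane Doe, O=Example Corp, C=US", "CN=Doe\\, Jane,O=Example",
                   "CN=Müller,O=Beispiel", "CN=Jane,,O=Example", "CN=Jane,O", "CN=,O=Example"]:
        print(f"{sample!r}: {check_dn(sample)}")
```

The offset in the error message is what the DSCC error lacks; running the DN through this before submitting it usually shows the stray comma or unescaped character directly. Non-ASCII values are not wrong in themselves, but the parser lists them so they can be checked against what the receiving tool accepts.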
