CSS 11503 SSL Module: .pfx file export to sftp

Hello
I wanted to know if there was a way to export the .pfx files off of the SSL Module to an SFTP server.....preferably in bulk not one at a time.  I want a central storage location for these files in the event that the CSS or the SSL module crashes.
Thanks

Hi Jay,
Sure you can export the .pfx files out of the CSS but you need to do this one by one, there is no way you can get them out all at once.
To export the files you first need to define your SFTP server IP address, username and passwd:
CSS(config)# ftp-record SFTP_Server 10.10.10.1 username "password"
Once you have the file name you need to enter this command:
CSS# copy ssl sftp SFTP_Server export Certificate.pfx PKCS12 "passphrase" "password"
: This is the password used to protect the file when it was created.
: This is a locally significant password on the CSS used when the file was imported into the box.
* If you don't know these passwds you can't export the files out of the CSS.
HTH
Pablo

Similar Messages

  • CSS 11503 - SSl - Unable to clear/delete rsakey

    Hi,
    We have recently configured an ssl redirect service on the CSS11503. This works great.
    The css was then cleared of all configuration including all ssl cert/key associations in order to test recovery.
    The problem we are experiencing is that there is a rsakey file that is shown as existing but cannot be used or deleted.
    Can anyone explain this?
    Also when the generated digital certificates have been authenticated by Verisign. When trying to download to cisco a vendor code is required which we do not have?
    Has anyone had similar problems?

    Ravi,
    There are multiple types supported by the CSS SSL Module and WebNS.
    If you select apache, you will get a PEM certificate.
    WIN2000 IIS 5 uses PKCS12, and NT IIS4 uses DER
    PEM, DER, and PKCS12 is supported by the CSS.
    This info can be found at
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080157875.html#1063169
    I generally tell people to select apache, but the others should work. I agree, Cisco should be listed at the Apache website.

  • CSS without SSL Module needing sticky sessions

    Hello All,
    If anyone can help with this sticky situation I'd appreciate it.
    I have a customer with a CSS11501. He does not have an SSL module installed.
    He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
    I've configured the following:-
    service web1
    protocol tcp
    port 443
    keepalive type tcp
    ip address 192.168.200.50
    string web1
    active
    service web2
    protocol tcp
    port 443
    keepalive type tcp
    ip address 192.168.200.51
    string web2
    active
    content SSL_Web
    add service web1
    add service web2
    protocol tcp
    port 443
    vip address 1.2.3.4
    application ssl
    advanced-balance sticky-srcip-dstport
    active
    group web_Farm
      add service web1
      add service web2
      vip address 1.2.3.4
      active
    I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
    Once the customer turns off the second blade, all is ok.
    I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
    Best Regards Tony

    Tony,
    The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
    Regards
    Jim

  • HTTPS and SSL with CSS (No SSL Module)

    Hi,
    My customers have two servers and need to load balance.
    These servers initiate SSL.
    and VIP address is :
    https://erpappl.erp.mis.blabla.tgc:8005
    My CSS has no ssl module. And configuration is:
    service venice
    ip address 10.200.104.32
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 120
    active
    service calgary
    ip address 10.200.104.33
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 121
    active
    owner ERPAPPL
    content erpapp_test
    add service venice
    add service calgary
    redundant-index 60
    vip address 10.200.104.28
    protocol tcp
    port 8005
    url "/*"
    arrowpoint-cookie expiration 00:00:03:00
    advanced-balance arrowpoint-cookie
    application ssl
    active
    After this configuration I cannot reach the URL shown above.
    Can you help me?

    if this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
    So the CSS can't see the url [-> so the command url "/*" is incorrect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
    If we sell an SSL module, there is a reason :-)
    The only sticky option you can use are :
    - sticky based on srcip
    - sticky on sslid
    The first option [srcip] has a problem with mega proxy [many users being NATed with the same ip] and the 2nd option has the problem that it only works with SSLV2 and that some browsers do not use the sslid.
    Gilles.

  • CSS with SSL module - how many certs do we need

    Hello,
    currently moving from server-based certs to CSS/SSL based.
    We have two sites, two CSS/SSL on each in ASR mode.
    There are two real servers behind each SSL rule for load balancing.
    The question becomes how many certificates do we need
    for such design ?
    For sure we need one per site, then on each site we have Active/Standby CSS's.
    Do we need separate certificate for each CSS?
    I don't think so, cause only one is active at the time.
    I tested it with same certificate on both CSS's on one site, no problem.
    The question is will it be ok for production ?
    So total number would be 2 cert for such design (one per VIP) if we have one SSL rule per site, and 4 if we have 2 SSL rule per site - is it ok ?
    Thank you,
    Alex

    the certificate is linked to a host name ie: www.mycompany.com.
    So, if you have 4 css, all handling traffic for www.mycompany.com, then they can all share the same certificate.
    Even if you have the 4 CSS split over 2 sites, using different vip, as long as they handle the same hostname, then they can share the certificate.
    Actually, the CSS itself does not care about hostname/certificate mapping.
    The CSS will use whatever certificate you configure it to use.
    However, browsers make a check url <-> certificate and if there is a mismatch, they pop up an error message.
    Regards,
    Gilles.

  • CSS 11503 SSL termination and 256 bit support

    Does anyone know if the CSS11503 can support 256 bit SSL termination?

    switch/Admin(config-parammap-ssl)# cipher ?
    RSA_EXPORT1024_WITH_DES_CBC_SHA Accept RSA_EXPORT1024_WITH_DES_CBC_SHA cipher
    RSA_EXPORT1024_WITH_RC4_56_MD5 Accept RSA_EXPORT1024_WITH_RC4_56_MD5 cipher
    RSA_EXPORT1024_WITH_RC4_56_SHA Accept RSA_EXPORT1024_WITH_RC4_56_SHA cipher
    RSA_EXPORT_WITH_DES40_CBC_SHA Accept RSA_EXPORT_WITH_DES40_CBC_SHA cipher
    RSA_EXPORT_WITH_RC4_40_MD5 Accept RSA_EXPORT_WITH_RC4_40_MD5 cipher
    RSA_WITH_3DES_EDE_CBC_SHA Accept RSA_WITH_3DES_EDE_CBC_SHA cipher
    RSA_WITH_AES_128_CBC_SHA Accept RSA_WITH_AES_128_CBC_SHA cipher
    RSA_WITH_AES_256_CBC_SHA Accept RSA_WITH_AES_256_CBC_SHA cipher
    RSA_WITH_DES_CBC_SHA Accept RSA_WITH_DES_CBC_SHA cipher
    RSA_WITH_RC4_128_MD5 Accept RSA_WITH_RC4_128_MD5 cipher
    RSA_WITH_RC4_128_SHA Accept RSA_WITH_RC4_128_SHA cipher
    The following 256 bits cipher is already supported :
    RSA_WITH_AES_256_CBC_SHA
    Gilles.
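
An added example, not part of the original thread or any Cisco tooling: a small audit that parses the cipher names from the `cipher ?` listing above, derives the nominal key size of each suite, and flags export-grade, sub-128-bit, RC4, 64-bit-block and MD5 suites. It also accepts the lowercase hyphenated form used in `ssl-server ... cipher` lines; the function names and the flagging criteria are this example's own assumptions.

```python
import re
from typing import NamedTuple, Optional

# Nominal key sizes (bits) of the bulk ciphers that appear in the suite names.
# 3DES is nominally 168 bits (its effective strength is about 112 bits).
BULK_BITS = {
    "DES40_CBC": 40,
    "RC4_40": 40,
    "RC4_56": 56,
    "DES_CBC": 56,
    "RC4_128": 128,
    "AES_128_CBC": 128,
    "3DES_EDE_CBC": 168,
    "AES_256_CBC": 256,
}

# RSA[_EXPORT|_EXPORT1024]_WITH_<bulk cipher>_<MAC>
SUITE_RE = re.compile(r"^RSA(?:_(EXPORT(?:1024)?))?_WITH_(.+)_(SHA|MD5)$")

# Cipher names copied from the listing quoted in the thread above.
CIPHER_HELP = """
RSA_EXPORT1024_WITH_DES_CBC_SHA Accept RSA_EXPORT1024_WITH_DES_CBC_SHA cipher
RSA_EXPORT1024_WITH_RC4_56_MD5 Accept RSA_EXPORT1024_WITH_RC4_56_MD5 cipher
RSA_EXPORT1024_WITH_RC4_56_SHA Accept RSA_EXPORT1024_WITH_RC4_56_SHA cipher
RSA_EXPORT_WITH_DES40_CBC_SHA Accept RSA_EXPORT_WITH_DES40_CBC_SHA cipher
RSA_EXPORT_WITH_RC4_40_MD5 Accept RSA_EXPORT_WITH_RC4_40_MD5 cipher
RSA_WITH_3DES_EDE_CBC_SHA Accept RSA_WITH_3DES_EDE_CBC_SHA cipher
RSA_WITH_AES_128_CBC_SHA Accept RSA_WITH_AES_128_CBC_SHA cipher
RSA_WITH_AES_256_CBC_SHA Accept RSA_WITH_AES_256_CBC_SHA cipher
RSA_WITH_DES_CBC_SHA Accept RSA_WITH_DES_CBC_SHA cipher
RSA_WITH_RC4_128_MD5 Accept RSA_WITH_RC4_128_MD5 cipher
RSA_WITH_RC4_128_SHA Accept RSA_WITH_RC4_128_SHA cipher
"""

# Proxy-list lines in the hyphenated form (addresses are placeholders).
PROXY_LINES = """
ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
"""


class Suite(NamedTuple):
    name: str
    export: bool
    bulk: str
    bits: int
    mac: str


def parse_suite(token: str) -> Optional[Suite]:
    """Return a Suite for a cipher-suite token, or None for any other word."""
    name = token.strip().upper().replace("-", "_")
    m = SUITE_RE.match(name)
    if not m or m.group(2) not in BULK_BITS:
        return None
    bulk = m.group(2)
    return Suite(name, m.group(1) is not None, bulk, BULK_BITS[bulk], m.group(3))


def findings(s: Suite) -> list:
    """List the weaknesses that can be read off the suite name alone."""
    out = []
    if s.export:
        out.append("export-grade")
    if s.bits < 128:
        out.append(f"{s.bits}-bit key")
    if s.bulk.startswith("RC4"):
        out.append("RC4")
    if "DES" in s.bulk:  # DES and 3DES both use a 64-bit block
        out.append("64-bit block")
    if s.mac == "MD5":
        out.append("MD5 MAC")
    return out


def audit(text: str) -> dict:
    """Map each distinct suite found in CLI text to (key bits, findings)."""
    report = {}
    for token in text.split():
        s = parse_suite(token)
        if s and s.name not in report:
            report[s.name] = (s.bits, findings(s))
    return report


def clean_suites(text: str) -> list:
    """Suites with no finding at the cipher-name level, in listing order."""
    return [name for name, (_, f) in audit(text).items() if not f]


if __name__ == "__main__":
    for name, (bits, f) in audit(CIPHER_HELP).items():
        print(f"{name:34} {bits:>3} bits  {', '.join(f) or 'no finding'}")
```
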

  • CSS with single SSL module.. balance option needed?

    Hi all,
    Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
    For example if I have a L5 content rule like the one below and only one SSL module, should i remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic too and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
      content DEVCOM_TCP443_L5
        vip address x.x.x.x
        application ssl
        advanced-balance ssl
        protocol tcp
        port 443
        url "//dev.subdomain.domain.com/*"
        add service ssl_module1
        active
    I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
    Many thanks
    Scott

    You're correct.
    There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
    Gilles.

  • Unable to Export certificates as Personal Information Exchange - PKCS #12 (.PFX) file format.

    We are using Windows 2003 Certificate Authorities, and we are unable to Export certificates as .PFX, our only options are, DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), or Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B).  The .PFX option is grayed out in the Certificate Export Wizard on the CA.
    This poses a problem because our Windows 2008 server running IIS 7 wants us to import a certificate as .PFX
    can someone explain what is happening and how to fix it please

    Greg --
    The private key doesn't exist on the CA, but it does exist on the computer on which you created the request. Here's what happens when you request a certificate.
    If you're generating a request with a new key pair -- which you will in the vast majority of cases -- Windows first generates the public and private key pair. The private key is written to a key store. Where the key store is located will depend on which Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) is specified in the template. KSPs were introduced in Windows Server 2008/Vista, and are only available in v3 templates. In the case of most of the default Microsoft CSP/KSPs (with the exception of those used with Smart Cards), the key store is located in either the user's profile, or in the case of computer certificates, the All Users profile. It is at this point, by the way, that the properties of that private key are also written to the key store.
    One property of interest to you immediately is whether or not Windows should allow the private key to be exported.
    Once the key pair is generated, the request is then created. The request contains the information that should be in the certificate. This information is generally specified by the template with the exception of the Subject field, which contains the Common Name or Distinguished name of whoever is requesting the certificate. In the case of IIS, the Subject will be your site name. The public key is included in the request. Windows then signs the request with the newly created private key.
    Windows also creates a dummy certificate object in the Certificate Enrollment Requests store so that it knows that there is an outstanding request.
    At this point, the request is saved to a file or sent to an online CA depending on how you generated the request. Note that the private key is not sent to the CA in most cases. The exception to this rule occurs when you have Key Archival enabled on the CA, and the template specifies that the private key should be archived in the CA database. If this is the case, Windows retrieves the CA Exchange certificate from the CA and uses the public key in that certificate to encrypt the newly created private key. This encrypted private key is included in the request.
    Once the CA receives the request, it processes that request to determine if it should issue the certificate or not. In the case of the Enterprise CA, this decision is based on the permissions on the template. One can also specify that certain templates require CA manager approval before they can be issued. Assuming that everything is correct in the request, and that the necessary information can be retrieved from Active Directory (perhaps the user's email address, or the computer's DNS host name -- it depends on the settings in the template), and that any CA Manager approvals specified in the template have been performed, the CA builds the certificate and signs it with its current private key. The certificate has been created.
    This certificate is stored in the CA database, which is why you can export it in the Certificate Authority snap-in. If the encrypted private key for that certificate has been included in the request to be archived, the CA decrypts it first with its CA Exchange private key, and then re-encrypts it using the public key(s) for any Key Recovery Agents configured on the CA. The newly encrypted private key is also stored in the CA database. Note that this encrypted private key can only be retrieved and decrypted by a valid KRA.
    The CA then returns the certificate to the principal who requested it. If the request was first saved as a file and then submitted to the CA you have to retrieve the certificate manually. It is only returned automatically if you submitted the request via the Certificates MMC, or if the application you use to submit the request retrieves it for you. IIS does this, when you use the certificate request wizard to request a Web Server certificate.
    When the client has received the certificate, it locates the dummy certificate object in the Certificate Enrollment Requests store. From this object, Windows copies the location of the key store for the private key (among other things). This dummy certificate object is then deleted, and the new certificate is imported into the Personal store. The private key information is then written to an internal property of the certificate in the store. This is how Windows locates the private key of that certificate in order to use it when you invoke the associated certificate.
    When you go to export the certificate and private key, Windows reads the private key locate information from the certificate properties in order to find the key store wherein it is located. Assuming export is allowed, the certificate and private key are written to a password protected PFX file.
    That's how a certificate request gets turned into a certificate, and explains why the private key doesn't exist on the CA. If you need to generate a PFX file, then you'll have to export the certificate from the computer on which you generated the request.
    Hope this helps.
    Jonathan Stephens

  • CSS 115xx and SSL module.

    Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handling our external site web sites. We are starting to run out of external IP addresses. If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
    thx
    -Rich

    Check the URL: Overview of CSS SSL:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
    Examples of CSS SSL Configurations:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html

  • CSS - 11506 - Adding New SSL Services on Single SSL Modules

    Hi,
    We are having one pair of CSS 11506, currently SSL services are running on slot4 with single SSL module. Now we are planning to add one more SSL application with different certificates & keys on different VIP.
    Can we use the same slot4 for new application & using different certificates & keys on same SSL modules. Your response is appreciated

    Hi Sean,
    Thanks for replying back, just want a few clarifications in the configuration part.
    1. If new vlan is given for new application then how to point routes to the new vlan as default routes to existing vlan is already present.
    2. I've prepared a sample config template with detailed steps & let us know will it work & if changes are required kindly let us know.
    1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
    /home/johndoe
    2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
    Connecting
    Completed successfully
    3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
    Connecting
    Completed successfully
    4.Enter configuration mode.
    # config
    (config) #
    4. To use RSA public key exchange and authentication:
    a. Associate the imported RSA certificate with a file.
    (config) # ssl associate cert myrsacert1 rsacert.pem
    b. Associate the imported RSA key pair with a file.
    (config) # ssl associate rsakey myrsakey1 rsakey.pem
    5. Compare the public key in the associated certificate with the public key
    stored with the associated private key and verify that they are identical.
    (config) # ssl verify myrsacert1 myrsakey1
    Certificate mycert1 matches key mykey1
    ssl associate rsakey NEWKEY newkey.pem
    ssl associate cert NEWCERT newcert.pem
    !************************* INTERFACE *************************
    interface 3/3
    description "****WEB SIDE****"
    bridge vlan _ID_X.X.X.X
    bridge port-fast enable
    interface 3/4
    bridge vlan_ID_Y.Y.Y.Y
    bridge port-fast enable
    description "****PIX SIDE****"
    !************************** CIRCUIT **************************
    circuit VLAN_ID_X
    ip address A.A.A.A B.B.B.0
    ip virtual-router 2 priority 101 preempt
    ip redundant-interface 3 C.C.C.C
    ip critical-service 3 chk-con-pix_Y.Y.Y.Y
    ip critical-service 3 chk-con-web_X.X.X.X
    circuit VLAN_ID_Y
    ip address D.D.D.D E.E.E.0
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 4 F.F.F.F
    ip critical-service 4 chk-con-pix_Y.Y.Y.Y
    ip critical-service 4 chk-con-web_X.X.X.X
    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list NEW
    ssl-server 20
    ssl-server 20 vip address F.F.F.F
    ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
    ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
    ssl-server 20 rsacert NEWCERT
    ssl-server 20 rsakey NEWKEY
    active
    !************************** SERVICE **************************
    service FRONT_SSL
    type ssl-accel
    slot 4
    keepalive type none
    add ssl-proxy-list NEW
    active
    service WEBSERVER-03
    ip address G.G.G.G
    redundant-index 3
    protocol tcp
    port 80
    active
    service WEBSERVER-04
    ip address H.H.H.H
    redundant-index 4
    protocol tcp
    port 80
    active
    service chk-con-pix_Y.Y.Y.Y
    keepalive type script ap-kal-pinglist "N.N.N.N"
    ip address J.J.J.J
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    service chk-con-web_X
    ip address K.K.K.K
    keepalive type script ap-kal-pinglist "P.P.P.P"
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    !*************************** OWNER ***************************
    owner NEW
    content BACKNEW_HTTP
    vip address F.F.F.F
    add service WEBSERVER-03
    add service WEBSERVER-04
    protocol tcp
    port 81
    url "/*"
    redundant-index 5
    no persistent
    active
    content FRONTENDNEW_SSL
    vip address F.F.F.F
    protocol tcp
    port 443
    application ssl
    add service FRONT_SSL
    active
    content NEW
    url "//www.ABC.com/*"
    vip address F.F.F.F
    protocol tcp
    port 80
    redundant-index 4
    redirect "https://ABC.com"
    active
    Your reply on this would be highly appreciated.

  • Installing an SSL certificate for a CSS 11503

    I'm having the hardest time searching for clear instructions on how to request and install an SSL certificate for a CSS 11503 Content Switch. Can anyone help or point me in the right direction?
    I'm also looking for instructions on how to replace an SSL certificate once it's been installed. Thanks!

    Allen,
    The portion of the configuration guide related to SSL certificates and keys can be found here:
    http://cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eea82.html#1422544
    To replace an SSL certificate, you'll need to remove the current certificate and re-import/create the new one.
    ~Zach

  • CSS 11150 and SSL module function

    Hi, Pro:
    Is there any way I could find what ssl module could be used on CSS11150?
    Thanks,

    there is none.
    The css111xx and css110xx are not modular so you can't add or remove anything from it.
    You will need a CSS115xx.
    Regards,
    Gilles.

  • Global Certificate on CSS 11503

    Hi
    I am planning to enable https for few web servers behind a CSS 11503. I have tested the functionality with the trial cert every thing works as desired.
    Now I need to buy a certificate from Verisign to make it work in production.
    At verisign they offer two different certs (Secure Site --40 bits encryption) and (Secure Site Pro -- 128 bit encryption).
    1. Is this 128 bit cert a "global cert"? and I need to concatenate the "intermediate cert" and "server cert" to make it work?
    2. If all my users are in USA then does it make sense to buy this 128 bit certificate?
    3. Verisign website also asks for "server Platform" and cisco is not mentioned as an option (I can see other LB as F5 in the list). What should I select for the server Platform when I am requesting it for CSS 11503 (I have generated the CSR on CSS 11503).
    Thanks in advance
    Glenn

    1. The guy who picked up the phone at Verisign had no clue. Verisign website says the following
    Secure Site Certificate (40bit minimum)- SSL Certificates without SGC
    To install your SSL Certificate, go to the instructions below for your server software. If your server is not listed or you need additional information, refer to your server documentation or contact your server vendor
    Secure Site Pro Certificate(128bit minimum) - SSL Certificates with SGC
    If you are installing an SSL Certificate with SGC, you need to copy an Intermediate CA Certificate before proceeding to the installation instructions for your server software.
    2. My understanding was that 40 bit is minimum encryption level and only old browsers (exported ones) will use 40/56 bit ciphers. Otherwise even with 40 bit certificate the new browsers will establish a 128 bit session.
    Verisign says about their 40 bit certificate
    "40-Bit to 256-Bit SSL Encryption Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption. Site visitors using certain older browsers and many Windows 2000 users will only receive 40- or 56-bit encryption unless they’re connecting to an SGC-enabled SSL Certificate"
    I found a document on net in favor of buying 40 bit certs.
    http://www.whichssl.com/myths_about_sgc.html
    Gilles, I am a bit confused here. Need HELP :)

  • Commit_redundancy script and SSL modules

    I have a number of redundant pairs of 11500s with SSL modules in. When trying to sync the config using the commit_redundancy script it fails at the verification stage. Manually comparing the two running configs it appears that all the config is being replicated except that relating to the SSL config.
    Is this a known 'problem' and is there a quicker solution than manually copying the config? - it's a rather laborious task :(

    I have problems with the commit redundancy script as well, so I do it by hand. I'm currently working on compressing the script to be totally automatic and simple....but need to play with the replace_text function.
    For the most part, here is my procedure
    ftp the config to workstation
    modify the config
    ftp the config back to primary css
    now the next 2 commands I borrowed from the commit script
    @rcmd ${backupIp} "rcmd ${MASTER_IP} 'show script tmp.cfg' 20 newconfig" 20
    @rcmd ${backupIp} "arc scr newconfig startup-config;arc start old-config;rest startup-config start" 20
    issuing these 2 commands from the primary css will copy the file tmp.cfg in the script directory to startup-config on the backup css
    you can then choose to reload the backup, copy startup to runn, etc....on the backup to make the new config active
    Hope this helps

  • Help : How to import .pfx file to keystore

    Hi,
    I need to generate digital signature for some data string. I got the pfx file with password blank.
    It shows the following details using keytool.
    keytool -list -keystore rating/ebs/scripts/MPay_certificate_11072003.p12 -storetype pkcs12
    unknown attr1.3.6.1.4.1.311.17.1
    Enter keystore password:
    unknown attr1.3.6.1.4.1.311.17.1
    ***************** WARNING WARNING WARNING *****************
    * The integrity of the information stored in your keystore *
    * has NOT been verified! In order to verify its integrity, *
    * you must provide your keystore password. *
    ***************** WARNING WARNING WARNING *****************
    Keystore type: pkcs12
    Keystore provider: SunJSSE
    Your keystore contains 1 entry
    c1e673ff559b00e86a399a1b21e4aed2_6ee3fa08-8ba8-4ff1-a8fd-01031842a3a3, Aug 18, 2003, keyEntry,
    How can I generate the keystore file and know the private key alias so that i can generate the sign using sign().
    thanks in advance.
    Ranjan

    It is possible to import a .p12 file into a keystore with a small Java program...
    I found a sample to do this about a year ago, the source page is no longer valid. I have made some slight modifications to the original program, but left credit to the original author in the top (to the best of my knowledge).
    Sample execution being:
    $ java KeyStoreMove PKCS12 ~/igo.p12 p12-pas JKS ~/.keystore key-pas
    Source alias: lester igo id #2
    Rename alias to [<return> to keep original alias]: my-cert
    New alias: my-cert
    importing key lester igo id #2
    keystore copy successful
    /*
     * This code has been downloaded from the internet and contained no license.
     * The Source for this was: http://home.istar.ca/~neutron/Thawte/KeystoreMove.txt
     * The Page referencing it was: http://home.istar.ca/~neutron/Thawte/index.html
     * The author appears to be:
     * Michel I. Gallant
     * [email protected]
     */
    import java.io.*;
    import java.security.*;
    import java.util.*;

    public class KeyStoreMove {
        public static void main(String args[]) throws Throwable {
            // Registering the JSSE provider was only needed on old JDKs where JSSE was a
            // separate download; current JDKs ship PKCS12 support and no longer have this class.
            // java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            if (args.length < 6) {
                System.out.println(
                    "\nKeyStoreMove Usage: \njava KeyStoreMove <source> <destination> where\n" +
                    " <source> and <destination> are " +
                    "<storetype> <keystore> <password>\n");
                System.out.println(" - Requires jsse for PKCS12 keystore support \n" +
                    " - source storetype can be JKS or PKCS12\n" +
                    " - destination storetype must be JKS type (PKCS12 write not supported)\n");
                System.exit(0);
            }
            FileInputStream in;
            // -------- Load source keystore to memory ---------
            in = new FileInputStream(args[1]);
            KeyStore ksin = KeyStore.getInstance(args[0]);
            char[] pwin = args[2].toCharArray();
            if (pwin.length == 0) { pwin = null; }   // empty password means "no password"
            ksin.load(in, pwin);
            in.close();
            // -------- Load destination keystore initial contents to memory ---------
            // The destination keystore file must already exist.
            in = new FileInputStream(args[4]);
            KeyStore ksout = KeyStore.getInstance(args[3]);
            char[] pwout = args[5].toCharArray();
            if (pwout.length == 0) { pwout = null; }
            ksout.load(in, pwout);
            in.close();
            //--------- Main Loop to get keys/certs from source keystore ------------
            BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in));
            Enumeration<String> en = ksin.aliases();
            while (en.hasMoreElements()) {
                String alias = en.nextElement();
                if (ksout.containsAlias(alias)) {
                    System.out.println(args[4] + " already contains " + alias + " Key will not be copied.");
                    continue;
                }
                // ------- Ask user if alias of source key/cert should be renamed -----------
                System.out.println("Source alias: " + alias);
                System.out.print("Rename alias to [<return> to keep original alias]: ");
                String newuseralias = stdin.readLine().trim();
                if (newuseralias.equals("")) {
                    newuseralias = alias;
                    System.out.println("Original alias used");
                } else {
                    System.out.println("New alias: " + newuseralias);
                }
                if (ksin.isCertificateEntry(alias)) {
                    System.out.println("importing certificate " + alias);
                    ksout.setCertificateEntry(newuseralias, ksin.getCertificate(alias));
                }
                if (ksin.isKeyEntry(alias)) {
                    // The private key is re-protected with the destination password.
                    System.out.println("importing key " + alias);
                    ksout.setKeyEntry(newuseralias, ksin.getKey(alias, pwin), pwout, ksin.getCertificateChain(alias));
                }
            }
            //--------- End main loop ----------------------
            //--------- Overwrite the destination keystore with new keys/certs --------------
            FileOutputStream out = new FileOutputStream(args[4]);
            ksout.store(out, pwout);
            out.close();
            System.out.println("keystore copy successful\n");
            System.exit(0);
        }
    }
