KeyPairGenerator vs keytool

Hi! I've done an encrypt/decrypt application which uses a certificate generated with the keytool tool (using RSA). What is the difference between using that kind of certificate and using the keypair generator? How is the keypair generator used? And for what use/purpose must one use the keypair generator?
What I'm doing is encrypting a file and sending it over the network. Later, downloading it, decrypting it and reading it.
Thanks a lot for your guidance!

Keytool generates a keypair and also stores the keypair in a KeyStore. This keystore can then be accessed programmatically by any application, such as an SSL application that uses JSSE. Keytool also has various options designed to create and manage X509 certificates.
Whether keytool is right for you depends on your application and its security features. How do you plan to do authentication, i.e. how do you restrict the decryption software to authorized users only? How many of these users are there, and so on.
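To make the comparison concrete, here is an added example (not from the original poster or the reply) that encrypts a file blob the way the question describes, hybrid RSA-OAEP plus AES-GCM, and takes the RSA pair either from KeyPairGenerator or from a PKCS12 keystore written by keytool. The class name, the alias "filekey", the keystore path and password passed on the command line, and the sample file contents are all assumptions.

```java
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example: the same hybrid file encryption driven by an RSA pair that comes either
// from KeyPairGenerator (in memory, nothing persisted) or from a keystore written by keytool.
public class HybridFileCrypto {

    // Option A: KeyPairGenerator creates a fresh pair in memory. Nothing is saved; the
    // application itself has to store and protect the private key if it needs it again.
    static KeyPair generateInMemory() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Option B: load the pair keytool already generated and stored, e.g. (assumed command)
    //   keytool -genkeypair -alias filekey -keyalg RSA -keysize 2048 -storetype pkcs12 -keystore keys.p12
    // keytool wraps the public key in a self-signed certificate; the private key sits under the alias.
    // Assumes the key entry uses the same password as the store, keytool's default for PKCS12.
    static KeyPair loadFromKeyStore(String path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        PrivateKey priv = (PrivateKey) ks.getKey(alias, password);
        if (priv == null) {
            throw new IllegalArgumentException("no private key entry under alias " + alias);
        }
        return new KeyPair(ks.getCertificate(alias).getPublicKey(), priv);
    }

    // Hybrid encryption: a random AES-256 key encrypts the file with GCM (confidentiality and
    // integrity), and RSA-OAEP wraps that AES key for the recipient. RSA alone cannot encrypt
    // anything larger than its modulus, which is why the symmetric layer is there.
    // Blob layout: [4-byte wrapped-key length][wrapped key][12-byte IV][GCM ciphertext + tag]
    static byte[] encrypt(PublicKey recipient, byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey fileKey = kg.generateKey();

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient);
        byte[] wrapped = rsa.wrap(fileKey);

        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // GCM needs a fresh IV per key; the key is single-use here
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, fileKey, new GCMParameterSpec(128, iv));
        byte[] body = aes.doFinal(plaintext);

        ByteBuffer out = ByteBuffer.allocate(4 + wrapped.length + iv.length + body.length);
        out.putInt(wrapped.length).put(wrapped).put(iv).put(body);
        return out.array();
    }

    // Reverse of encrypt(). GCM tag verification makes doFinal() throw AEADBadTagException
    // if the blob was altered in transit, so a tampered file never decrypts silently.
    static byte[] decrypt(PrivateKey recipient, byte[] blob) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] wrapped = new byte[in.getInt()];
        in.get(wrapped);
        byte[] iv = new byte[12];
        in.get(iv);
        byte[] body = new byte[in.remaining()];
        in.get(body);

        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, recipient);
        SecretKey fileKey = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, fileKey, new GCMParameterSpec(128, iv));
        return aes.doFinal(body);
    }

    public static void main(String[] args) throws Exception {
        // No arguments: option A. Three arguments <keystore.p12> <password> <alias>: option B.
        // Either way the Cipher code is identical; only where the key pair lives differs.
        KeyPair kp = (args.length == 3)
                ? loadFromKeyStore(args[0], args[1].toCharArray(), args[2])
                : generateInMemory();

        byte[] file = "constructed sample file contents".getBytes(StandardCharsets.UTF_8);
        byte[] blob = encrypt(kp.getPublic(), file);
        byte[] back = decrypt(kp.getPrivate(), blob);
        System.out.println("round trip matches original: " + Arrays.equals(file, back));
    }
}
```

The practical difference is only in where the private key lives: with KeyPairGenerator your program owns its storage and protection, while keytool puts it in a password-protected keystore file that JSSE and other tools can also read.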

Similar Messages

  • Trying to create a certificate file using keytool -help!

    Hi, I've followed a series of instructions using Terminal to create a certificate. Terminal produced a file and when I open it using TextEdit it's about 20 lines of code. I was hoping it would provide a certificate I could use. Maybe it has, I just don't know what I'm looking for!
    I'm working in Viewer Builder and I'm in the Provisioning tab trying to enter the "Application ID".
    I'm totally stuck here. Please help!

    I'm using DPS pro. My app is for Android but won't be going as far as Google Play or Amazon. It's for internal use so I want to create an APK file to distribute via email. These are the set of instructions I'm following. I'm struggling to get this to work. What should I see when this has worked? Also what do I need to enter for the Application ID?
    Thanks for your help
    (Mac OS) Create a certificate file using Keytool
    Open Terminal, which is located in the Applications > Utilities folder.
    Type (or paste) the following line (replace “myname.key.p12” with the actual name of your certificate):
    keytool -genkey -v -keystore myname.key.p12 -alias alias_name -keyalg RSA -keysize 2048 -storetype pkcs12 -validity 10000
    Specifying “10000” sets the expiration date after 22 October 2033.
    Enter and reenter a password. Until the Viewer Builder supports the creation of custom Android apps, it's necessary to share this password with Adobe. Create a password that you can share.
    Follow the prompts to specify the certificate information.
    When prompted to confirm choices, enter yes, and then press Return to use the same password.
    A certificate is created in your prompt location, such as your user name folder. Copy this certificate file to a known location. Write down the password as well.

  • Using keytool to generate self signed cert. for Microsoft Certificate Mrg.

    Hi All,
    I want to be able to generate a self signed certificate that I can Import into
    Microsoft's Certificate Manager, to enable an HTTPS Listener for
    Microsoft's WinRM and WinRS.
    The certificate would only be for internal use, not used externally.
    Here's the problem. I can create a certificate using this (path obscured):
    "C:\Program Files\.....\jre\bin\keytool" -genkey -alias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c5780353" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files\......\jre\lib\keystore\.keystore" -storepass changeit
    "C:\Program Files\......\jre\bin\keytool" -export -alias dMobX -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -storetype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.keystore" -storepass changeit -v
    Microsoft's Certificate Manager will accept it, the .cer, using "Import", into
    Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
    The WS-Management service cannot find the certificate that was requested.
    If I use another tool, like selfssl, I can generate a self signed certificate using:
    selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
    This will populate a certificate in Trusted Root Certification Authorities,
    and when I run the command to create the HTTPS Listener, it succeeds with
    no problem.
    So my question is, am I doing something wrong with keytool, or are there
    extra steps that I need to take, or is it even capable of generating a "self signed
    certificate" that will work in the above case?
    There are some concepts involved, certificate wise, that I'm not sure about.
    Do I need to create a CSR and use a tool like openssl, as a CA, and
    use the resulting certificate?
    I just want to be able to programmatically create the needed certificate using keytool, or
    using an API.
    Thanks,

    Download the latest JDK on http://download.java.net/jdk7/binaries/.
    Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning"; if there are multiple, separate them with commas).

  • How to create a certificate using keytool / terminal?

    I have problems with creating certificates using the terminal. I use the instructions below and typed in all the required information. When it asks me to type "yes" and confirm, the whole process just starts from the beginning over and over and I have to type in the same things. What do I do wrong? How do I confirm the information I typed in?
    I am trying to create a certificate to sign apps for GooglePlay and Amazon. I am using DPS Professional.
    Thanks for help!
    Instructions:
    (Mac OS) Create a certificate file using Keytool
    Open Terminal, which is located in the Applications > Utilities folder.
    Type (or paste) the following line (replace “myname.key.p12” with the actual name of your certificate):
    keytool -genkey -v -keystore myname.key.p12 -alias alias_name -keyalg RSA -keysize 2048 -storetype pkcs12 -validity 10000
    Specifying “10000” sets the expiration date after 22 October 2033.
    Enter and reenter a password. Until the Viewer Builder supports the creation of custom Android apps, it's necessary to share this password with Adobe. Create a password that you can share.
    Follow the prompts to specify the certificate information.
    When prompted to confirm choices, enter yes, and then press Return to use the same password.
    A certificate is created in your prompt location, such as your user name folder. Copy this certificate file to a known location. Write down the password as well.

    It could be an access/rights issue. Enable the root user and try again.

  • Minimum length of pwd in keytool

    I'm using keytool (JDK version 1.5.0_14) to alter existing keystores and create new files. If I want to check an existing keystore (keytool -list -file ...) with a password length of five characters I get the following error:
    java.io.IOException: Keystore was tampered with, or password was incorrect
    The password I'm using is correct (already tested with openssl).
    Is there a way to alter the minimum length setting - for already existing keystores and new files?
    Thx in advance!

    "I don't know how the original keystores are created"
    I agree. You don't know their passwords either, or at least you can't use them. Somebody has stuffed up here. Follow it up.
    "But it is possible to use an already existing keystore (with the defined pwd), delete all certificates and import my new certificate"
    As long as you know the password. Obviously you don't. Someone seems to have misinformed you. Follow it up.
    "(I know there are reasons keytool asks at least for six characters...)."
    Exactly, and those reasons equally apply to whoever created the keystore. So in all probability they couldn't have created them with those short passwords at all. It's irrelevant. You can't use those keystores with those passwords so they have to be sent back where they came from and re-created with usable passwords. Follow it up. There's nothing else to be said.

  • Issue in free SSL cert installation on Weblogic using keytool and Keystore

    Links we followed for the steps mentioned below:
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/ssl.html#1167001
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674
    Steps:
    1) To generate the keystore, private key and digital certificate:
    keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
    2) To generate CSR
    keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
    3) The CSR is uploaded to the VeriSign site to generate a free SSL certificate. All certificate text received is pasted into a file (cacert.pem).
    4) The same certificate is put into the same keystore using the following command
    keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
    5) Before step 4), we also installed the root/intermediate certificate to include the chain, using the following command.
    (intermediateCa.cer file is downloaded from verisign site)
    keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
    6) After this configuration we used the WebLogic admin module to configure the Keystore and SSL.
    7) In the KeyStore tab of the WebLogic admin module, we selected the option “Custom Identity And Custom Trust” and provided the following details under the Identity and Trust columns:
    Private key alias: mykey2
    PassKeyphrase: webconkeystorepassword
    Location of keystore: location of webconkeystore.jks file on server
    8) In the SSL tab of the WebLogic admin module, we selected the option “KeyStores” for “Identity and Trust locations”.
    9) After this we restarted the server, but it gives the following error on the console as shown below:
    <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
    <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
    <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias privateKey from the JKS keystore file /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks.>
    <Alert> <Security> <BEA-090716> <Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer>
    <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer>
    <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer.>
    <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
    Please let me know if I am missing anything
    Please help me to checkout and resolve this issue.

    Thanks for your interest and reply.
    It says mykey2 is of type "keyEntry", not privateKeyEntry, but I have followed the steps which were mentioned.
    To give you details, I have executed the listing command and appended its output below:
    Please find the output of the following command
    keytool -list -v -keystore webconkeystore.jks -storepass webconkeystorepassword >> output.txt
    The contents of output.txt are:
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 5 entries
    Alias name: intermediateca
    Creation date: Nov 3, 2009
    Entry type: trustedCertEntry
    Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
    Valid from: Wed Apr 01 05:30:00 IST 2009 until: Mon Apr 01 05:29:59 IST 2019
    Certificate fingerprints:
         MD5: 71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
         SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
    Alias name: rootca
    Creation date: Nov 3, 2009
    Entry type: trustedCertEntry
    Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 168164a428ca12dfab12f19fb1b93554
    Valid from: Wed Apr 01 05:30:00 IST 2009 until: Sun Apr 01 05:29:59 IST 2029
    Certificate fingerprints:
         MD5: E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
         SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
    Alias name: mykey2
    Creation date: Nov 3, 2009
    Entry type: keyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=linuxbox04, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Tech, O=TechProcess, L=Mumbai, ST=Maharashtra, C=IN
    Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 232d382baddef6a3734984950d3505dc
    Valid from: Tue Nov 03 05:30:00 IST 2009 until: Wed Nov 18 05:29:59 IST 2009
    Certificate fingerprints:
         MD5: F2:28:41:DB:58:F4:5B:F4:9E:14:A4:D1:C6:9A:54:FB
         SHA1: 39:87:00:98:45:D3:30:C9:58:0D:A5:30:73:9B:10:19:B9:77:D0:F7
    Certificate[2]:
    Owner: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 7e3bb784bbc654abd2b8d677ecc394a8
    Valid from: Wed Apr 01 05:30:00 IST 2009 until: Mon Apr 01 05:29:59 IST 2019
    Certificate fingerprints:
         MD5: 71:13:D9:3A:CD:21:F2:EE:9F:59:17:8D:A6:F9:AE:14
         SHA1: BE:D1:D1:4E:25:A7:94:36:83:9E:4B:A7:CD:84:48:96:B7:0A:7F:B0
    Certificate[3]:
    Owner: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Issuer: CN=VeriSign Trial Secure Server Root CA - G2, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 168164a428ca12dfab12f19fb1b93554
    Valid from: Wed Apr 01 05:30:00 IST 2009 until: Sun Apr 01 05:29:59 IST 2029
    Certificate fingerprints:
         MD5: E0:19:F5:FC:C0:9A:13:0E:38:B7:BF:0D:02:40:D3:C2
         SHA1: 51:51:B8:63:8A:4C:1F:15:54:56:ED:37:C9:10:35:CA:D3:01:B9:36
    Alias name: mykey1
    Creation date: Nov 3, 2009
    Entry type: trustedCertEntry
    Owner: CN=linuxbox04, OU=Terms of use at www.verisign.com/cps/testca (c)05, OU=Tech, O=Techprocess, L=Mumbai, ST=MH, C=IN
    Issuer: CN=VeriSign Trial Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/cps/testca (c)09, OU="For Test Purposes Only. No assurances.", O="VeriSign, Inc.", C=US
    Serial number: 353710f6c067ba67988004f2080eb4ac
    Valid from: Tue Nov 03 05:30:00 IST 2009 until: Wed Nov 18 05:29:59 IST 2009
    Certificate fingerprints:
         MD5: 3C:C7:B1:DB:BB:A6:60:34:08:31:88:90:AE:EE:CB:7B
         SHA1: 69:63:20:CB:BC:93:89:88:19:1F:37:C0:A3:EE:E5:50:5A:29:39:DA
    Alias name: mykey
    Creation date: Nov 3, 2009
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=linuxbox04, OU=Tech, O=Techprocess, L=Mumbai, ST=MH, C=IN
    Issuer: CN=linuxbox04, OU=Tech, O=Techprocess, L=Mumbai, ST=MH, C=IN
    Serial number: 4aefbcd1
    Valid from: Tue Nov 03 10:47:05 IST 2009 until: Mon Feb 01 10:47:05 IST 2010
    Certificate fingerprints:
         MD5: 51:E7:52:7A:AA:1A:F6:E1:72:3C:BE:EF:D7:BF:92:85
         SHA1: F3:7C:D2:18:2C:75:9D:A5:70:28:1F:3C:90:93:B9:E4:1F:57:3B:DC
    Edited by: user1685139 on Nov 4, 2009 3:55 PM

  • Keytool error: java.lang.Exception: Keystore file does not exist:

    Hi All,
    While listing the keystore using the command keytool -list, I got the error message that
    keytool error: java.lang.Exception: Keystore file does not exist: C:\Documents and Settings\subramanian.arivalag\.keystore
    I noticed there is no file .keystore in the above mentioned directory. What's this .keystore file? Will it be created automatically or should we create manually?
    I already created a keystore using the -genkey command and received the CA authority as well.
    Kindly provide me more details about .keystore file and how to handle this error.

    If you specified a keystore filename when you created the keystore
    i.e. keytool -genkey -alias jboss-ssl -keyalg RSA -keystore my_name.keystore -validity 3650
    then you need to specify the same keystore when you export the cert
    i.e. keytool -export -alias jboss-ssl -keystore my_name.keystore -file my_name.cer

  • Simple program with Java KeyTool

    Hello!
    I tried to create a signature using keytool to send data using SSL. I created the private key file by
    keytool -genkey -keystore kkm.kst -storepass passwd -alias kkmcert -keypass passwd -keyalg RSA -keysize 1024 -sigalg MD5WithRSA -validity 365 -dname CN=tester
    and then I tried to sign the string "test" with the following code:
    // Imports needed by the two methods below
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.security.cert.Certificate;

    public static void getSign() throws Exception {
        // Load the keystore created by the keytool command above
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        String keyStoreFile = "kkm.kst";
        String keyStorePassword = "passwd";
        try (FileInputStream fis = new FileInputStream(keyStoreFile)) {
            keyStore.load(fis, keyStorePassword.toCharArray());
        }
        String myKeyAlias = "kkmcert";
        String myKeyPassword = "passwd";
        PrivateKey privateKey = (PrivateKey) keyStore.getKey(myKeyAlias, myKeyPassword.toCharArray());
        if (privateKey == null) throw new Exception("Client key not found");
        String text = "test";
        Signature signature = Signature.getInstance("MD5withRSA");
        signature.initSign(privateKey);
        byte[] data = text.getBytes("UTF-8");
        signature.update(data);
        byte[] sign = signature.sign();
        // The signature is raw binary, not UTF-8 text: decoding it as a String here and
        // re-encoding it with getBytes() in checkSign() does not reproduce the same bytes.
        String signString = new String(sign, "UTF-8");
        System.out.println(signString);
    }
    After that I tried to verify that the derived signature isn't wrong:
    keytool -import -keystore kkm.kst -storepass passwd -file certfile.cer -alias ep -noprompt
    public static void checkSign(String signString) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        String keyStoreFile = "kkm.kst";
        String keyStorePassword = "passwd";
        try (FileInputStream fis = new FileInputStream(keyStoreFile)) {
            keyStore.load(fis, keyStorePassword.toCharArray());
        }
        // The certificate imported under alias "ep" carries the public key
        String eportAlias = "ep";
        Certificate cert = keyStore.getCertificate(eportAlias);
        if (cert == null) throw new Exception("Server certificate not found");
        PublicKey publicKey = cert.getPublicKey();
        String text = "test";
        byte[] data = text.getBytes("UTF-8");
        // Re-encoding the printed String does not recover the original signature bytes
        byte[] subscript = signString.getBytes();
        try {
            Signature signature = Signature.getInstance("MD5withRSA");
            signature.initVerify(publicKey);
            signature.update(data);
            System.out.println(signature.verify(subscript) ? "RIGHT" : "WRONG");
        } catch (Exception e) {
            System.out.println("Exc : WRONG");
        }
    }
    And after checking I got the message "WRONG", which means that the generated signature is a wrong signature. =( Can anybody help me to find the error?
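    The verification fails because a signature is arbitrary binary, and new String(sign, "UTF-8") followed by getBytes() does not give back the same bytes. The following is an added example, not the poster's code, showing the same sign/verify flow with the signature carried as Base64 text; it generates an in-memory RSA pair with KeyPairGenerator instead of loading kkm.kst so it runs stand-alone, uses SHA256withRSA rather than MD5withRSA, and also reproduces the lossy String round trip so the failure can be seen side by side.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

// Added example: carry an RSA signature between sign and verify as Base64 text.
public class SignRoundTrip {

    // Sign the UTF-8 bytes of text and return the signature as Base64.
    // Base64 is a reversible encoding of arbitrary bytes; new String(bytes, "UTF-8") is not.
    static String sign(PrivateKey key, String text) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(text.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    // Decode the Base64 text back to the exact signature bytes and verify them.
    static boolean verify(PublicKey key, String text, String signatureB64) throws Exception {
        byte[] signature = Base64.getDecoder().decode(signatureB64);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(text.getBytes(StandardCharsets.UTF_8));
        return sig.verify(signature);
    }

    // Reproduces the original bug: the raw signature bytes are decoded as UTF-8 text and
    // re-encoded. Invalid sequences are replaced by U+FFFD, so the byte array changes.
    static boolean verifyAfterLossyStringRoundTrip(KeyPair kp, String text) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(kp.getPrivate());
        sig.update(text.getBytes(StandardCharsets.UTF_8));
        byte[] raw = sig.sign();
        byte[] mangled = new String(raw, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);

        Signature ver = Signature.getInstance("SHA256withRSA");
        ver.initVerify(kp.getPublic());
        ver.update(text.getBytes(StandardCharsets.UTF_8));
        try {
            return ver.verify(mangled);
        } catch (SignatureException e) {
            // A 2048-bit RSA signature is exactly 256 bytes; the mangled array is almost always
            // a different length, which some providers reject before even checking the value.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // In-memory pair so the example needs no keystore file (assumption for this example).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        String text = "test";
        String b64 = sign(kp.getPrivate(), text);
        System.out.println("Base64 signature       : " + b64);
        System.out.println("verify(same text)      : " + verify(kp.getPublic(), text, b64));
        System.out.println("verify(tampered text)  : " + verify(kp.getPublic(), "tesT", b64));
        System.out.println("lossy String round trip: " + verifyAfterLossyStringRoundTrip(kp, text));
    }
}
```

    The same Base64 string can be stored or sent over the network and decoded on the other side without loss, which is what the original String conversion was trying to achieve.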

    hey buddy... I am stuck with one more error.
    When the same code was compiled and run, it says
    error : error reading in E:\oracle\ora90\network\admin\listener.ora; java.util.zip.ZipException exception
    I looked at the environment variables, but still I couldn't get rid of this problem... need help badly!

  • Is there a way to make a self-signed client certificate with keytool...

    Is there a way to make a self-signed client certificate with keytool
    that will install successfully into the personal store in IE?

    hi,
    It is possible to make a self-signed client certificate with keytool and I am successfully using one in my dummy application.
    The first thing you need to do is create a keystore and generate the key pair. You could use a command such as the following:
    keytool -genkey -dname "cn=Mark Jones, ou=JavaSoft, o=Sun, c=US"
    -alias business -keypass kpi135 -keystore C:\working\mykeystore
    -storepass ab987c -validity 180
    (Please note: This must be typed as a single line. Multiple lines are used in the examples just for legibility purposes.)
    This command creates the keystore named "mykeystore" in the "working" directory on the C drive (assuming it doesn't already exist), and assigns it the password "ab987c". It generates a public/private key pair for the entity whose "distinguished name" has a common name of "Mark Jones", organizational unit of "JavaSoft", organization of "Sun" and two-letter country code of "US". It uses the default "DSA" key generation algorithm to create the keys, both 1024 bits long.
    It creates a self-signed certificate (using the default "SHA1withDSA" signature algorithm) that includes the public key and the distinguished name information. This certificate will be valid for 180 days, and is associated with the private key in a keystore entry referred to by the alias "business". The private key is assigned the password "kpi135".
    Also please go through the http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
    This would help you better.
    bye,
    Arun

  • Serious problem. keytool won't work?!

    Hi everyone!
    I have a problem with keytool that I really don't know how to solve.
    When I try to create a new keystore my keytool program hangs. It doesn't consume any CPU or anything.
    I don't know what's wrong and I've tried to solve it in many many ways. I have the newest version of the Java SDK (1.4.1_02).
    It works if I run the program on my desktop box (the problem only appears on our server).
    Both the client and server run on Mandrake Linux 9.0 (installed using the same CDs so there shouldn't be any difference).
    I type the line and then follow the instructions:
    # keytool -genkey -keyalg rsa -alias tomcat
    Enter keystore password: changeit
    What is your first and last name?
    [Unknown]: test.com
    What is the name of your organizational unit?
    [Unknown]: test
    What is the name of your organization?
    [Unknown]: test
    What is the name of your City or Locality?
    [Unknown]: test
    What is the name of your State or Province?
    [Unknown]: test
    What is the two-letter country code for this unit?
    [Unknown]: SE
    Is CN=test.com, OU=test, O=test, L=test, ST=test, C=SE correct?
    [no]: yes
    Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
    for: CN=test.com, OU=test, O=test, L=test, ST=test, C=SE
    --- Here the program totally hangs!!!
    What should I do?
    If none of you can help me do you have any suggestions who I should ask?
    Thanks in advance
    Erik

    I am also having this problem.
    I noticed that it only happens on our compaq machines
    They are supposed to be configured the same as all others,
    but these are the only ones that hang.
    Any help?
    Mark

  • Can't import an OpenSSL signed cert  into a JKS using keytool

    Hey everyone,
    [Update] When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self signed cert? How could the CA be producing a cert that has an issuer of another server?
    I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system. Any help would be greatly appreciated.
    I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.
    For some reason it keeps giving me this error when I try to import the signed SSL certificate: keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    Am I doing something wrong in this whole process?
    1) Generate the Private Key for the CA server
    openssl genrsa -out CA.key -des 2048
    2) Generate the CSR on the CA
    openssl req -new -key CA.key -out CA.csr
    3) Sign the new CSR so that it can be used as the root certificate
    openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf
    4) On server1, create Server Private Key KeyStore
    keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"
    5) On server1, create a CSR from the recently created Private Key
    keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr
    6) Transfer the CSR over to the CA (server1) so that it can be signed
    openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf
    7) Transfer CA Public Cert to server1 and Import into keytool
    keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks
    8) Import recently signed CSR to app server keystore (This is where I receive the error)
    keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks
    Thanks!
    Edited by: user13378168 on Feb 11, 2011 2:03 PM

    I got it! Here's how I resolved it.
    1) Going back to the CA server I went and looked at the server1.pem that was produced. I tried to validate it against the CA's certificate
    openssl verify -CAFile CA.pem server1.pem
    server1.pem: /C=REDACTED/ST=REDACTED/L=REDACTED/O=REDACTED/OU=REDACTED/CN=server1.domain.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    Seemed to be a clear indication that the certificate was not properly signed by OpenSSL.
    2) I tried signing it using a different command I found here: http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html
    openssl ca -policy policy_match -config openssl.cnf -extensions v3_ca -cert CA.pem -in server1.csr -keyfile CA.key -days 365 -out server1.pem
    I received a much different set of responses from OpenSSL including
    Sign the certificate? [y/n]
    1 out of 1 certificate requests certified, commit? [y/n]
    3) I tried my validate command again and got a plain "OK"
    4) I now tried to import this new server1.pem using the keytool command and actually got the following error:
    keytool error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data
    5) When I looked at the file it seems that OpenSSL had added quite a bit of extra certificate information to the file. I deleted everything up to (but not including) the -----BEGIN CERTIFICATE----- line and tried the import one more time and it imported successfully!
    Sabre, thanks for helping me look into this one.
    Edited by: user13378168 on Feb 14, 2011 12:50 PM - Added correct signing command

  • Using keytool to import a certificate

    I'm trying to import into the samplecacerts file a self-signed certificate generated for test purposes on my test web server.
    The command I issued was:
    keytool -import -alias mycert -file mycert.cer -keystore samplecacerts -trustcacert -storepass changeit
    and the answer was:
    keytool error: Signature not available
    If I accept this certificate using my class that implements the interface X509TrustManager and get data using HttpsURLConnection, all works fine.
    I used two methods to export the certificate:
    1. I exported it after accepting it in Internet Explorer
    2. I wrote it from the method isServerTrusted as suggested by Aseem in his sample code (http://forum.java.sun.com/thread.jsp?forum=9&thread=14884&start=25&range=1&hilite=false&q=)
    The two generated files are identical.
    Anyone can help me?
    Thanks
    Aldo

    I am having the same problem - and I don't understand the one reply you got.
    So here goes. WHY can I easily import a self-signed certificate as a "trusted root" in IE, but I cannot import the same certificate into my cacerts file using keytool.exe? Keytool always gives the error, "Signature not available".
    Can someone please tell me what the heck I am supposed to do? All I want to do is be able to connect to an https URL in my Java code and read the contents. I "trust" the darn server, but the keytool utility doesn't seem to "trust" me....
    BTW, yes I am using JSSE, it's not a code problem it's a keytool problem.

  • Generating a CSR without keytool

    Can anyone point me to a "how-to" on creating a CSR without using the java keytool, but instead using the SDK?
    Thanks!
    --zjs

    If interested in an appli that helps in signing process, you may download XLRSecTool for
    free at:
    . Windows:
    http://www.xlreader.com/download/stl10ea/InstData/Windows/NoVM/istl10ea.exe
    . Unix and Linux:
    http://www.xlreader.com/download/stl10ea/InstData/Unix/Others/istl10ea.bin
    . Other Java-enabled OS
    http://www.xlreader.com/download/stl10ea/InstData/Java/install.zip
    Requires Java VM 1.3.1
    Screenshot:
    http://www.xlreader.com/images/sshot_s673x548.gif
    -- Robert
    =====
    XL-Reader Project - Secured online documentation solutions
    www.xlreader.com
    =====

  • Using the certificate created by keytool in IIS

    Hi,
    I have an issue: I need to use the certificate that I created with keytool (JDK 1.4.1) in IIS. Is it possible?
    Please help!
    carlos

    I'm halfway there.
    1. keytool -genkey // etc
    Where I get stuck:
    2. export the key contents
    3. import the cert into IIS

  • Keytool problem

    Hello,
    I have a keystore and its instance is ("JCEKS","SunJCE"). I am creating secret keys and private keys and storing them inside my keystore.
    When I try to reach this keystore by using "keytool" application, I get the following error:
    java.io.IOException: Invalid keystore format
    So, what instances does keytool support and which tool can I use to reach my keystore?
    regards

    I found the solution. As follows:
    keytool -list -keystore keytoolfile -storetype jceks
