Keytool generated certificate
I have just configured SSL on tomcat and I am wondering if the certificate generated by the keytool command (the one that ships with the j2sdk1.4.2_X) is as good as a certificate from Verisign.
I am willing to accept the fact that users must add the certificate to their list of trusted certificates - but I am curious about the following:
1) Is the connection to the server (are the packets that are transferring from client to web server) just as secure as if the certificate were signed by Verisign?
2) Is there any real difference between the two certificates other than the fact that user must add the certificate to the list of trusted certificates since it's not signed by verisign?
Thanks,
Jim
Keytool can generate a certificate that is similar in terms of security to a Verisign certificate. Thus the answers to your questions are yes and no respectively.
Both deal with X.509 certificates. A little research on X.509 and on what Verisign uses (for example the private key size, X.509 version number and relevant certificate fields) can be helpful.
GS
Similar Messages
-
How to use "keytool" generated certificates in B2B
Hi,
I have generated a few certificate stores (files containing a private key and trust certificate) in ".jks" format and exported client certificates from them in ".der" format using "keytool" commands in Java. Now I want to use them for SSL authentication.
Is there any possible way of doing this ?
I tried to open these keystores in Wallet Manager but it did not accept those keystores. I even tried to create a keystore with the name "ewallet.pk12" (in PKCS12 format) but Wallet Manager did not accept its password.
Please provide a solution if it exists.
Thanks in advance.
Regards,
Anuj Dwivedi
Hi,
If you are generating keys/certificates, maybe you could make "keytool" generate the keystore in PKCS12 format. This format can be opened using Oracle Wallet Manager. Here's the command:
keytool -genkey -keyalg "RSA" -keystore ewallet.p12 -storepass welcome1 -storetype PKCS12
The above command would create a wallet in the current directory and the same can be opened in the "Oracle wallet manager".
Other Approach:
If you want to export just the certificates from a "JKS" format keystore and add them to ewallet.p12 as a trusted entry, you can very well do that.
One thing to note here: make sure the keys are generated using the algorithm "RSA". Sample commands below:
1. keytool -genkey -keyalg RSA -keystore test.jks
2. keytool -export -file test.crt -keystore test.jks
3. You could import the certificate "test.crt" created in the previous step into ewallet.p12 using "Oracle Wallet Manager".
Regards,
Sinkar
[From Ramesh Team] -
Can i generate certificates using java api
Can I generate certificates signed by my private key using the Java API?
I found that CertificateFactory must generate a certificate from a file,
but how can I generate this file?
Thanks
Visit:
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/jarsigner.html
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
You can create your own certificate.
Edward -
Generating certificate with predefined certificate SerialNumber field
Hi!
I need to generate a certificate (programmatically or using keytool) which should contain a predefined serial number. For example, after generating a certificate we see:
Owner: CN=SomeBody, O=SomeBody.com, L=A, C=B
Issuer: CN=SomeBody, O=SomeBody.com, L=A, C=B
Serial number: 25fca39d
Valid from: Fri Feb 13 12:15:09 EET 2004 until: Sat Feb 12 12:15:09 EET 2005
Certificate fingerprints:
MD5: 87:41:93:58:71:7C:DC:59:50:F2:79:92:86:CC:0A:8C
SHA1: 24:2B:27:6B:17:AB:9B:6D:1D:6D:4F:A0:D9:CA:42:AC:51:5D:6A:54
The field "Serial number" should be predefined. Am I able to do this?
Thanks.
keytool doesn't seem to do it, and Java doesn't really offer much help in programmatically creating certificates at all.
However, at least glancing at the documentation, the bouncycastle (http://www.bouncycastle.org ) provider seems to have this capability. See for example the classes
org.bouncycastle.x509.X509V1CertificateGenerator and org.bouncycastle.x509.X509V3CertificateGenerator -
Self Generated certificate validity issue in ACS 4.0 for Windows
Hi,
Is there any solution to extend the validity time of the self-generated certificate on ACS? By default the validity is set to one year.
The server certificate on one of the ACS servers, which is the CA, has expired and needs to be renewed.
Is it possible that only one certificate from a third party can be used both as a server certificate and as the CA certificate for the other ACS servers?
Thanks in Advance
Regards,
Ahmed
Another solution would be to create an in-house (Microsoft probably) CA and get a certificate for your ACS server. Go through the installation steps of the Microsoft CA first, as the validity date for the server certificate (I guess) is configured during the initial install of the CA.
Regards,
Prem -
Hello everyone,
today I am working on a PKI mounted on a Red Hat Enterprise Linux Server release 5.5 (Tikanga); it is Easycert 5.2.2.15. We need to know what data we have to give to the PKI so it can generate certificates for users in Active Directory, for use with a USB token (ACOS5-64 crypto chip) functioning as a smart card for user login on computers.
On the other hand, we also need to know the necessary settings between the third-party PKI and the domain controllers (Windows 2012).
Greetings, and I hope for your response.
TechCach
> It is for Windows 2012.
Nothing changed since Windows Server 2003. Here is a KB article:
http://support2.microsoft.com/kb/281245
> Is the scenario supported by Microsoft?
Yes, of course. See the KB article above.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool. -
Install self generated certificates
Hi all,
Can anyone advise on how to install self-generated certificates as trusted server/client certificates?
Regards
Ken
Hi Ken,
Which version of WebServer are you using?
The following docs for WebServer 6.1 sp5 gives all of the information that you should need about installing certificates:
http://docs.sun.com/source/819-0130/agcert.html#wp1004981
Hope this helps -
Generating certificates *without* keytool
I'm trying to replace some Java code based on Baltimore KeyTools so that it uses only what ships in the JCE. In particular, I'd like to be able to create a self-signed certificate given a DN and some other bits of information, then generate and process certificate requests, without forking a subshell, running 'keytool', etc. I've gone through everything I can find on-line, and through Weiss's "Java Cryptography Extensions" book, but have drawn a blank. I'd be buy-you-a-beer grateful to anyone who could point me in the right direction.
Thanks,
Greg Wilson
p.s. I've looked at Bouncy Castle, and understand that I could add it to my application to do these things. However, I'd still like to know if this can be done using just the JCE...
Simply put:
Creating a certificate (X.509), a certificate request (PKCS#10), and other cryptographic formats (like PKCS#7 or CMS), requires ASN.1 encoding and decoding routines. They are not difficult to write, but they need to be correctly written. You'll need to add a third-party library to encode/decode ASN.1.
Then you'll need to create and test a lot of code just to prepare a PKCS#10 request.
Imagine the maintenance issues (finding someone that can understand RFCs and deal with ASN.1 definitions correctly etc.)
Stick to BouncyCastle instead. (Using BouncyCastle also requires some ASN.1 and RFC knowledge, but you're simply a user, not a builder. It's far easier being just a user.)
There is some code in rt.jar that you "could" try to use, like sun.misc.....PKCS7, but I strongly recommend not using such Sun classes directly. (Imagine using your code in a non-Sun JDK like IBM's (in WebSphere environments) or BEA's (in WebLogic environments).) -
Keytool exporting certificate chain
I went through the steps of generating a key pair with keytool and created a certificate signing request.
Using OpenSSL I signed the certificate and imported it back into the keystore.
When I run:
keytool -list -v -keystore myKS.jks -alias my_site
I see the certificate and it indicates it's in a chain of two certificates. So far so good.
However, when I export the certificate, only the site certificate is exported and not the full chain.
How do I export the chain into a single file?
If I can't, is there a way I can glue the root certificate and the site certificate into a single file?
Check this out:
http://www-106.ibm.com/developerworks/java/library/j-certgen/?ca=dgr-jw17j-certgen
I hope it will help you. -
Java (JSSE), keytool and certificates
Hello,
I have a few basic problems with Certificates and JSSE.
I need to code a client-server program for company internal use. For this program I need a secure way of communication over TCP. Thus I thought SSL is the thing I need. Now I have a few basic problems with the 'SSL-Idea'.
What I know (or what I think to know):
The server has access to a private key which I previously generated with
keytool -genkey -dname "cn=Programm Name, ou=something, o=company name, c=country-code" -alias myalias -keypass keypass -keystore /some/where/keystore -storepass storepass -validity 180
well... the server has access to this keystore to decrypt any incoming data encrypted with the public key of this private key. Am I correct?
What I further (think to) know is that the client gets the signed public key after opening the socket to this server. After verifying the reliability of this public key, the client can now decrypt all outgoing data to the server with its public key. I think that the client now itself sends a key for further decryption to the server. Correct? The further encryption should now be a symmetric one.
My problem is now: Where is the public key? And how can I sign it?
What I already did:
keytool -certreq -alias myalias -file cert-request.csr -keystore /some/where/keystore
I think this is the request which I should send to some CA and get back the signed public key? If yes, is there a way to do it myself, because it's for internal use anyway?
And another thing: I read (and tried to understand) the JSSE Reference Guide and the contained examples (SSLSocketClientWithClientAuth and ClassFileServer). For these examples the server AND the client need access to the keystore, which I thought was the keystore containing the private key. But this couldn't be the truth, because the private key should only be accessible by the server.
which files are now needed on which side? And where to get these needed files?
Well, I need some kind of explanation help here and appreciative any help :)
Regards,
Martin
> The server has access to a private key which I previously generated with
> keytool -genkey -dname "cn=Programm Name, ou=something, o=company name, c=country-code" -alias myalias -keypass keypass -keystore /some/where/keystore -storepass storepass -validity 180
> well... the server has access to this keystore to decrypt any incoming data encrypted with the public key of this private key. Am I correct?
Yes.
> What I further (think to) know is that the client gets the signed public key after opening the socket to this server. After verifying the reliability of this public key, the client can now decrypt all outgoing data to the server with its public key. I think that the client now itself sends a key for further decryption to the server. Correct? The further encryption should now be a symmetric one.
More or less.
> My problem is now: Where is the public key? And how can I sign it?
The public key is in the keystore, and it was signed at the same time it and the private key were created.
> What I already did:
> keytool -certreq -alias myalias -file cert-request.csr -keystore /some/where/keystore
> I think this is the request which I should send to some CA and get back the signed public key? If yes, is there a way to do it myself, because it's for internal use anyway?
> And another thing: I read (and tried to understand) the JSSE Reference Guide and the contained examples (SSLSocketClientWithClientAuth and ClassFileServer). For these examples the server AND the client need access to the keystore, which I thought was the keystore containing the private key. But this couldn't be the truth, because the private key should only be accessible by the server.
> Which files are now needed on which side? And where do I get these needed files?
> Well, I need some kind of explanation help here and appreciate any help :)
> Regards,
> Martin
I think you are really asking several questions here, but I'll try to answer them.
When you use keytool -genkey, a keypair is created. A keypair consists of a private key and a public key. keytool stores the public key in a self-signed certificate. You can immediately use this self-signed certificate to make SSL connections, provided the peer has been configured to trust it. Most peers, e.g. IE and Mozilla, are configured to trust certificates signed by a set of well-known CAs and will complain when they receive your certificate. If you would like to avoid these complaints, you can get your certificate signed by one of these CAs. To do so, you would create a CSR using keytool -certreq, and send the CSR to the CA (along with $$$). The CA will do what they need to verify you and when satisfied they'll send you a certificate or certificate chain. You can then import this with keytool -import. This will replace the self-signed certificate that was there originally.
This describes what happens at the server side. You may optionally configure SSL to require client-side authentication. If you do, you must repeat the above process for each client. The clients do not share keystores with the server. -
Keytool generated keys portable to other platforms?
I generated asymmetric keys using Java Keytool on Windows NT. Are the keys portable to Unix ? Also, can programs like Perl, ASP read these keys? Thank you.
This is not completely correct. Keytool does not allow export of private keys. It is a real drag for developers.
You don't need to export anything. BTW, a PKCS#12 keystore can be created by using keytool with an appropriate JCE provider with PKCS#12 support. Then you can open it on other platforms that support PKCS#12 (i.e. Mozilla or MSIE web browsers can do it). For more detail on PKCS#12 refer to the OpenSSL PKCS#12 FAQ. http://www.drh-consultancy.demon.co.uk/pkcs12faq.html -
Use BC to generate certificate
Hello, everyone,
I am trying to generate my own certificate instead of asking for it from a CA such as verisign.com. And I know that the provider from Sun can not do that. So, I turned to the BC provider. But I really have no idea how to generate my certificate programmatically. Is there any tutorial or sample code about how to do that using BC? Or is there any other method to learn how to do that?
Your help is highly appreciated!
Regards
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;
// Old BC API (org.bouncycastle.x509), deprecated in favour of X509v3CertificateBuilder from bcpkix.
public class BcSelfSigned {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider()); // generateX509Certificate() signs through provider "BC"
        X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); // key pair algorithm
        keyPairGenerator.initialize(1024); // key size (1024-bit RSA is below any current minimum; use 2048 or more)
        KeyPair keyPair = keyPairGenerator.generateKeyPair(); // generate keys
        int usage = X509KeyUsage.digitalSignature | X509KeyUsage.dataEncipherment; // set key usage, it's optional
        X509KeyUsage keyUsage = new X509KeyUsage(usage);
        certificateGenerator.addExtension("2.5.29.15", false, keyUsage); // 2.5.29.15 = id-ce-keyUsage
        certificateGenerator.setSerialNumber(BigInteger.ONE); // set serial number
        String x509Name = "CN=SomeName";
        certificateGenerator.setIssuerDN(new X509Name(x509Name)); // issuer == subject: self-signed
        certificateGenerator.setSubjectDN(new X509Name(x509Name));
        Calendar nextYearDate = Calendar.getInstance();
        nextYearDate.add(Calendar.YEAR, 1); // Valid for 1 year
        certificateGenerator.setNotAfter(nextYearDate.getTime());
        certificateGenerator.setNotBefore(Calendar.getInstance().getTime());
        certificateGenerator.setSignatureAlgorithm("SHA1withRSA"); // SHA-1 signatures are rejected by modern clients; prefer SHA256withRSA
        certificateGenerator.setPublicKey(keyPair.getPublic());
        String alias = Long.toHexString(SecureRandom.getInstance("SHA1PRNG").nextLong()); // random alias for a KeyStore entry (unused below)
        X509Certificate certificate = certificateGenerator.generateX509Certificate(keyPair.getPrivate()); // sign with our own private key
        System.out.println(certificate);
    }
}
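The same job with the current Bouncy Castle builder API (X509V3CertificateGenerator, used above, is deprecated), written as an added example that is not from any of the posts on this page: an in-house CA that signs a server certificate, which also covers the earlier questions about setting a predefined serial number and about signing your own certificate for internal use instead of paying a CA. It assumes bcprov and bcpkix on the classpath; the organisation Example Corp, the host name app.internal.example, the password changeit and the output files server.p12 and ca.cer are made up for the example, and the serial 25fca39d is simply the one shown in the earlier thread.

```java
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Added example (not from the thread): an in-house CA and a server certificate it issues, bcpkix builder API. */
public class InHouseCa {

    static final long DAY_MS = 24L * 60 * 60 * 1000;

    static KeyPair newRsaKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);                       // 2048 is the floor today; 1024 is no longer accepted
        return kpg.generateKeyPair();
    }

    /**
     * Builds a certificate for subjectKey and signs it with issuerKey. The serial number is whatever the
     * caller passes (the earlier question asked for a predefined one). For a self-signed certificate the
     * issuer name and the signing key are the subject's own. dnsName == null means "this is the CA".
     */
    static X509Certificate issue(X500Name issuer, PrivateKey issuerKey, X500Name subject, PublicKey subjectKey,
                                 BigInteger serial, int validDays, String dnsName) throws Exception {
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validDays * DAY_MS);
        X509v3CertificateBuilder b =
                new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectKey);
        if (dnsName == null) {                      // CA certificate
            b.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); // cA=true, no sub-CAs
            b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        } else {                                    // end-entity (TLS server) certificate
            b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
            b.addExtension(Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
            // Modern TLS clients match the host name against SAN, not against CN.
            b.addExtension(Extension.subjectAlternativeName, false,
                    new GeneralNames(new GeneralName(GeneralName.dNSName, dnsName)));
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = (args.length > 0 ? args[0] : "changeit").toCharArray(); // assumed default, example only

        // 1. The in-house CA: self-signed, so issuer == subject and it is signed with its own key.
        X500Name caName = new X500Name("CN=Internal Test CA, O=Example Corp");   // made-up name
        KeyPair caKeys = newRsaKeyPair();
        X509Certificate caCert = issue(caName, caKeys.getPrivate(), caName, caKeys.getPublic(),
                BigInteger.valueOf(1000), 3650, null);

        // 2. The server: its own key pair, certificate signed by the CA key; serial taken from the thread above.
        String host = "app.internal.example";                                      // made-up host
        X500Name serverName = new X500Name("CN=" + host + ", O=Example Corp");
        KeyPair serverKeys = newRsaKeyPair();
        X509Certificate serverCert = issue(caName, caKeys.getPrivate(), serverName, serverKeys.getPublic(),
                new BigInteger("25fca39d", 16), 365, host);

        // 3. Check the chain the way a client will: leaf verifies under the CA key, CA verifies under itself.
        serverCert.verify(caCert.getPublicKey());
        caCert.verify(caCert.getPublicKey());

        // 4. Server key plus chain (leaf first) into a PKCS12 keystore that Tomcat or keytool can read.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("server", serverKeys.getPrivate(), pw, new X509Certificate[] { serverCert, caCert });
        try (FileOutputStream out = new FileOutputStream("server.p12")) {
            ks.store(out, pw);
        }
        // 5. The CA certificate alone (DER) is what clients import into their truststore with keytool -importcert.
        try (FileOutputStream out = new FileOutputStream("ca.cer")) {
            out.write(caCert.getEncoded());
        }
        System.out.println("issued " + serverCert.getSubjectX500Principal() + " serial "
                + serverCert.getSerialNumber().toString(16) + " signed by " + serverCert.getIssuerX500Principal());
    }
}
```

Afterwards, keytool -list -v -keystore server.p12 -storetype PKCS12 shows the two-certificate chain under the alias server. Only ca.cer is handed to clients; the CA private key never leaves the machine that runs this, which is the whole difference between "users must add the certificate to their trusted list" and a certificate from a public CA: the cryptography of the TLS session is identical, only who vouches for the public key changes.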
Generating certificates pem file
Hi,
I am new to configuring client side ssl, I understand
the client (which will actually run inside WLS 8.1) needs to specify programmatically or by a system property a .pem file containing trusted servers' certificates. So if I understand correctly, I might have a couple of certificates, each from a different server I will be communicating with, so how should I "merge" them into one .pem file? Shouldn't there be some command line tool available? Or should they simply be inserted manually into the same file with the
"-----BEGIN CERTIFICATE-----"
"-----END CERTIFICATE-----"
header/footer to separate them?
Any help would be appreciated,
Thanks,
Uri.
That's also what I thought.
I am actually using BEA's JRockit but I suppose they have a keytool similar to the one Sun provides.
I know how to import a CA certificate to a truststore,
The thing is I need to invoke a web service via ssl, and as I was reading through the docs I encountered this section, regarding the configuration of ssl client in WebLogic:
<i>To configure basic SSL support for your client application, follow these steps:
Set the filename of the file containing trusted Certificate Authority (CA) certificates. Do this by either:
Setting the System property weblogic.webservice.client.ssl.trustedcertfile to the name of the file that contains a collection of PEM-encoded certificates.
Executing the BaseWLSSLAdapter.setTrustedCertificatesFile(String ca_filename) method in your client application.</i>
(http://e-docs.bea.com/wls/docs81/webserv/security.html#1053203)
Maybe I misunderstood the text and PEM is simply the default encoding? That is, the encoding used for any JKS? -
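As an added example, not from any of the posts, here is how both of the questions above, exporting a keystore's certificate chain into a single file and merging several certificates into one .pem file, work out with only the JDK: PEM is base64 DER between BEGIN/END lines, blocks are simply concatenated, and CertificateFactory.generateCertificates reads such a bundle straight back. It also prints, for every certificate, the fields that actually distinguish a self-signed certificate from a CA-signed one (issuer, signature algorithm, key size, whether it verifies under its own key), which is the point of the first thread on this page. Keystore path, password, alias and output file are command-line arguments; none of them are named on the page, and the PKCS12-or-JKS guess from the file extension is an assumption of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.List;

/** Added example (not from the thread): keystore chain -> one PEM file -> parsed back and inspected. */
public class PemChain {

    /** Reads the chain stored under an alias: leaf first, then its issuers, as keytool -list -v shows it. */
    static List<X509Certificate> chainFromKeystore(String path, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(path.endsWith(".p12") ? "PKCS12" : "JKS"); // assumption: type by extension
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        Certificate[] chain = ks.getCertificateChain(alias);   // null for trusted-cert entries or unknown alias
        if (chain == null) throw new IllegalArgumentException("no key entry with a chain for alias " + alias);
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : chain) out.add((X509Certificate) c);
        return out;
    }

    /** PEM is base64 DER between BEGIN/END markers; concatenating the blocks is a valid bundle. */
    static String toPemBundle(List<X509Certificate> chain) throws Exception {
        Base64.Encoder enc = Base64.getMimeEncoder(64, new byte[] { '\n' }); // 64-char lines, as OpenSSL writes them
        StringBuilder sb = new StringBuilder();
        for (X509Certificate c : chain) {
            sb.append("-----BEGIN CERTIFICATE-----\n")
              .append(enc.encodeToString(c.getEncoded())).append('\n')
              .append("-----END CERTIFICATE-----\n");
        }
        return sb.toString();
    }

    /** The JDK parser already understands concatenated PEM: one bundle in, every certificate out, in order. */
    static List<X509Certificate> fromPemBundle(byte[] pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(pem));
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : certs) out.add((X509Certificate) c);
        return out;
    }

    /** What differs between a self-signed and a CA-signed certificate: who signed it, and how strongly. */
    static String describe(X509Certificate c) {
        boolean selfSigned;
        try {
            c.verify(c.getPublicKey());              // succeeds only if it was signed with its own key
            selfSigned = true;
        } catch (Exception e) {
            selfSigned = false;
        }
        int bits = c.getPublicKey() instanceof RSAPublicKey
                ? ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength() : -1;
        return String.format("%s%n  issuer=%s%n  serial=%s sigalg=%s keybits=%d self-signed=%b",
                c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                c.getSerialNumber().toString(16), c.getSigAlgName(), bits, selfSigned);
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: PemChain <keystore> <storepass> <alias> <out.pem>");
            return;
        }
        List<X509Certificate> chain = chainFromKeystore(args[0], args[1].toCharArray(), args[2]);
        String pem = toPemBundle(chain);
        try (OutputStream out = new FileOutputStream(args[3])) {
            out.write(pem.getBytes(StandardCharsets.US_ASCII));
        }
        // Round trip: read the bundle back exactly as a client truststore loader would, and show what is in it.
        for (X509Certificate c : fromPemBundle(pem.getBytes(StandardCharsets.US_ASCII))) {
            System.out.println(describe(c));
        }
    }
}
```

For the WebLogic case above, a trustedcertfile is just such a bundle: one BEGIN/END block per server certificate (or, better, per CA that signed them), appended one after another; the same file is what `keytool -importcert` or OpenSSL's `-CAfile` will accept.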
Generate Certificates for WLC and clients
Hi Guys
I've been working according to the following document to integrate my WLC 5508 with LDAP for internal users:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
However, when I try to generate the device certificate on Windows Server 2012, I see the steps are different. For example, when I reach step 4 (of the "Generate a Device Certificate for the WLC" section), the CA asks me for a Certificate Signing Request instead of the "Create and submit request to this CA" option that appears in the document.
How do I get this?
Thanks in advance for your support!
Marcelo
Hi,
If you are trying to get a device certificate for the WLC, then you may need to use third-party software like OpenSSL for this.
Below post may help you to see how you can do this
http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
HTH
Rasika
*** Pls rate all useful responses **** -
Error generating certificate request in JES DSEE 6.0
If I try to generate a CA signed certificate request through the DSCC interface, I get an error message that the given subject "CN=...,O=..." is improperly formatted.
I get the same error while performing this operation through command line.
Any kind of help on what could be the reason for the same, is highly appreciated.
Thanks
Prabhjeet
Well, the fact that both tools are issuing the same error is an indication that there really is an improper format in the Subject DN. Without the complete value, it is hard to explain the reason.
Do the CN and O values only contain ASCII characters, or UTF-8 encoded characters?
Regards,
Ludovic.