Keytool self-signed certificate.

Using Keyman on hp-unix. Wanted to create self-signed certificate.
When I tried to create, it asked to create keys. I created them. Then I could select self-signed and create it. This is listed under private certificates. Now what to do? For somebody to trust this certificate, do I have to take it to another database on another box?
Say I created a private certificate pc1 at Box1. For Box2 to trust Box1, I guess I need to take this certificate and put it on Box2 (exporting from Box1 and importing to Box2). Is this what I am supposed to do? Or am I understanding something different? If I am correct, it (keyman) is not giving me an option to export the certificate.
Please help.

Using ikeyman, Not keytool

Similar Messages

  • Keytool, Self-Signed Certificates, InvalidKeyException .. Help

    I'm going out of my mind here... can someone please help me. Keep in mind that I'm a newbie to all of this security stuff ..
    I've generated a certificate using the keytool, as follows
    keytool -genkey -alias victor
    This creates the keystore, etc. I then export the certificate to a file, victorcertificate.cer and drop that into my client location.
    Now the client opens up the Certificate, using a CertificateFactory.getInstance("X.509")
    Here's the problem .. I cannot initialize a Cipher!!
    Here is the code below:
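         import java.io.File;
         import java.io.FileInputStream;
         import java.io.FileOutputStream;
         import java.io.OutputStream;
         import java.security.cert.Certificate;
         import java.security.cert.CertificateFactory;
         import javax.crypto.Cipher;
         import javax.crypto.CipherOutputStream;

         public class Main {
              public static void main(String[] args) {
                   try {
                        if(args[1].equals("0")) {
                             String home = System.getProperty("user.home");
                             System.out.println("Home Directory: "+home);
                             // Read the exported certificate from the user's home directory
                             CertificateFactory cf = CertificateFactory.getInstance("X.509");
                             FileInputStream fis = new FileInputStream(home+File.separator+args[0]);
                             Certificate c = cf.generateCertificate(fis);
                             Cipher cipher = Cipher.getInstance(args[2]);
                             // The post reports the InvalidKeyException on this call when args[2] is DES
                             cipher.init(Cipher.ENCRYPT_MODE, c);
                             OutputStream ous = new CipherOutputStream(new FileOutputStream("data.file"), cipher);
                             ous.write("This is encrypted data".getBytes());
                             ous.close();
                        } else {
                             System.out.println("Decrypting .. ");
                        }
                   } catch(Throwable e) {
                        System.out.println("Exception: "+e.getMessage());
                        e.printStackTrace();
                   }
              }
         }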
    The command line is as follows: java Main victorcertificate.cer 0 <Algorithm>
    When I input DES as the algorithm I get the following exception.
    Exception: null
    java.security.InvalidKeyException
    at com.sun.crypto.provider.DESCipher.engineGetKeySize(DashoA6275)
    at javax.crypto.Cipher.init(DashoA6275)
    at javax.crypto.Cipher.init(DashoA6275)
    at Main.main(Main.java:36)
    I don't understand any of this. I even tried setting the algorithm to RSA (don't ask me why) and I get a NoSuchAlgorithmException..
    My regional settings on my Win2000 box are fine. All of the jar files are in my classpath, and I'm using 1.4.
    Any help would be well appreciated.
    Thanks,
    Victor

    I'm not sure I understand this .. I've created a default certificate using keytool. The default is SHA1withDSA as the signing algorithm on the certificate.
    So, now I'm trying to get a Cipher instance and initialize it with this certificate. Are you saying I should do something as follows:
    Cipher.getInstance(Cipher.ENCRYPT_MODE, "PK");
    If this is the case, do I just need to register the Cryptix library or something?
    Thanks

  • Steps to create your own self signed certificate with java plugin working

    You need two tools that come with your jdk, which are keytool and jarsigner.
    Steps explain below in detail. Don't use netscape signtool, it will NEVER work!
    * keytool -genkey -keyalg rsa -alias tstkey -keypass 2br2h2m -dname "cn=Test Object Signing Certificate, o=AI Khalil, ou=Java Products, c=AU"
    cn = Certificate name
    o = organisation
    ou = organisation unit
    c = country (first two letters)
    If you don't put the -dname, you can fill it in line by line.
    The -keypass has to be verified at the end, and you have to wait for it to create the rsa signing keys.
    On NT by default it will put the alias information at D:\WINNT\Profiles\Administrator (if logged in as administrator) with the default file called ".keystore". Windows 98 etc, don't know, search for the .keystore file. When you update it, check for the timestamp change and you know if you are at the right spot.
    You can store your alias information via the -storepass option to your current directory you work on, if you don't want to update the default .keystore file?
    The .keystore contains a list of aliases so you don't have to do this process again and again.
    Another tip: if you want your certificate encryption validity to be more than the default one month, simply add the -validity <valDays> after the -genkey option, to make your certificate usage for encryption last much longer.
    Note: You MUST use the -keyalg rsa because for starters the rsa encryption algorithm is supported on ALL browsers instead of the default DSA and the other one SHA. Java plugins must work with the RSA algorithm when signing applets, else you will get all sorts of weird errors :)
    Do not use signtool because that's a browser dependent solution!! Java plugin is supposed to work via running its own jre instead of the browser JVM. So if you're going to use netscape signtool, it starts to become a mess! ie certificate will install, but applet won't start and give you funny security exception errors :)
    * keytool -export -alias tstkey -file MyTestCert.crt
    It will read the alias information in the .keystore, picking up the rsa private/public keys info, and create your self-signed certificate. You can double click this certificate to install it? But don't think this step is needed but maybe for IE? Someone else can check that part.
    If you make a mistake with the alias, simply keytool -delete -v -alias <your alias key>
    If not in default .keystore file, then simply keytool -delete -v -alias <your alias key> -keystore <your keystore filename>
    * Put your classes in your jar file, my example is tst.jar.
    * jarsigner tst.jar tstkey
    Sign your testing jar file with your alias key that supports the RSA encryption algorithm.
    * jarsigner -verify -verbose -certs tst.jar
    Check that it's been verified.
    The last step is the most tricky one. It's to do with having your own CA (Certified Authority) so you don't have to fork out money straight away to buy a Verisign or Thawte certificate. The CA listing as you see in netscape browsers under security/signers is NOT where the plugin looks. The plugin looks at a file called CACERTS. Another confusion is that the cacerts file is stored in your jre/lib/security AND also at your JavaSoft/Jre/<Java version>/lib/security. When you install the Java plugin for the first time it uses your JavaSoft folder, and it's the cacerts file there that has to be updated when you add your own CA, because that's where the plugin looks, NOT THE BROWSER. Everything about plugin is never to do with the browser!! :)
    * keytool -import -file MyTestCert.crt -alias tstkey -keystore "D:\Program Files\JavaSoft\JRE\1.3.1\lib\security/cacerts"
    Of course point to your own cacerts file destination.
    Password to change it, is "changeit"
    Before you do this step make a copy of it in its own directory in case you do something silly.
    This example will add a CA with alias of my key called "tstkey" and store to my example destination.
    * keytool -list -v -keystore "E:/jdk/jdk1.3/jre/lib/security/cacerts"
    List to see if another CA is added with your alias key.
    Your html, using Netscape embed and Internet Explorer object tags to point to the java plugin, your own self sign applet certificate should work
    Cheers
    Abraham Khalil

    I followed Signed Applet in Plugin, and it's working on my computer. Thanks
    But when I open my applet from another computer on the network, why does it not work?
    How do I make this applet work on another computer without changing the policy file?
    thanks in advance,
    Anom

    You must install the certificate on that computer's plugin. Can this be done from the web? Can anyone suggest a batch file or otherwise that could do this for end users?
    I want a way for end users to accept my cert as Root or at least trust my cert so I don't have to buy one. I am not worried about my users refusing to accept my cert. Just how do I make it easy for them? IE you can just click the cert from a link, but that installs for IE, and not the plugin where it needs to be.

  • Problem with placing self-signed certificate in trust store on WLS 10.3

    I have had some problems setting up two-way SSL on WLS 10.3.2.
    1. I have not been able to use the java properties listed on
    http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
    to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
    -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
    -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
    -DUseSunHttpHandler=true
    -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
    2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
    CA cert not marked with critical BasicConstraint indicating it is a CA
    Certificate chain is invalid
    which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
    by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
    Has anyone else noticed this?
    3. The error I get is
    ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server
    <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during handshake, stack trace follows
    java.lang.NullPointerException
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
    at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
    ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
    alert with type 40?
    4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
    ** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
    -dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
    -storepass mypass -keypass mypass
    ** exported a DER format head certificate of mykey into mykey.cer.der
    ** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
    Any comments appreciated and thanks for this forum.

    Faisal,
    Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive. The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is quite impressive, thank you so much for this!
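The two conditions this thread reports (a validity date outside the 1970 to 2105 range quoted in the reply, and a self-signed entry without a critical BasicConstraints CA flag) can be checked on a trust store before it is deployed. The following is an added example, not code from the thread or from WebLogic; the class name, the year-based reading of the quoted bounds and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

// Hypothetical helper: audits every certificate in a JKS store, e.g. the DemoTrust.jks from step 4.
public class TrustStoreAudit {
    // Year bounds as quoted in the reply above; treating them as calendar years is an assumption.
    static final int MIN_YEAR = 1970;
    static final int MAX_YEAR = 2105;
    // OID of the X.509 BasicConstraints extension.
    static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";

    static int utcYear(Date d) {
        return d.toInstant().atZone(ZoneOffset.UTC).getYear();
    }

    /** Returns the findings for one certificate; an empty list means nothing to report. */
    static List<String> check(X509Certificate cert) {
        List<String> findings = new ArrayList<>();
        if (utcYear(cert.getNotBefore()) < MIN_YEAR) {
            findings.add("notBefore " + cert.getNotBefore() + " is before " + MIN_YEAR);
        }
        if (utcYear(cert.getNotAfter()) > MAX_YEAR) {
            findings.add("notAfter " + cert.getNotAfter() + " is after " + MAX_YEAR);
        }
        // A self-issued certificate acts as its own CA, so it is the one the
        // "CA cert not marked with critical BasicConstraint" message is about.
        boolean selfIssued = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        if (selfIssued) {
            // getBasicConstraints() returns -1 when the extension is absent or cA is false.
            // getCriticalExtensionOIDs() returns null when the certificate has no extensions.
            Set<String> critical = cert.getCriticalExtensionOIDs();
            if (cert.getBasicConstraints() < 0) {
                findings.add("self-issued, but BasicConstraints does not mark it as a CA");
            } else if (critical == null || !critical.contains(BASIC_CONSTRAINTS_OID)) {
                findings.add("BasicConstraints marks it as a CA, but the extension is not critical");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustStoreAudit <keystore.jks> <storepass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // only X.509 entries carry these fields
            }
            List<String> findings = check((X509Certificate) c);
            if (findings.isEmpty()) {
                System.out.println("[ok]   " + alias);
            } else {
                flagged++;
                for (String f : findings) {
                    System.out.println("[flag] " + alias + ": " + f);
                }
            }
        }
        // Non-zero exit status lets a deployment script stop on a flagged store.
        System.exit(flagged == 0 ? 0 : 1);
    }
}
```

Run against the store built in step 4, the certificate generated with -validity 35600 is flagged on its notAfter date, which matches the 2108 expiry quoted in the reply.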

  • How do we create self-signed certificate using java packages

    Hi All,
    I require some information on creating self-signed certificate using java packages.
    The java.security.cert.* package allows you to read Certificates from an existing store or a file etc. but there is no way to generate one afresh. See CertificateFactory and Certificate classes. Even after loading a certificate you cannot regenerate some of its fields to embed the new public key – and hence regenerate the fingerprints etc. – and mention a new DN. Essentially, I see no way from java to self-sign a certificate that embeds a public key that I have already generated.
    I want to do the equivalent of 'keytool -selfcert' from java code. Please note that I am not trying to do this by using the keytool command line option – it is always a bad choice to execute external process from the java code – but if no other ways are found then I have to fall back on it.
    Regards,
    Chandra

    > I require some information on creating self-signed certificate using java packages.
    It's not possible because JCE/JCA doesn't have implementation of X509Certificate. For that you have to use any other JCE Provider e.g. BouncyCastle, IAIK, Assembla and etc.
    I'm giving you sample code for producing a self-signed certificate using IAIK JCE. Note that IAIK JCE is not free. But you can use BouncyCastle; it's open source and free.
    /**Generating and Initialising the Public and Private Keys*/
      public KeyPair generateKeys() throws Exception
      {
          //1 - Key Pair Generated [Public and Private Key]
          m_objkeypairgen = KeyPairGenerator.getInstance("RSA");
          m_objkeypair = m_objkeypairgen.generateKeyPair();
          System.out.println("Key Pair Generated....");
          //Returns Both Keys [Public and Private]
          return m_objkeypair;
      }
    /**Generating and Initialising the Self Signed Certificate*/
      public X509Certificate generateSSCert() throws Exception
      {
        //Creates Instance of X509 Certificate
        m_objX509 = new X509Certificate();
        //Creating Calendar Instance
        GregorianCalendar obj_date = new GregorianCalendar();
        Name obj_issuer = new Name();
        obj_issuer.addRDN(ObjectID.country, "CountryName");
        obj_issuer.addRDN(ObjectID.organization ,"CompanyName");
        obj_issuer.addRDN(ObjectID.organizationalUnit ,"Deptt");
        obj_issuer.addRDN(ObjectID.commonName ,"Valid CA Name");
        //Self Signed Certificate
        m_objX509.setIssuerDN(obj_issuer); // Sets Issuer Info:
        m_objX509.setSubjectDN(obj_issuer); // Sets Subjects Info:
        m_objX509.setSerialNumber(BigInteger.valueOf(0x1234L));
        m_objX509.setPublicKey(m_objkeypair.getPublic());// Sets Public Key
        m_objX509.setValidNotBefore(obj_date.getTime()); //Sets Starting Date
        obj_date.add(Calendar.MONTH, 6); //Extending the Date [Cert Validation Period (6-Months)]
        m_objX509.setValidNotAfter(obj_date.getTime()); //Sets Ending Date [Expiration Date]
        //Signing Certificate With SHA-1 and RSA
        //JCE doesn't have that specific implementation, so that is why we need
        //another provider e.g. BouncyCastle, IAIK etc.
        m_objX509.sign(AlgorithmID.sha1WithRSAEncryption, m_objkeypair.getPrivate());
        System.out.println("Start Certificate....................................");
        System.out.println(m_objX509.toString());
        System.out.println("End Certificate......................................");
        //Returns Self Signed Certificate.
        return m_objX509;
      }
      //****************************************************************

  • Is it possible to install a self-signed certificate to a phone?

    I made a self-signed certificate with KeyTool and I used the corresponding private key to sign a MIDlet with the jarsigner tool.
    Now I don't know how to install the certificate on my phone. I also want to know whether it is possible to do this.
    thanks.

    Hi,
    Check out this
    http://www.spindriftpages.net/pebble/dave/2006/06/18/1150641917692.html
    thanks,
    anup

  • How to import the self-signed certificate in runtime

    HI.
    I am working on connecting a JSSE client to an OpenSSL server that uses a self-signed certificate.
    But I get an SSLSocketException during the handshake.
    Many solutions are posted on this page.
    But they all use keytool.
    My application connects to many sites that use self-signed certificates.
    So I want to import the certificate at run time.
    How can I do that?
    Please answer me.
    Thanks,

    did you figure this out??? I need to know how to accept a self-signed certificate, otherwise it's this exception...
    D:\javatools\apis\jsse1.0.2\samples\urls>java -cp jcert.jar;jnet.jar;jsse.jar;. URLReader
    Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write([DashoPro-V1.2-120198])
    at java.io.OutputStream.write(OutputStream.java:61)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
    at java.net.URL.openStream(URL.java:798)
    at URLReader.main(URLReader.java:46)

  • Flyspray email notification using self signed certificates

    Hi all, I've been having an issue with flyspray sending notification emails through a SMTP server (running on localhost) which uses submission (port 587) and starttls with a self signed certificate. Whenever a notification would be sent I receive an error like the following:
    Notice: Undefined property: Swift_Transport_StreamBuffer::$_sequence in /usr/share/webapps/flyspray/includes/external/swift-mailer/classes/Swift/Transport/StreamBuffer.php on line 236
    Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /usr/share/webapps/flyspray/includes/external/swift-mailer/classes/Swift/Transport/StreamBuffer.php on line 102
    Completely unexpected exception: Unable to connect with TLS encryption
    This should never happend, please inform Flyspray Developers
    For the time being I just disabled notification all together. But this is a pretty big problem for me as I would like to avoid having to come to the web to view bugs I'm working on. Eventually I will create my own personal CA and this problem will become a non-issue, but until the time comes I'd love a work around (preferably not too dirty if at all possible).
    Thanks for the help.

    Hi Jerome,
    The certificate may have been generated incorrectly but I would suggest logging
    a support case.
    Kind Regards,
    Richard Wallace
    Senior Developer Relations Engineer
    BEA Support.
    "Jerome Cahuzac" <[email protected]> wrote:
    >
    >
    >
    I want to enable HTTPS protocol with WebLogic Server 5.1
    I want to use a self signed certificate generated with the JDK keytool.
    I've successfully generated it and exported a dummy.cer file.
    I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
    and I've got this exception
    java.lang.NullPointerException:
    at weblogic.security.RSAKey.toString(RSAKey.java:203)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.security.X509.toString(X509.java:261)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
    at java.lang.Thread.run(Thread.java:479)
    mar. déc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration
    Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
    What's the right way to do this ?

  • How to use self-signed certificate to verify others certificate?

    the self-signed certificate and keys acts as CA like VeriSign
    alias =SelfSignCA
    keystore = SelfSignLib
    certificate = SelfSign.cer
    certificate to be verified
    alias = companyCA
    certificate = companyLib
    csr file = company.csr
    How to use keytool to verify/sign the company certificate? Thank you.

    Well, this might not be much help, but for 10g, on AIX, docID 1171558.1 describes how to create a new certificate.
    Not sure how relevant it will be for 11g, sorry :(

  • How to use Self Signed certificate with SSLServerSocket?

    Hello to all.
    I'm trying to build a simple client/server system which uses SSLSocket to exchange data. (JavaSE 6)
    The server must have its own certificate, clients don't need one.
    I started with this
    http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
    To generate key for the server and a self signed certificate.
    To sum it up:
         Create a new keystore and self-signed certificate with corresponding public/private keys.
    keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
         Export and examine the self-signed certificate.
    keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
         Import the certificate into a new truststore.
    keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
    Then in my server code I do
    System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
    Socket s = sslServerSocket.accept();
    I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
    Can it be a problem with the certificate? When using -validity <days> in keytool the certificate gets self-signed, so it should work if I'm not wrong.
    I have also tried this solution
    serverKeyStore = KeyStore.getInstance( "JKS" );
    serverKeyStore.load( new FileInputStream("/scratch/stores/server.jks" ),
         "123456".toCharArray() );
    tmf = TrustManagerFactory.getInstance( "SunX509" );
    tmf.init( serverKeyStore );
    sslContext = SSLContext.getInstance( "TLS" );
    sslContext.init( null, tmf.getTrustManagers(),secureRandom );
    SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
    SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port );
    and still it doesn't work.
    So what am I missing?

    You were right. I corrected the mistakes in the server code, now it's
         private SSLServerSocket setupSSLServerSocket(){
              try {
                   SSLContext sslContext = SSLContext.getInstance( "TLS" );
                   // The server's key pair and certificate come from the keystore
                   KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
                   KeyStore ks = KeyStore.getInstance("JKS");
                   ks.load(new FileInputStream(_KEYSTORE), _KEYSTORE_PASSWORD.toCharArray());
                   km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
                   /*
                    * To be used with a truststore if client authentication is needed
                    * TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
                    * tm.init(ks);
                    */
                   sslContext.init(km.getKeyManagers(), null, null);
                   SSLServerSocketFactory f = sslContext.getServerSocketFactory();
                   SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(_PORT);
                   return ss;
              } catch (UnrecoverableKeyException e) {
                   e.printStackTrace();
              } catch (KeyManagementException e) {
                   e.printStackTrace();
              } catch (NoSuchAlgorithmException e) {
                   e.printStackTrace();
              } catch (KeyStoreException e) {
                   e.printStackTrace();
              } catch (CertificateException e) {
                   e.printStackTrace();
              } catch (FileNotFoundException e) {
                   e.printStackTrace();
              } catch (IOException e) {
                   e.printStackTrace();
              }
              return null;
         }
    and on the client code
    private SSLSocket setupSSLClientSocket(){
         try {
              SSLContext sslContext = SSLContext.getInstance( "TLS" );
              /* SERVER
              KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
              km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
              */
              // The client only needs a truststore holding the server's certificate
              KeyStore clientks = KeyStore.getInstance("JKS");
              clientks.load(new FileInputStream(_TRUSTSTORE), _TRUSTSTORE_PASS.toCharArray());
              TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
              tm.init(clientks);
              sslContext.init(null, tm.getTrustManagers(), null);
              SSLSocketFactory f = sslContext.getSocketFactory();
              SSLSocket sslSocket = (SSLSocket) f.createSocket("localhost", _PORT);
              return sslSocket;
         } catch (KeyManagementException e) {
              e.printStackTrace();
         } catch (NoSuchAlgorithmException e) {
              e.printStackTrace();
         } catch (KeyStoreException e) {
              e.printStackTrace();
         } catch (CertificateException e) {
              e.printStackTrace();
         } catch (FileNotFoundException e) {
              e.printStackTrace();
         } catch (IOException e) {
              e.printStackTrace();
         }
         return null;
    }
    and added a System.out.println(sslSocket); after every incoming message (server side) and SSL is now fully working!
    So my mistakes were:
    [] Incorrect setup done by code
    [] Incorrect and insufficient println() of socket status
    Now that everything works, I've deleted all this manual setup and just use the system properties. (They MUST be set before getting the Factory)
    SERVER SIDE:
    System.setProperty("javax.net.ssl.keyStore", _KEYSTORE);
    System.setProperty("javax.net.ssl.keyStorePassword", _KEYSTORE_PASSWORD);
    SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    SSLServerSocket sslServerSocket = (SSLServerSocket) f.createServerSocket(_PORT);
    CLIENT SIDE:
    System.setProperty("javax.net.ssl.trustStore", "/scratch/stores/client.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "client");
    SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) f.createSocket(_HOST, _PORT);
    And everything is working as expected. Thank you!
    I hope my code will help someone else in the future.
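The earlier question about importing a self-signed certificate at run time, and the client half of this thread, both come down to building a trust store in memory instead of with keytool. The following is an added example, not code from either thread: it loads the server.cer exported with `keytool -export ... -rfc` above into an empty in-memory KeyStore and trusts only that certificate. The class name, argument order and the "pinned-server" alias are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical client: trusts exactly one self-signed server certificate, loaded at run time.
public class RuntimeTrustClient {

    /** Reads a DER or PEM (-rfc) encoded certificate file. */
    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** SHA-256 fingerprint in the colon-separated form that keytool -list -v prints. */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Builds an SSLContext whose only trust anchor is the given certificate. */
    static SSLContext contextTrustingOnly(X509Certificate cert) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                            // empty store, nothing read from disk
        trust.setCertificateEntry("pinned-server", cert);  // alias is arbitrary
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);      // no client key: server-only authentication
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java RuntimeTrustClient <server.cer> <host> <port>");
            System.exit(2);
        }
        X509Certificate cert = loadCertificate(args[0]);
        // Compare this value out of band with the fingerprint shown on the server side
        // before relying on the file; a self-signed certificate has no CA vouching for it.
        System.out.println("Trusting " + cert.getSubjectX500Principal()
                + " SHA-256 " + sha256Fingerprint(cert));

        SSLContext ctx = contextTrustingOnly(cert);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[1], Integer.parseInt(args[2]))) {
            // A plain SSLSocket does not check the host name unless asked to.
            // Assumption: the certificate's CN or subjectAltName matches <host>.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake OK, cipher suite "
                    + socket.getSession().getCipherSuite());
        }
    }
}
```

Because the context is built per certificate, an application that talks to several self-signed servers can keep one context per server and leave the JVM-wide trust store untouched.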

  • MTLS using self-signed certificates

    We have an Expressway-C and Expressway-E setup in labs. While setting up a secure (TLS) traversal zone between C and E, can we use self-signed certs instead of trusted CA certs? (Will importing the C self-signed cert on to E and vice versa suffice for MTLS?)

  • "Self-Signed" Certificates

    Hello people,
    I was trying to make my own certificate, but I was not successful. I've followed the "ten steps for sign an applet" posted in this forum. Do I have to do something in order to avoid editing the policy file on every client's machine?
    I downloaded the root certificate from thawte, may it be useful?
    Thanks and regards.

    The root certificate from Thawte is no use to you if you are using self signed certificates. It is only of use for certificates that are signed by Thawte.
    Make sure the certificate you are generating is a code signing certificate, not some other type (server or client certificate). You may need to add your certificate to the CA certificate list in all the clients. For the Microsoft JVM, you can add it into the IE store by generating the right format certificate (I don't recall what that is so you will need to research this) and double clicking it. For the Java plugin, you will probably need to import it into the Java cacerts file using keytool.

  • Problems with Creating a self-signed Certificate

    hi,
    I read the keytool Documentation and wanted to create my own self-signed certificate.
    ok, I followed the steps :
    1) keytool -keyclone -alias origkey -dest my_key
    2) keytool -selfcert -alias my_key -dname "cn=Stefan Gross, ou=Computers, o=notintersting, c=D"
    3) keytool -certreq -alias my_key (output in mycert.cer)
    4) keytool -certreq -alias my_key -sigalg X.509 -file newcert.cer
    .. Password Input...
    Keytool-Error: java.lang.Exception: Alias <my_key> does not exist.
    But it exists, see :
    [usr]$ keytool -list
    Keystore-Typ: jks
    Keystore-Provider: SUN
    new_key, 06.05.2003, keyEntry,
    So it exists, but why do I get the error ?
    So far,
    Stefan Gross

    stefan hi,
    i have tried to produce a certificate my_cert.cer and it went well. as far as i understood you have to create a keystore first. this keystore holds a key pair.
    and then using the keystore you can create as many certificates as possible based on the key pair.
    try following the steps below. it should work, i mean i have followed them and all was fine. you can find the original form of the following from documentation of keytool (sun).
    hope this time it'll work, let me know.
    cem.
    note: the last step is importing the certificate to the keystore which is not necessary if you only want the certificate.
    To set up a digital certificate,
    Generate a key pair.
    The keytool utility enables you to generate the key pair. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptographic Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates.
    To generate the keystore file, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file, for example, server.keystore. If you are using the Tomcat server, the file must either be named .keystore and located in the home directory of the machine on which Tomcat is running, or you will need to tell Tomcat where the keystore file is by adding a keystoreFile attribute to the <Factory> element in the Tomcat configuration file or by specifying the location of the file on the Connector (8443) node of admintool.
    keytool -genkey -keyalg RSA -alias tomcat-server -keystore <keystore_filename>
    The keytool utility prompts you for the following information:
    Keystore password--Enter the default password, which is changeit. Refer to the keytool documentation for information on changing the password.
    First and last name--Enter the appropriate value, for example, JWSDP.
    Organizational unit--Enter the appropriate value, for example, Java Web Services.
    Organization--Enter the appropriate value, for example, Sun Microsystems.
    City or locality--Enter the appropriate value, for example, Santa Clara.
    State or province--Enter the unabbreviated name, for example, CA.
    Two-letter country code--For the USA, the two-letter country code is US.
    Review the information you've entered so far, enter Yes if it is correct.
    Key password for the Web server--Do not enter a password. Press Return.
    The next step is generate a signed certificate for this keystore. A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, continue with Creating a Self-Signed Certificate. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.
    Creating a Self-Signed Certificate
    This example assumes that the keystore is named server.keystore, the certificate file is server.cer, and the CA file is cacerts.jks. Run these commands in your <HOME> directory so that they are created there.
    Export the server certificate to a certificate file:
    keytool -keystore server.keystore -export -alias tomcat-server -file server.cer
    Enter the password (changeit).
    Keytool returns the following message:
    Certificate stored in file <server.cer>
    Import the new server certificate into the Certificate Authority file cacerts.jks:
    keytool -import -alias serverCA -keystore <HOME>/cacerts.jks -file server.cer
    Enter the password (changeit).
    Keytool returns a message similar to the following:
    Owner: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
    Issuer: CN=JWSDP, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
    Serial number: 3e39e3e0
    Valid from: Thu Jan 30 18:48:00 PST 2003 until: Wed Apr 30 19:48:00 PDT 2003
    Certificate fingerprints:
    MD5: 44:89:AF:54:FE:79:66:DB:0D:BE:DC:15:A9:B6:09:84
    SHA1: 21:09:8A:F6:78:E5:C2:19:D5:FF:CB:DB:AB:78:9B:98:8D:06:8C:71
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    ----------------------------------

  • Using self-signed certificates for HTTPS

    I want to enable HTTPS protocol with WebLogic Server 5.1
    I want to use a self signed certificate generated with the JDK keytool.
    I've successfully generated it and exported a dummy.cer file.
    I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
    and I've got this exception
    java.lang.NullPointerException:
    at weblogic.security.RSAKey.toString(RSAKey.java:203)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.security.X509.toString(X509.java:261)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
    at java.lang.Thread.run(Thread.java:479)
    mar. déc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration
    Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
    What's the right way to do this ?
    [dummy.cer]

    Hi Jerome,
    The certificate may have been generated incorrectly but I would suggest logging a support case.
    Kind Regards,
    Richard Wallace
    Senior Developer Relations Engineer
    BEA Support.

  • Self signed certificate for web service security !!

    I've created a self-signed certificate using keytool for web service security. But I'm unable to implement it from the client side. When I'm giving "dn=localhost" it's working fine. But when I'm giving anything other than that, it throws this error:
    java.io.IOException: HTTPS hostname wrong: should be <192.168.2.36>
    I don't know what the problem is. Could anyone tell me where I'm wrong? In the CN I've given my IP address. Please help me out.
    Do I need to do something else?

    Thanks for your kind help.
    But I followed the same steps that were given. Do I need to set something in NetBeans? I'm using NetBeans 5.5, Tomcat 5.5 and JDK 5. Still I'm getting the same error, "https hostname is wrong: it should be <192.168.2.278>", which is my IP address. I've created my self-signed certificate and given the path to it with System.setProperty("javax.net.ssl.trustStore","d:/keystore/auth.keystore"); and likewise for the password. Do I need to do something else?
    Please help me out in this regard. I'm just starting out with this technology.
    Thanks in advance.
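
The thread above reports that a certificate with CN=localhost is accepted while one whose CN is the server's IP address is rejected. One rule that produces exactly this pattern is RFC 2818 host matching: an IP-address host is compared only with iPAddress subjectAltName entries, and the CN is consulted only for DNS names when no dNSName entry exists. The following is an added Java example, not code from the posters; the class and method names are hypothetical, the certificate fields are constructed data rather than parsed certificates, and only IPv4 literals are handled.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added example on constructed data: RFC 2818 host matching for HTTPS clients.
public class HostMatchDemo {
    // subjectAltName type codes, as used by X509Certificate.getSubjectAlternativeNames()
    static final int DNS_NAME = 2, IP_ADDRESS = 7;

    static boolean isIpv4Literal(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // Case-insensitive DNS match; "*" is accepted only as the whole left-most label.
    static boolean matchDns(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // cn: subject CN (may be null); sans: SAN values grouped by type code.
    static boolean matches(String host, String cn, Map<Integer, List<String>> sans) {
        if (isIpv4Literal(host)) {
            // IP host: only an iPAddress SAN counts; the CN is never consulted.
            return sans.getOrDefault(IP_ADDRESS, List.of()).contains(host);
        }
        List<String> dns = sans.getOrDefault(DNS_NAME, List.of());
        if (!dns.isEmpty()) {
            // dNSName entries present: they decide, and the CN is ignored.
            return dns.stream().anyMatch(d -> matchDns(host, d));
        }
        return cn != null && matchDns(host, cn); // legacy CN fallback, DNS names only
    }

    public static void main(String[] args) {
        String ip = "192.168.2.36"; // address quoted in the thread
        Map<Integer, List<String>> none = Map.of();
        Map<Integer, List<String>> ipSan = Map.of(IP_ADDRESS, List.of(ip));
        System.out.println("CN=localhost, no SAN, host localhost: " + matches("localhost", "localhost", none));
        System.out.println("CN=" + ip + ", no SAN, host " + ip + ": " + matches(ip, ip, none));
        System.out.println("CN=" + ip + ", SAN ip, host " + ip + ": " + matches(ip, ip, ipSan));
        System.out.println("CN=" + ip + ", SAN ip, host localhost: " + matches("localhost", ip, ipSan));
    }
}
```

keytool in JDK 7 and later can add the entry when the key pair is generated, with `-ext san=ip:192.168.2.36`; the JDK 5 keytool mentioned in the thread has no such option.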
