(newbie) Importing certificate with keytool..?

Similar Messages

• Is there a way to make a self-signed client certificate with keytool...

  Is there a way to make a self-signed client certificate with keytool
  that will install successfully into the personal store in IE?

  hi,
  It is possible to make a self-signed client certificate with keytool and i am successfully using in my dummy application.
  The first thing you need to do is create a keystore and generate the key pair. You could use a command such as the following:
  keytool -genkey -dname "cn=Mark Jones, ou=JavaSoft, o=Sun, c=US"
  -alias business -keypass kpi135 -keystore C:\working\mykeystore
  -storepass ab987c -validity 180
  (Please note: This must be typed as a single line. Multiple lines are used in the examples just for legibility purposes.)
  This command creates the keystore named "mykeystore" in the "working" directory on the C drive (assuming it doesn't already exist), and assigns it the password "ab987c". It generates a public/private key pair for the entity whose "distinguished name" has a common name of "Mark Jones", organizational unit of "JavaSoft", organization of "Sun" and two-letter country code of "US". It uses the default "DSA" key generation algorithm to create the keys, both 1024 bits long.
  It creates a self-signed certificate (using the default "SHA1withDSA" signature algorithm) that includes the public key and the distinguished name information. This certificate will be valid for 180 days, and is associated with the private key in a keystore entry referred to by the alias "business". The private key is assigned the password "kpi135".
  Also please go through the http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
  This would help u better.
  bye,
  Arun

• Can we automate importing certificate using keytool

  Hi,
  One of my application's requirement is to have a digital certificate at client side.
  Client performs the following tasks during the deployment of the application.
  1.Takes certificate from authorized CA
  2. Exports digital certificate as a cer file. (CER encoded binary X.509 Certificate)
  3.Use keytool (supplied with JRE) to import the certificate into keystore with an alias.
  Then only my application can load the certificate from keystore.
  Can we automate both step 1 and Step 2. ..?
  Or atleast step 2 (because it requires the novice user to type some commands and needs little knowledge about commands as well).
  Thanks in advance.

  Thanks for your quick reply.
  Its really useful for my requirement.
  I've a small doubt.
  As it said, before a keystore can be accessed, it should be loaded.
  There is a method called "setCertificateEntry" for creating setting / creating certificate in Keystore
  I've a certificate issed by CA and imported it to a file(.cer file) through certificate manager
  How do I create Certificate from a .cer file.
  Thanks in advance

• Cannot import certificate using keytool

  Hi,
  I used the below command to generate the key pairs and CSR:
  keytool -genkey -alias myalias -keyalg RSA -keystore .keystore
  keytool -certreq -keystore .keystore -alias myalias -file jetco.csr
  Then I copied the CSR and signed by the CA. The CA issued the certificate and I import the certificate (filename: DownloadCert) with the following command:
  (the certificate from the CA is in V3 X.509 base64 encoded)
  keytool -import -alias myalias -file DownloadCert -keypass ****** -keystore .keystore -storepass ******
  Then I got the error : keytool error: java.security.cert.CertificateException: IOException: Sequence tag error.
  Does anyone know how to fix the above problem?
  Thank you very much! It is very urgent.... PLEASE!!!!
  VL

  u might not have saved the attachment properly. if u r
  using windows, can u c the certificate clearly by
  clicking on the file. the filename must end with a
  .cer extension so that u can double click on it.After I modified the content of the file from CA. Now I can import the certificate in a keystore file.
  Thank you for your help.

• Newbie import problems with Canopus ADVC300 - solid pink screen

  Plugged in the brand-new Canopus ADVC300 and connected up a Sony CCD-tr700 analog camcorder. Did all the recommended steps and pushed the start VTR button. Preview on both the Canopus Picture Controller software and the iMovie screen has good audio, but the video is a solid, non-moving screen of pepto-bismol pink.
  There's nothing in the very limited manual about what to do if the video doesn't appear after the four simple step instructions.
  Any suggestions from knowledgeable users will be GREATLY appreciated.
  jimmy
  PowerPC Dual G4   Mac OS X (10.4.6)  

  Just an initial suggestion: did you remember to switch the Canopus to analogue input? It has a tendency to default to digital.

• Root certificate issue with keytool (Tomcat)

  I have:
  - Created a certificate request
  - Sent the request to a CA (Verisign affiliate)
  - Received the certificate
  - Installed the certificate
  When I surf to the page that utilizes the certificate, I receive an error message:
  "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authoritues store"
  I use the certificate with Apache Tomcat. The root certificate is imported into the cacerts file. I use the following commands to prepare and install the certificate:
  keytool -genkey -dname "cn=somesite.com, ou=IT, o=SomeCompany, l=Stockholm, s=Sweden, c=SE" -keyalg "rsa" -alias SomeAlias -keystore D:\ssl\SomeFolder\keystore.jks -storepass SomePassword -validity 360
  keytool -certreq -alias SomeAlias -file D:\ssl\SomeFolder\MyCSR.csr -keystore D:\ssl\SomeFolder\keystore.jks -storepass SomePassword
  keytool -import -trustcacerts -alias SomeAlias -file D:\ssl\SomeFolder\MyCert.cer
  I don't see why I am having this problem. Please help me. I've spend several hours with different problems regaring the keytool utility, and the current certificate is valid for only three more days.
  Thanks in advance!
  Best regards,
  Bj�rn

  I am guessing that your ks file is not visible by the default config for Tomcat
  Check in your tomcat/conf/server.xml
  the config for the SSL Coyote Connector config block... you must specify the keystoreFile, maybe keystorePass... see http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html under Edit the Tomcat Configuration File
  -Jay

• How do we create certificate with .pem extension using keytool

  Hai all,
  please tell me the procedure to create certificates using keytool with .pem extension.

  I dont think keytool can do this, try OpenSSL:
  openssl pkcs12 -in test.p12 -out test.pem
  David

• Setting "Friendly name" with keytool

  Hi. I run Java 1.4.1 and Tomcat 4.1. Using keytool, I would like to generate a keystore which generates certificates that have a friendly name that I specify. For example, in Internet Explorer, after installing a certificate as a Trusted Root Authority, I would like to go to Tools->Contents tab->Certificates->Trusted Root Certification Authorities tab, and see under the "Friendly name" column the friendly name that I chose for a certificate. I don't see a -genkey option to specify a friendly name in the keytool help. If there's no way to directly change the certificate's friendly name with keytool, I can change the certificate's friendly name in IE. How may I then import the modified certificate into the keystore and have the webserver reference the keystore to return the modified certificate?
  Thank you.
  Raj

  Friendly Name is an attribute of the certificate defined in PKCS#9:
  5.5.1 Friendly name
  The friendlyName attribute type specifies a user-friendly name of the
  object it belongs to. It is referenced in [17].
  friendlyName ATTRIBUTE ::= {
  WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
  EQUALITY MATCHING RULE caseIgnoreMatch
  SINGLE VALUE TRUE
  ID pkcs-9-at-friendlyName
  where
  pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
                                   rsadsi(113549) pkcs(1) 9}
  pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}
  See RFC2985.
  If you add/change an attribute to an existing certificate its thumbprint (SHA-1 hash) will be changed.
  Apparently keytool can't change such attribute, but see its source at the SCSL J2SDK Source code.

• E-Sourcing importing Certificate to the Keystore

  Hi gurus
  We are currently stuck while we try to implement LDAP integration. We are trying to import the secure SSL certificate into the keystore under java home on our server and it is not recognising the imported certificate.
  Syntax we are using is:
  C:\j2sdk1.4.2_14\jre\bin>keytool -import -trustcacerts -alias us01.apmn.org -file D:\eso\keystore\agi76_ssl_response.crt -keystore C:\j2sdk1.4.2_14\jre\lib\security\cacerts
  It says successfully imported. However we are not able to Synchronize our Microsoft AD on 636 port.
  Our certificates are issued by a Certificate Server not an AD Domain controller. Does this matter?
  PLEASE HELP
  Thanks
  JS
  Edited by: JS on Jul 30, 2009 9:34 PM
  Edited by: JS on Jul 30, 2009 9:35 PM

  I finally succeeded in importing an image with a file location. The problem is the DataLocationID you had to provide. This is a GroupNode and it´s a hierarchical structure. You had to split the filename into the path components and create nodes in the tree for every component.

• Replacing SHA-1 certificate with SHA-2

  We have a certificate that needs to be replaced. It is currently SHA-1, and we wish to replace it with SHA-2. We created a new certificate request and have received the replacement. The Root certificate remains the same; we now have two intermediates, instead
  of the one for SHA-1; and we have a new certificate with the same CN. Server is running Windows Server 2008 R2 and IIS 7.5.
  Should I remove the existing intermediate and server certificates before adding the new ones?
  Can the two intermediate certs be imported in a single file, or do I need to import them individually?
  Thanks,
    John

  Thanks for the quick response.
  Our security group gets the certificates, we put in a ticket with the csr text. That team is far more conversant with the LAMPS infrastructure, not so much with IIS. What comes back is the CA Root, CA Intermediate (in this case 2, with SHA-1 it was a single
  file) and the CA Server cert. I was advised to generate a new csr, rather than a renewal, since we would be changing to SHA-2.
  Since the root certificate has not changed (I can only assume that it is still sha-1 2048), and the server cert is issued for the same name, I was concerned that the current intermediate certificate might munge up the chain somehow. I was planning to remove
  the old server cert and intermediate and then load the new ones. It seems the most prudent course of action.
  With regard to loading the two intermediate files as one file, that is how they recommend doing it with keytool, when loading the keystore for Apache, Tomcat, or Jetty.
  So I saw the link to your article on SHA-1 deprecation policy AFTER having gotten the new certificates...
  If I ran certutil and set it to use SHA256 as the default, am I to understand that a renewal request would have generated a SHA-2 request? Would it replace all the CAs from the root down?
  Cheers.

• How to use Self Signed certificate with SSLServerSocket?

  Hello to all.
  I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
  The server must have it's own certificate, clients don't need one.
  I started with this
  http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
  To generate key for the server and a self signed certificate.
  To sum it up:
       Create a new keystore and self-signed certificate with corresponding public/private keys.
  keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
       Export and examine the self-signed certificate.
  keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
       Import the certificate into a new truststore.
  keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jksThen in my server code I do
  System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
  System.setProperty("javax.net.ssl.keyStorePassword", "123456");
  SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
  SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
  Socket s = sslServerSocket.accept();I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
  Can it be a problem with the certificate? When using -validity <days> in keytool the certificate gets self-signed, so it should work if I'm not wrong.
  I have also tried this solution
  serverKeyStore = KeyStore.getInstance( "JKS" );
  serverKeyStore.load( new FileInputStream("/scratch/stores/server.jks" ),
       "123456".toCharArray() );
  tmf = TrustManagerFactory.getInstance( "SunX509" );
  tmf.init( serverKeyStore );
  sslContext = SSLContext.getInstance( "TLS" );
  sslContext.init( null, tmf.getTrustManagers(),secureRandom );
  SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
  SSLServerSocket ss = (SSLServerSocket)sf.createServerSocket( port );and still it doesn't work.
  So what am I missing?

  You were right. I corrected the mistakes in the server code, now it's
       private SSLServerSocket setupSSLServerSocket(){
            try {
                 SSLContext sslContext = SSLContext.getInstance( "TLS" );
                 KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
                 KeyStore ks = KeyStore.getInstance("JKS");
                 ks.load(new FileInputStream(_KEYSTORE), _KEYSTORE_PASSWORD.toCharArray());
                 km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
                  * Da usare con un truststore se serve autenticazione dei client
                  * TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
                 tm.init(ks);*/
                 sslContext.init(km.getKeyManagers(), null, null);
                 SSLServerSocketFactory f = sslContext.getServerSocketFactory();
                 SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(_PORT);
                 return ss;
            } catch (UnrecoverableKeyException e) {
                 e.printStackTrace();
            } catch (KeyManagementException e) {
                 e.printStackTrace();
            } catch (NoSuchAlgorithmException e) {
                 e.printStackTrace();
            } catch (KeyStoreException e) {
                 e.printStackTrace();
            } catch (CertificateException e) {
                 e.printStackTrace();
            } catch (FileNotFoundException e) {
                 e.printStackTrace();
            } catch (IOException e) {
                 e.printStackTrace();
            return null;
       }and on the client code
  private SSLSocket setupSSLClientSocket(){
       try {
            SSLContext sslContext = SSLContext.getInstance( "TLS" );
            /* SERVER
            KeyManagerFactory km = KeyManagerFactory.getInstance("SunX509");
            km.init(ks, _KEYSTORE_PASSWORD.toCharArray());
            KeyStore clientks = KeyStore.getInstance("JKS");
            clientks.load(new FileInputStream(_TRUSTSTORE), _TRUSTSTORE_PASS.toCharArray());
            TrustManagerFactory tm = TrustManagerFactory.getInstance("SunX509");
            tm.init(clientks);
            sslContext.init(null, tm.getTrustManagers(), null);
            SSLSocketFactory f = sslContext.getSocketFactory();
            SSLSocket sslSocket = (SSLSocket) f.createSocket("localhost", _PORT);
            return sslSocket;
       } catch (KeyManagementException e) {
            e.printStackTrace();
       } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
       } catch (KeyStoreException e) {
            e.printStackTrace();
       } catch (CertificateException e) {
            e.printStackTrace();
       } catch (FileNotFoundException e) {
            e.printStackTrace();
       } catch (IOException e) {
            e.printStackTrace();
       return null;
  }and added a System.out.println(sslSocket); after every incoming message (server side) and SSL is now fully working!
  So my mistakes were:
  [] Incorrect setup done by code
  [] Incorrect and insufficient println() of socket status
  Now that everything works, I've deleted all this manual setup and just use the system properties. (They MUST be set before getting the Factory)
  SERVER SIDE:
  System.setProperty("javax.net.ssl.keyStore", _KEYSTORE);
  System.setProperty("javax.net.ssl.keyStorePassword", KEYSTOREPASSWORD);
  SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
  SSLServerSocket sslServerSocket = (SSLServerSocket) f.createServerSocket(_PORT);
  CLIENT SIDE:
  System.setProperty("javax.net.ssl.trustStore", "/scratch/stores/client.jks");
  System.setProperty("javax.net.ssl.trustStorePassword", "client");
  SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
  SSLSocket sslSocket = (SSLSocket) f.createSocket(_HOST, _PORT);
  And everything is working as expected. Thank you!
  I hope my code will help someone else in the future.

• How to create a certificate using keytool / terminal?

  I have problems with creating certificates using the terminal. I use the instructions below and typed in all the required information. When it asks me to type "yes" and confirm, the whole process just starts from the beginning over and over and I have to type in the same things. What do I do wrong? How do I confirm the information I typed in?
  I am trying to create a certificate to sign apps for GooglePlay and Amazon. I am using DPS Professional.
  Thanks for help!
  Instructions:
  (Mac OS) Create a certificate file using Keytool
  Open Terminal, which is located in the Applications > Utilities folder.
  Type (or paste) the following line (replace “myname.key.p12” with the actual name of your certificate):
  1
  keytool -genkey -v -keystore myname.key.p12 -alias alias_name -keyalg RSA -keysize 2048 -storetype pkcs12 -validity 10000
  Specifying “10000” sets the expiration date after 22 October 2033.
  Enter and reenter a password. Until the Viewer Builder supports the creation of custom Android apps, it's necessary to share this password with Adobe. Create a password that you can share.
  Follow the prompts to specify the certificate information.
  When prompted to confirm choices, enter yes, and then press Return to use the same password.
  A certificate is created in your prompt location, such as your user name folder. Copy this certificate file to a known location. Write down the password as well.

  It could be access/rights issue. Enable root user and try again.

• How can i automate importing certificates?

  My company is using zScaler for web filtering and we are trying to figure out how we can import certificate into firefox. I have tried copying the cert.db from one machine to another but the problem is that the page only loads with text, which implies the certificate is half working. if we remove the cert and manually import the cert it works fine. we are trying to find a way to automate the deployment of this certificate to 100+ machines. Please advise if this is possible.

  I have not done this before, however there is posted information about with how to attempt this, for example: [http://community.spiceworks.com/how_to/show/15158-firefox-trust-a-local-certificate-authority-for-all-users-and-computers]
  There is also the ESR community that does this alot. Check out their lists for community questions [https://www.mozilla.org/en-US/firefox/organizations/]

• HPDM 4.6 - _Enroll Certificate with SCEP Task Template missing

  I recently upgraded our HP DM to v 4.6 as I was searching for a better way to deploy CA certificates to our t510 thin clients, and this version supports SCEP.
  I also downloaded the Client Kit ThinPro-4.4-SCEP-0.0.3 software (via the Template > Import > HP FTP Software Component Browser) and this is visible in the list of Task Templates.
  The problem I have is that the HP DM User Guide for this version outlines Enrolling Certificates using SCEP by double clicking on the _Enroll Certificate with SCEP task template, which I don't seem to have?
  How do I obtain this particular task template?

  I have already downloaded that add-on. It extracts to a .xar file, which I placed in the HP Smart Client Service\auto-update path. This is the add-on that gets pushed out to the clients at power-on.
  What I need is the _Enroll Certificate with SCEP Task Template for HPDM. I've tried the template import function but I don't seem to have the necessary .jar file?
  Am I missing something? I'm a bit of a noob with the HPDM software...

• Can't import certificate after eDir 8.8.2 upgrade

  Folks,
  I've trawled through most of the posts where this has been in issue,
  but I can't seem to get Tomcat to import the updated LDAP keystore
  certificate.
  Over the weekend I upgraded my NetWare 6.5 servers to eDirectory
  8.8sp2. The upgrade went smooth, and generally, everything is working
  fine *except* Tomcat. I get the following errors when my GroupWise
  server boots:
  192.168.0.4LDAP connectivity not found on ldap://localhost:636
  LDAP connectivity not found on ldap://192.168.0.4:636
  Please load NLDAP and then manually execute command:
  sys:/tomcat/4/bin/startup
  Please load NLDAP and then manually execute command:
  sys:/tomcat/4/bin/startup
  -config sys:/adminsrv/conf/admin_tomcat.xml java: Class
  com.novell.application.tomcat.util.tccheck.LDAPVer ifier exited succe
  ssfully java: Class
  com.novell.application.tomcat.util.tccheck.LDAPVer ifier exited
  successfully
  OK, so I try to run TCKEYGEN, the certificate will export, but Tomcat
  can't seem to import it:
  Error importing certificate to keystore: sys:\adminsrv\conf\.keystore
  com.novell.ecb.CommandException: Connection refused at
  com.novell.ecb.security.RetrieveHostCertificates.r etrieveHostCertific
  ates(Unknown Source) at
  com.novell.ecb.security.RetrieveHostCertificates.e xecute(Unknown Sour
  ce) at
  com.novell.application.tomcat.util.EDirectoryInteg rator.retrieveAllHo
  stCertificates(EDirectoryIntegrator.java:698) at
  com.novell.application.tomcat.util.EDirectoryInteg rator.performKeysto
  reWork(EDirectoryIntegrator.java:649) at
  com.novell.application.tomcat.util.EDirectoryInteg rator.integrate(EDi
  rectoryIntegrator.java:386) at
  com.novell.application.tomcat.util.EDirectoryInteg rator.main(EDirecto
  ryIntegrator.java:117) java: Class
  com.novell.application.tomcat.util.EDirectoryInteg rator exited
  successfully -----------------
  I've run PKIDIAG, exported a new copy of the trusted root certificate,
  place the IP address of the server into TCKEYGEN.NCF and
  sys:\tomcat\4\conf\server.xml to replace 'localhost', bounced the
  server several times, and just can't get the certificate to update.
  Anyone have a suggestion? Thanks!
  Bill Valaski
  Director of IT
  CDS Associates, Inc.
  Cincinnati, OH USA
  www.cds-assoc.com

  Hmmm, looks like an error with the LDAP Group not performing a dynamic
  update .....
  07:05:21 9ED6E1C0 LDAP: Dynamically upgrading LDAP Group object...
  07:05:21 9ED6E1C0 LDAP: LDAP Group attribute 'LDAP Allow Clear Text
  Password' not found, installing new default
  07:05:21 9ED6E1C0 LDAP: LDAP Group attribute 'ldapAttributeList' not
  found, creating default attribute map
  07:05:21 9ED6E1C0 LDAP: Failed to clear attribute 'ldapAttributeList'
  in UpdateMapList, ignoring non-fatal err = no such value (-602)
  07:05:21 9ED6E1C0 LDAP: Failed to create map list with 73 values in
  UpdateMapList, err = no such value (-602)
  07:05:21 9ED6E1C0 LDAP: Failed to create attribute map in
  UpgradeExistingLDAPGroup, err = no such value (-602)
  07:05:21 9ED6E1C0 LDAP: UpgradeExistingLDAPGroup failed in
  UpgradeLDAPGroupObject, err = no such value (-602)
  07:05:21 9ED6E1C0 LDAP: Could not complete dynamic upgrade, err = no
  such value (-602)
  07:05:21 9ED6E1C0 LDAP: Could not validate Group in ReadConfigFromDS,
  err = no such value (-602)
  07:05:21 9ED6E1C0 LDAP: Could not update server configuration, err =
  no such value (-602)
  OK, this gives me a little more to try and trace through the TIDs.
  Thanks!
  Bill
  On Tue, 29 Jul 2008 21:19:45 GMT, "Marcel Cox"
  <[email protected]> wrote:
  >Bill Valaski wrote:
  >
  >>192.168.0.4LDAP connectivity not found on ldap://localhost:636
  >
  >Your problem is not that tomcat doesn't have the right certificate but
  >rather that NLDAP is not even listing on the secure LDAP port.
  >To debug this, you might try the following:
  >
  >unload nldap
  >set dstrace=on
  >set dstrace=-all
  >set dstrace=+ldap
  >load nldap
  >
  >Now switch to the dstrce screen and see if you have any errors.