Using keytool to import a certificate

I'm trying to import into the samplecacerts file a self-signed certificate generated for test purposes on my test web server.
The command I issued was:
keytool -import -alias mycert -file mycert.cer -keystore samplecacerts -trustcacert -storepass changeit
and the answer was:
keytool error: Signature not available
If I accept this certificate using my class that implements the interface X509TrustManager and get the data using HttpsURLConnection, all works fine.
I used two methods to export the certificate:
1. I exported it after accepting it in Internet Explorer
2. I wrote it from the method isServerTrusted as suggested by Aseem in his sample code (http://forum.java.sun.com/thread.jsp?forum=9&thread=14884&start=25&range=1&hilite=false&q=)
The two generated files are identical.
Can anyone help me?
Thanks
Aldo

I am having the same problem - and I don't understand the one reply you got.
So here goes. WHY can I easily import a self-signed certificate as a "trusted root" in IE, but I cannot import the same certificate into my cacerts file using keytool.exe? Keytool always gives the error, "Signature not available".
Can someone please tell me what the heck I am supposed to do? All I want to do is be able to connect to an https URL in my Java code and read the contents. I "trust" the darn server, but the keytool utility doesn't seem to "trust" me....
BTW, yes I am using JSSE, it's not a code problem it's a keytool problem.

Similar Messages

  • Can we automate importing certificate using keytool

    Hi,
    One of my application's requirement is to have a digital certificate at client side.
    Client performs the following tasks during the deployment of the application.
    1.Takes certificate from authorized CA
    2. Exports digital certificate as a cer file. (CER encoded binary X.509 Certificate)
    3.Use keytool (supplied with JRE) to import the certificate into keystore with an alias.
    Then only my application can load the certificate from keystore.
    Can we automate both step 1 and Step 2. ..?
    Or at least step 2 (because it requires the novice user to type some commands and needs a little knowledge about commands as well).
    Thanks in advance.

    Thanks for your quick reply.
    It's really useful for my requirement.
    I've a small doubt.
    As it said, before a keystore can be accessed, it should be loaded.
    There is a method called "setCertificateEntry" for setting / creating a certificate in the Keystore.
    I've a certificate issued by CA and imported it to a file (.cer file) through certificate manager.
    How do I create a Certificate from a .cer file?
    Thanks in advance
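The two questions above (creating a Certificate from a .cer file for setCertificateEntry, and trusting one self-signed test server from HttpsURLConnection without an accept-everything X509TrustManager) can be handled by the same few API calls. The following is an added example, not code from any poster; the class name, the STOREPASS environment variable and the argument order are assumptions, and it writes to a dedicated truststore file rather than the JRE's cacerts.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example. Class name, STOREPASS variable and argument order are assumptions.
public class TrustOneCert {

    // The X.509 CertificateFactory reads both binary DER and base64 (PEM) .cer files.
    static X509Certificate readCert(Path cerFile) throws Exception {
        try (InputStream in = Files.newInputStream(cerFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // SHA-256 fingerprint, for comparison with the value taken from the server's own copy.
    static String fingerprint(X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // A KeyStore must be loaded before use: from the file if present, else as an empty store.
    static KeyStore openOrCreate(Path store, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(store)) {
            try (InputStream in = Files.newInputStream(store)) { ks.load(in, pass); }
        } else {
            ks.load(null, null);
        }
        return ks;
    }

    // TLS context whose trust anchors are exactly the entries of the given keystore.
    static SSLContext contextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String storePass = System.getenv("STOREPASS");
        if (args.length < 3 || storePass == null) {
            System.err.println("usage: STOREPASS=... java TrustOneCert <cert.cer> <truststore> <alias> [https-url]");
            return;
        }
        X509Certificate cert = readCert(Paths.get(args[0]));
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-256: " + fingerprint(cert));

        Path store = Paths.get(args[1]);
        KeyStore ks = openOrCreate(store, storePass.toCharArray());
        ks.setCertificateEntry(args[2], cert); // adds a trusted-certificate entry under the alias
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, storePass.toCharArray());
        }
        if (args.length > 3) {
            HttpsURLConnection c = (HttpsURLConnection) URI.create(args[3]).toURL().openConnection();
            c.setSSLSocketFactory(contextFor(ks).getSocketFactory());
            System.out.println("HTTP " + c.getResponseCode());
        }
    }
}
```

HttpsURLConnection still applies its default hostname check, so the certificate has to name the host used in the URL.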

  • Cannot import certificate using keytool

    Hi,
    I used the below command to generate the key pairs and CSR:
    keytool -genkey -alias myalias -keyalg RSA -keystore .keystore
    keytool -certreq -keystore .keystore -alias myalias -file jetco.csr
    Then I copied the CSR and had it signed by the CA. The CA issued the certificate and I imported the certificate (filename: DownloadCert) with the following command:
    (the certificate from the CA is in V3 X.509 base64 encoded)
    keytool -import -alias myalias -file DownloadCert -keypass ****** -keystore .keystore -storepass ******
    Then I got the error : keytool error: java.security.cert.CertificateException: IOException: Sequence tag error.
    Does anyone know how to fix the above problem?
    Thank you very much! It is very urgent.... PLEASE!!!!
    VL

    u might not have saved the attachment properly. if u r
    using windows, can u c the certificate clearly by
    clicking on the file. the filename must end with a
    .cer extension so that u can double click on it.

    After I modified the content of the file from the CA, I can now import the certificate into a keystore file.
    Thank you for your help.
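A "Sequence tag error" means the parser did not find the DER SEQUENCE tag (0x30) where the certificate should start, which fits a base64 file that was altered when it was saved. The following added example (not from the thread) reports what a certificate file actually contains before it is handed to keytool; the class name, the list of conditions checked and the sample strings are constructed for illustration, and the thread does not say which condition applied.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

// Added example. Class name and sample data are constructed for illustration.
public class CertFileCheck {
    static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    static final String END = "-----END CERTIFICATE-----";

    // Describes what a file that is supposed to hold one X.509 certificate actually contains.
    static String diagnose(byte[] data) {
        if (data.length < 2) return "empty or too short";
        int b0 = data[0] & 0xFF, b1 = data[1] & 0xFF;
        if ((b0 == 0xFF && b1 == 0xFE) || (b0 == 0xFE && b1 == 0xFF)) {
            return "UTF-16 text: save the file again as plain ASCII";
        }
        if (b0 == 0xEF && b1 == 0xBB) return "UTF-8 byte-order mark in front of the data";
        if (b0 == 0x30) return "binary DER: starts with the SEQUENCE tag 0x30";

        String text = new String(data, StandardCharsets.ISO_8859_1);
        int begin = text.indexOf(BEGIN);
        int end = text.indexOf(END);
        if (begin < 0) {
            int other = text.indexOf("-----BEGIN ");
            if (other >= 0) {
                return "PEM, but not a certificate: " + text.substring(other).split("\\R", 2)[0];
            }
            return "neither DER nor PEM: no SEQUENCE tag and no BEGIN CERTIFICATE line";
        }
        if (end < begin) return "BEGIN line without a following END line: file is truncated";
        if (!text.substring(0, begin).trim().isEmpty()) return "extra text before the BEGIN line";

        String body = text.substring(begin + BEGIN.length(), end).replaceAll("\\s", "");
        try {
            byte[] der = Base64.getDecoder().decode(body);
            if (der.length == 0 || (der[0] & 0xFF) != 0x30) {
                return "base64 body does not decode to a DER SEQUENCE";
            }
        } catch (IllegalArgumentException e) {
            return "body between BEGIN and END is not valid base64";
        }
        return "PEM certificate block is well formed";
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            System.out.println(args[0] + ": " + diagnose(Files.readAllBytes(Paths.get(args[0]))));
            return;
        }
        // Constructed samples: fragments that only exercise each branch, not real certificates.
        String[] samples = {
            BEGIN + "\nMIIB\n" + END + "\n",
            "Your certificate is attached below.\n" + BEGIN + "\nMIIB\n" + END + "\n",
            BEGIN + "\nMIIB<br>\n" + END + "\n",
            "-----BEGIN CERTIFICATE REQUEST-----\nMIIB\n-----END CERTIFICATE REQUEST-----\n",
            "<html><body>Download your certificate</body></html>",
        };
        for (String s : samples) {
            System.out.println(diagnose(s.getBytes(StandardCharsets.ISO_8859_1)));
        }
        System.out.println(diagnose(new byte[] {0x30, (byte) 0x82, 0x01, 0x0A}));
    }
}
```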

  • Using keytool to generate self signed cert. for Microsoft Certificate Mrg.

    Hi All,
    I want to be able to generate a self signed certificate that I can Import into
    Microsoft's Certificate Manager, to enable an HTTPS Listener for
    Microsoft's WinRM and WinRS.
    The certificate would only be for internal use, not used externally.
    Here's the problem. I can create a certificate using this (path obscured):
    "C:\Program Files\.....\jre\bin\keytool" -genkey -alias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c5780353" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files\......\jre\lib\keystore\.keystore" -storepass changeit
    "C:\Program Files\......\jre\bin\keytool" -export -alias dMobX -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -storetype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.keystore" -storepass changeit -v
    Microsoft's Certificate Manager will accept it, the .cer, using "Import", into
    Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
    The WS-Management service cannot find the certificate that was requested.
    If I use another tool, like selfssl, I can generate a self signed certificate using:
    selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
    This will populate a certificate in Trusted Root Certification Authorities,
    and when I run the command to create the HTTPS Listener, it succeeds with
    no problem.
    So my question is, am I doing something wrong with keytool, or are there
    extra steps that I need to take, or is it even capable of generating a "self signed
    certificate" that will work in the above case?
    There are some concepts involved, certificate wise, that I'm not sure about.
    Do I need to create a CSR and use a tool like openssl, as a CA, and
    use the resulting certificate?
    I just want to be able to programmatically create the needed certificate using keytool, or
    using an API.
    Thanks,

    Download the latest JDK on http://download.java.net/jdk7/binaries/.
    Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning". If there are multiple ones, separate with comma).

  • Problem in installation of free SSL certificate on Weblogic using keytool

    We tried to install SSL certificate on weblogic certificate using Keystore ..but it is giving error in console at startup and server shutdowns automatically...
    Steps followed:-
    1) To generate keystore and private key and digital certificate:-
    keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
    2) To generate CSR
    keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
    3) CSR is uploaded on verisign site to generate free ssl certificate.All certificate text received is paste into file (cacert.pem)
    4) Same certificate is put into same keystore using following command
    keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
    5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
    (intermediateCa.cer file is downloaded from verisign site)
    keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
    6) After this configuration we used weblogic admin module to configure Keystore and SSL.
    7) For KeyStore tab in weblogic admin module, we have select option “Custom Identity And Custom Trust” provided following details under Identity and Trust columns:-
    Private key alias: mykey2
    PassKeyphrase: webconkeystorepassword
    Location of keystore: location of webconkeystore.jks file on server
    8) For SSL tab in weblogic admin module, we have select option “KeyStores” for “Identity and Trust locations”.
    Error on console:
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
    <Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    If anyone knows the solution, please help us out. Thanx in advance.
    I was really happy to get reply yesterday from "mv". I was not expecting such instant response.

    Thanx all guys for your interest and support.
    I have solved this issue.
    We have weblogic 9 on unix env.
    Following steps which I followed:
    #generate private key
    keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
    #generate csr
    keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
    Then we uploaded this csr on verisigns free ssl certificate to generate and receive certificate text.
    We copied that text into the "cert4nov2009.crt" file used below.
    Apart from that, the mail which we received from verisign also contains links to download the root ca certificate and intermediate ca certificate. We downloaded them.
    root ca in "root4nov2009.cer" file.
    intermediate ca in "intermediateca4nov2009.cer"
    both these files are used in
    #import root certificate
    keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
    #import intermediate ca certificate
    keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
    #install free ssl certificate
    keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
    #after this admin configuration
    In weblogic admin console module, we did following settings:-
    1. under Configuration tab
    a. Under KeyStore tab
    For keystore , we selected "Custom identity and Custom Trust"
    Under Identity,
    Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
    Custom Identity Keystore Type: JKS
    Custom Identity Keystore Passphrase: password for keystore mentioned above. In our case, webconkeystorepassword
    Same we copied Under "Trust", as we have not created separate keystore for trust.
    Save setting.
    b. Under SSL tab
    Identity and Trust Locations: select "Keystores"
    Private Key Alias: alias used while creating private key, i.e. in our case "uinbrdcsap01_apac_nsroot_net"
    Save setting.
    c. Under General tab
    Check checkbox "SSL Listen Port Enabled"
    and mention ssl port "SSL Listen Port"
    Save setting.
    After this activate changes. You might see error on admin module.
    Using command prompt, stop the server and again restart and then try to access using https and port ...
    you will definitely get output...
    in our case issue might be due to key size..we used 1024 key size ..it solve problem.
    for your further reference plz find link below..it is also helpful.
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674
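The BEA-090034 message above is about the identity alias, so it helps to confirm what that alias holds before restarting the server. The following added example (not from the posters or from WebLogic) checks that an alias is a private-key entry, that the key password opens it, and that its stored certificate chain is valid and links up to a self-signed root; the class name and the STOREPASS/KEYPASS environment variables are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example. Class name and the STOREPASS/KEYPASS variables are assumptions.
public class IdentityEntryCheck {

    // Returns the findings for one alias; an empty list means the entry is a private
    // key with a CA-issued, currently valid chain that ends in a self-signed root.
    static List<String> check(KeyStore ks, String alias, char[] keyPass) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!ks.containsAlias(alias)) {
            problems.add("alias not present in keystore");
            return problems;
        }
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias is a trusted-certificate entry and holds no private key");
            return problems;
        }
        try {
            ks.getKey(alias, keyPass);
        } catch (UnrecoverableKeyException e) {
            problems.add("key password does not open the private key");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            problems.add("no certificate chain stored with the key");
            return problems;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            // Each certificate must be signed by the next; the last one by itself (a root).
            X509Certificate issuer = (X509Certificate) chain[Math.min(i + 1, chain.length - 1)];
            String name = "chain[" + i + "] " + cert.getSubjectX500Principal().getName();
            try {
                cert.checkValidity();
            } catch (GeneralSecurityException e) {
                problems.add(name + ": expired or not yet valid");
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                problems.add(name + (i + 1 < chain.length
                        ? ": not signed by the next certificate in the chain"
                        : ": chain does not end in a self-signed root"));
            }
        }
        if (chain.length == 1 && problems.isEmpty()) {
            problems.add("chain is a single self-signed certificate: no CA reply imported on this alias");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        String storePass = System.getenv("STOREPASS");
        String keyPass = System.getenv("KEYPASS");
        if (args.length != 2 || storePass == null) {
            System.err.println("usage: STOREPASS=... [KEYPASS=...] java IdentityEntryCheck <keystore> <alias>");
            return;
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, storePass.toCharArray());
        }
        char[] kp = (keyPass != null ? keyPass : storePass).toCharArray();
        List<String> problems = check(ks, args[1], kp);
        System.out.println(problems.isEmpty() ? "OK: identity entry is usable" : String.join("\n", problems));
    }
}
```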

  • How to use "keytool" generated certificates in B2B

    Hi,
    I have generated few certificate stores(files containing private key and trust certificate) in ".jks" format and exported client certificate from them in ".der" format using "keytool" commands in java. Now I want to use them for SSL authentication.
    Is there any possible way of doing this ?
    I tried to open these keystores in Wallet Manager but it did not accept those keystores. Even I tried to create a keystore with name "ewallet.pk12" (in PKCS12 format) but wallet manager did not accept it's password.
    Please provide a solution if it exists.
    Thanks in advance.
    Regards,
    Anuj Dwivedi

    Hi,
    If you are generating key/certificates may be you could make the "keytool" to generate the keystore in PKCS12 format. This format can be opened using Oracle Wallet Manager. Here's the command,
    keytool -genkey -keyalg "RSA" -keystore ewallet.p12 -storepass welcome1 -storetype PKCS12
    The above command would create a wallet in the current directory and the same can be opened in the "Oracle wallet manager".
    Other Approach:
    If you want to export just certificates alone from "JKS" format keystore and add it to the ewallet.p12 as a trusted entry, you can very well do that.
    One thing to note here, make sure keys are generated using algorithm "RSA". Sample commands below,
    1. keytool -genkey -keyalg RSA -keystore test.jks
    2. keytool -export -file test.crt -keystore test.jks
    3. You could import the certificate "test.crt" created in the previous step to ewallet.p12 using "Oracle wallet manager".
    Regards,
    Sinkar
    [From Ramesh Team]

  • Trying to create a certificate file using keytool -help!

    Hi, I've followed a series of instructions using Terminal to create a certificate. Terminal produced a file and when i open it using Text Edit its about 20 lines long worth of code. I was hoping it would provide a certificate I could use. Maybe it has, I just don't know what I'm looking for!
    Im working in Viewer Builder and I'm in the Provisioning tab trying to enter the "Application ID"
    I'm totally stuck here. Please help!

    I'm using DPS pro. My app is for Android but won't be going as far as Google Play or Amazon. It's for internal use so I want to create an APK file to distribute via email. These are the set of instructions I'm following. I'm struggling to get this to work. What should I see when this has worked? Also what do I need to enter for the Application ID?
    Thanks for your help
    (Mac OS) Create a certificate file using Keytool
    Open Terminal, which is located in the Applications > Utilities folder.
    Type (or paste) the following line (replace “myname.key.p12” with the actual name of your certificate):
    keytool -genkey -v -keystore myname.key.p12 -alias alias_name -keyalg RSA -keysize 2048 -storetype pkcs12 -validity 10000
    Specifying “10000” sets the expiration date after 22 October 2033.
    Enter and reenter a password. Until the Viewer Builder supports the creation of custom Android apps, it's necessary to share this password with Adobe. Create a password that you can share.
    Follow the prompts to specify the certificate information.
    When prompted to confirm choices, enter yes, and then press Return to use the same password.
    A certificate is created in your prompt location, such as your user name folder. Copy this certificate file to a known location. Write down the password as well.

  • How to create a certificate using keytool / terminal?

    I have problems with creating certificates using the terminal. I use the instructions below and typed in all the required information. When it asks me to type "yes" and confirm, the whole process just starts from the beginning over and over and I have to type in the same things. What do I do wrong? How do I confirm the information I typed in?
    I am trying to create a certificate to sign apps for GooglePlay and Amazon. I am using DPS Professional.
    Thanks for help!
    Instructions:
    (Mac OS) Create a certificate file using Keytool
    Open Terminal, which is located in the Applications > Utilities folder.
    Type (or paste) the following line (replace “myname.key.p12” with the actual name of your certificate):
    keytool -genkey -v -keystore myname.key.p12 -alias alias_name -keyalg RSA -keysize 2048 -storetype pkcs12 -validity 10000
    Specifying “10000” sets the expiration date after 22 October 2033.
    Enter and reenter a password. Until the Viewer Builder supports the creation of custom Android apps, it's necessary to share this password with Adobe. Create a password that you can share.
    Follow the prompts to specify the certificate information.
    When prompted to confirm choices, enter yes, and then press Return to use the same password.
    A certificate is created in your prompt location, such as your user name folder. Copy this certificate file to a known location. Write down the password as well.

    It could be access/rights issue. Enable root user and try again.

  • How do we create certificate with .pem extension using keytool

    Hai all,
    please tell me the procedure to create certificates using keytool with .pem extension.

    I don't think keytool can do this, try OpenSSL:
    openssl pkcs12 -in test.p12 -out test.pem
    David

  • How to add a certificate to keystore using keytool?

    Hi all,
    I am trying to connect a server from my application which requires a certificate for secure connection.
    I am using Jdeveloper. Should I use command prompt and use keytool command after going to jdk home of jdeveloper and add the certificate?
    What password should I use?
    Sam

    Consult for example:
    http://www.thatsjava.com/java-tech/38248/
    http://www.oracle.com/technology/sample_code/tech/java/codesnippet/ejb/applettoejb/HowTo_Applet_talks_to_Session_bean.html
    http://oraforms.blogspot.com/2009/02/setting-up-jdeveloper-for-httpsssl.html
    NA
    http://nickaiva.blogspot.com

  • Is using the keytool to create a certificate safe?

    Hi,
    I am creating a client server app, and I want to use SSL throughout the whole connection. I am not worried about people not using the client application connecting to the server. So I was wondering if it was sufficient to just use the keytool to create my certificate. I.e. what is below:
    > java -Djavax.net.ssl.keyStore=mySrvKeystore -Djavax.net.ssl.keyStorePassword=123456 MyServer
    > keytool -keystore mySrvKeystore -keypasswd 123456 -genkey -keyalg RSA -alias mycert
    However, everywhere I see the keytool mentioned, they say, just use this for testing purposes. I am not sure if they are strictly referring to html type apps, or standalone apps as well (which is what I am developing).
    My goal is to ensure that my entire connection, and all transmissions are secure.
    thanks!

    It is not possible to do this, but this will solve your problem:
    Wireless-G Linksys Access Point
    Add High-Speed Wireless Access To Your existing Wired Network!
    This is not a router, so you are probably allowed to use this. This will bridge your ethernet signal to a wireless signal.
    Hopefully this is helpful or solved your problem.
    (please see the "helpfull" and "solved" button's above this message)

  • Can we fulfil our internal CA requirement using keytool?

    Hi
    Thank you for reading my post.
    is it possible for us to fulfil all of our requirement to test SSL stuff using keytool?
    for now what i can do is:
    create a key
    import/export it into cert / csr (pem)
    Why do we need to provide the csr to a CA to sign it for us?
    Is it really required to send a CSR to a CA to sign it for us?
    1-Can't we create a CA certification using keytool, import it into our trust_store?
    if we can do 1 then we can simply sign our CSR ourselves and it makes our life easier.
    Is there any tool that can help us do this?
    Thanks.

    If you want to trust a server, its certificate or that of one of its signers needs to be in your truststore. Conversely, if you want the server to trust you, your cert or that of one of its signers needs to be in the server's truststore. As you are talking about a self-signed certificate that means the cert itself must be in the server's truststore. If it's a Java server it can be put there with keytool -import, after you've exported it from your keystore with keytool -export.

  • Can not import Verisign certificate

    Dear all,
    I am trying to import a Verisign certificate in my ABAP BW 3.5
    Production system. This is a certificate renewal as I had a certificate there for a year that is to expire on the 12th of June. However, because of the fact that we had to change the SSL
    PSE so that it contains field SP, it is more like installing a new
    certificate.
    What I did: I deleted the old PSE that didn't have any information about the "State" field and created a new one.
    I then created the CSR request to Verisign. I received
    the response from Verisign, which I pasted in a text file together with the Verisign Intermediate and Verisign Root certificate which I used last year as well when I installed a Verisign certificate in this server for the first time.
    When I apply the response, by pasting the contents of the text
    file created above, I get the message:
    "CA Certificate missing in database"
    I have already looked at notes 508307, 518185, 510007, 1074447, 511919
    I am sure that the Verisign root and Intermediate certificates are ok because I have used them successfully in the past in the same server and recently to create the certificate chain for other system certificates of my EP 6.0 landscape.
    I am also sure that the Verisign CA root certificate exists in the
    database, I checked table STRUSTCERT and it is there. Also, if it didn't exist, I wouldn't have been able to import the Verisign certificate last year.
    I haven't restarted ICM so the previous certificate still works. After the 12th of June though it will expire and all functionality based on HTTPS in BW will not work.
    Many thanks in advance for your help
    Regards
    Andreas

    Just created a new SSL PSE and imported the certificate chain again and this time it worked...

  • While importing a certificate I'm getting an error. What to do?

    I am trying to import a certificate, but after filling in my password I am getting the following error:
    PKCS #12-processing failed, reason unknown.
    (I translated this from Dutch, so it may not literally be the same...)
    Hope someone out there knows what to do...

    You can contact the iTunes Store Customer Service department at no charge using the form on their Support page (select the category and subcategory closest to the issue you're reporting and you'll find an "Email Us" button) and explain your problem to them.
    Copied from Varjak Paw in :https://discussions.apple.com/thread/2598671

  • Help needed in importing SSL Certificate

    Hi All,
    The SSL certificate in our application server has expired. We have created a new certificate and imported it through oracle wallet manager. But the application server is not recognizing the new certificate. Still shows certificate error when we try to access the application via https.
    We are using oracle application server 10.1.2.0.2
    I don’t have much knowledge on application server.
    Please help me on this.
    Thanks in Advance,
    Jey

    Hi Jeykrishnan,
    The installation consists of three main parts:
    a) Importing the Primary Root CA
    b) Import the Intermediate Certificate and Cross Certificate
    c) Installing your SSL123 certificate
    a) Importing the Primary Root CA
    1. Launch Oracle Wallet Manager.
    2. Click Operations and select Import Trust Certificates from the menu
    3. When the Import Trusted Certificate window appears, click Paste the Certificate and click OK.
    4. When the message "Please provide a base64 format certificate and paste it below" appears, paste the entire contents of Primary Root CA text into the box and click OK.
    5. A message should appear that the import was successful and you will see the Root Certificate at the bottom of the Trusted Certificates tree.
    b) Importing the Intermediate and Cross certificates
    1. Launch the Oracle Wallet Manager.
    2. Click Operations > Import Trust Certificates from the menu.
    3. When the Import Trusted Certificate window appears, click Paste the Certificate and click OK.
    4. When the message "Please provide a base64 format certificate and paste it below" appears, paste the entire contents of the Intermediate Certificate text into the box and click OK.
    5. A message should appear that the import was successful and you will see the Intermediate Certificate at the bottom of the Trusted Certificates tree.
    6. Repeat the same steps for the Cross certificate
    c) Importing your SSL123 certificate
    1. Click Operations > Import User Certificate from the menu bar.
    2. The Import Certificate dialog appears.
    3. Select the Paste the Certificate radio button, and click OK.
    4. The Import Certificate dialog appears.
    5. Paste the entire contents of your SSL123 Certificate file and click OK.
    6. A message should show that the certificate was imported successfully.
    7. When you return to the main window, wallet status should show "Ready."
    Regards
    FAbian
