Java/keystore

From Omnia
Jump to navigation Jump to search

Notes

READ: Dealing with java keystores - http://www.startux.de/index.php/java/44-dealing-with-java-keystoresyvComment44


keytool - Key and Certificate Management Tool [1]

The cacerts Certificates File

A certificates file named "cacerts" resides in the security properties directory, java.home\lib\security, where java.home is the runtime environment's directory (the jre directory in the SDK or the top-level directory of the Java 2 Runtime Environment).

The "cacerts" file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying "jks" as the keystore type. The "cacerts" keystore file ships with several root CA certificates with the following aliases and X.500 owner distinguished names

The initial password of the "cacerts" keystore file is "changeit". System administrators should change that password and the default access permission of that file upon installing the SDK.

# to create a custom keystore
keytool -import -file MYCERT.cer -keystore /etc/keystore

# to use the custom keystore
-Djavax.net.ssl.trustStore=/etc/keystore
# Update default keystore
cp /usr/java/jdk1.5.0_14/jre/lib/security/cacerts /usr/java/jdk1.5.0_14/jre/lib/security/cacerts.original
keytool -import -file /root/tomcat.oeey.com.der.crt -keystore /usr/java/jdk1.5.0_14/jre/lib/security/cacerts

Verisign’s New Intermediate CA and You [2]

Import the CA Certificate into cacerts

keytool -import -keystore <JAVA_HOME>jre\lib\security\cacerts -file NewVerisignIntermediateCA.cer

The default cacerts password is “changeit”.

Import the Signed Certificate into the Keystore

keytool -import -keystore <keystore> -alias <alias> -file cert.cer -trustcacerts

Other References:

Java's Keytool and Client Digital Certificates [3]

Quick Import

To import key to custom keystore (use any password):

$ keytool -import -keystore /keystore -alias localhost -trustcacerts -file localhost.der.crt

To view that the key was imported to keystore (use password entered when creating keystore):

$ keytool -list -keystore /keystore

To use custom keystore, append this to application startup parameters:

-Djavax.net.ssl.trustStore=/keystore

Default Keystore

"Obtaining a copy of the certificate in X.509 format requires Microsoft’s Internet Explorer. By placing the https URL into the browser window, a dialog will pop up requesting permission to accept the certificate. Click the View Certificate button and then the Details tab. In this tab, click the Copy to File button, then click Next and select the Base-64 encoded X.509 (.CER) option. After that, click Next to save the resulting file." [4]

The default keystore is located:

.../jre/lib/sercurity/cacerts
password: changeit

To import a certificate into the default keystore:

cd .../jre/lib/security/
keytool.exe -import -storepass changeit -file mycert.cer -keystore cacerts -alias mycert

Keytool

View certificates

$ keytool -list -keystore <keystore>
$ keytool -list -v -keystore <keystore>

Conversion from Apache PEM to Java Keytool

Converting the certificate is easy. Converting the private key is less so.

The .crt files provided by the CA do not need conversion, as they are in a standard format.

Convert openssl to keytool using Jetty:

# convert to pkcs12
openssl pkcs12 -export -in [domain].crt -inkey [domain].key -out keystore.pkcs12
# convert to java keystore (jks)
# wget ftp://ftp.mortbay.org/pub/jetty-6.1.x/jetty-6.1.3.zip
wget http://dist.codehaus.org/jetty/jetty-6.1.x/jetty-6.1.3.zip
unzip jetty-6.1.3.zip
java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
# verify
keytool -list -v -keystore keystore.jks
# rename default alias of '1' to something else like 'tomcat'
keytool -keyclone -keystore keystore.jks -alias 1 -dest tomcat
keytool -delete -keystore keystore.jks -alias 1

Godaddy Converion (for mail and jira server with intermediate chain) [8]:

keytool -import -keystore keystore.jks -alias godaddy -trustcacerts -file [godaddy].crt
cp keystore.jks ~/.keystore
wget https://certs.godaddy.com/repository/gd_bundle.crt
openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> \
  -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit

# Add the following directives to the Connector tag:
  keystoreFile=<path to>/keystore.tomcat
  keystorePass="changeit"
  keystoreType="PKCS12"

If you only need to import a certificate (not private key), this is easy: [9]

keytool -import -alias [alias] -keystore cacerts -file [cert.pem]

Makefile:

all:
        cat TrustedSecureCertificateAuthorityDV.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt
        rm tomcat.keystore
        openssl pkcs12 -export -chain -CAfile bundle.crt -in ssl.oeey.com.crt -inkey ssl.oeey.com.key -out tomcat.keystore
-name tomcat -passout pass:PASSWORD
        cp tomcat.keystore /etc

Conversion from Java Keytool to Apache PEM

encryption - Converting a Java Keystore into PEM Format. - Stack Overflow

http://www.google.com/#sclient=psy&q=convert+java+keystore+to+pem

keytool -keystore foo.jks -genkeypair -alias foo \
       -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'
keytool -keystore foo.jks -exportcert -alias foo | \
      openssl x509 -inform der -text
keytool -importkeystore -srckeystore foo.jks \
      -destkeystore foo.p12 \
      -srcstoretype jks \
      -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem
openssl x509 -text -in foo.pem
openssl dsa -text -in foo.pem


Command summary - to create JKS keystore:

keytool -keystore foo.jks -genkeypair -alias foo \
   -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'

Command summary - to convert JKS keystore into PKCS#12 keystore, then into PEM file:

keytool -importkeystore -srckeystore foo.jks \
  -destkeystore foo.p12 \
  -srcstoretype jks \
  -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem

if you have more than one certificate in your JKS keystore, and you want to only export the certificate and key associated with one of the aliases, you can use the following variation:

keytool -importkeystore -srckeystore foo.jks \
  -destkeystore foo.p12 \
  -srcalias foo \
  -srcstoretype jks \
  -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem

Command summary - to compare JKS keystore to PEM file:

keytool -keystore foo.jks -exportcert -alias foo | \
  openssl x509 -inform der -text
openssl x509 -text -in foo.pem
openssl dsa -text -in foo.pem


Well, OpenSSL should do it handily from a #12 file:

openssl pkcs12 -in pkcs-12-certificate-file -out pem-certificate-file
openssl pkcs12 -in pkcs-12-certificate-and-key-file -out pem-certificate-and-key-file

References

Sample of PKIX error

How to Import a Certificate into your Java Keystore

How to Import a Certificate into your Java Keystore
Author: Kenneth Burgener
Created: 2007.06.28

Summary

When you attempt to access a website protected by SSL (HTTPS) that is not trusted, the browser is kind enough to present you with a warning message, and give you the opportunity to accept the certificate. Java, by default, is not as nice. The default behavior for the Java connector attempting to access an untrusted certificate is to throw an exception. This exception generally looks like this:

Caused by: javax.net.ssl.SSLHandshakeException :
  sun.security.validator.ValidatorException: PKIX path building failed:
  sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To resolve this issue, there are two options. You can either override the Java connector behavior (requires modifying code), or you can import the untrusted certificate into a keystore and implicitly trust the certificate.

Override Java Connector Behavior

Since this is probably not the preferred method I will simply provide some references here. One example of why you may want to change the default behavior would be if you would like to provide a prompt to the user asking if they wish to accept the certificate, much as any Internet browser would.

References

Customizing SSL in HttpClient
http://jakarta.apache.org/commons/httpclient/sslguide.html

SSL and Self Signed Certs
http://weblogs.java.net/blog/rbair/archive/2006/10/ssl_and_self_si_1.html

How to make JVM to accept self-sign certificate from server
http://forum.java.sun.com/thread.jspa?threadID=735919&messageID=4228600

Java Certification Path API Programmer's Guide
http://java.sun.com/j2se/1.4.2/docs/guide/security/certpath/CertPathProgGuide.html

Importing Certificate into a Keystore

A keystore is simply a Java container file which contains certificates and private keys. To import a certificate into a keystore, you will use "keytool". Key management in Java is done with the "keytool" application.

keytool - Key and Certificate Management Tool
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

The first step will be to obtain a copy of the certificate you wish to import. This is done easily with Internet Explorer. Simply visit the site you wish to obtain the certificate from. Since the certificate is untrusted, you will be presented with a warning message. Accept the warning. The next step is to click on the "lock" icon in your browser (bottom right of window in IE6, top next to address bar in IE7).

Clicking on the lock will bring up a short message. Click on the "View Certificate" link. The first tab, titled "General" gives you the option to import the certificate into Internet Explorer's trusted list. This would be a good time to do this if you wish to be able to visit the site in the future without warnings. The second tab titled "Details" has a "Copy to File" button. Click on the "Copy to File" button to begin the certificate export wizard. Click next to be presented with the "Export File Format" options. Select "Base-64 encoded X.509 (.CER)" option and click next. Give the file a name and a location (ie. C:\mycert.cer) and click next. Click the finish button and the file will be exported. Now that we have a certificate we can import it into a keystore.

There are two keystore options for storing a certificate. We can import the certificate into a keystore that we create, and tell our application where to find the keystore in the startup parameters. The second option is to import the certificate into the JRE's default keystore.

Import Certificate to Custom Keystore

To create a custom keystore we will use the keytool application as such:

keytool -import -keystore c:\keystore -file c:\mycert.cer -alias mycert

The location of the keystore file is arbitrary. The alias simply needs to be a unique name in the keystore. This alias is what will be used to reference the certificate in the future.

To use the keystore with your Java application, simply append the following parameter:

-Djavax.net.ssl.trustStore=c:\keystore

If your application needs to modify the keystore, you will probably need to append the keystore password paremeter as well:

-Djavax.net.ssl.trustStorePassword=XXX

Now your application should work without SSL warning issues.

Import Certificate to Default Keystore

The Java JVM contains a default keystore which contains many root level CAs (Certificate Authorities), such as Verisign and Thawte. Certificates that are signed by these CAs are implicitly trusted by Java. We can add our self signed certificate to this keystore, which will then allow our certificate to be trusted by any Java application that uses this JVM. This keystore is located here:

$JVM_PATH/lib/security/cacerts

This could be something like one of the following, or it could be within your application's folder if a JVM was installed with the application:

C:\Program Files\Java\jdk1.5.0_08\jre\lib\security\cacerts
C:\Program Files\Java\jre1.6.0_01\lib\security\cacerts

To import a certificate to the default keystore we will use the keytool application as such:

keytool -import -keystore C:\Program Files\Java\jdk1.5.0_08\jre\lib\security\cacerts
    -file c:\mycert.cer -alias mycert -storepass changeit

The cacerts keystore contains a default password of "changeit". The location of the cacerts keystore file is dependent on the location of your JVM. The alias simply needs to be a unique name in the keystore. This alias is what will be used to reference the certificate in the future.

Now your application should work without SSL warning issues.

Other References

Testing with untrusted Https
http://www.testearly.com/2006/04/05/testing-with-untrusted-https/

See Also

SSL Certificates openssl keytool Java Keystore

keywords