This question has been asked several times, but none of the solutions work for me. I am running the DOS command window as Administrator, but when running the keytool command to install a certificate I get the error above:
C:\Program Files\Java\jdk1.8.0_191\jre\lib\security>keytool -import -file xxx.yyy.zzz.crt -alias xxxx.yyy.zzz.com -keystore cacerts -storepass changeit -noprompt
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: cacerts (Access is denied)
I'm on Windows 10 with JDK 1.8.0_191. Why would access be denied to the Administrator?
I have faced the same issue.
Here is the solution I found:
Copy the cacerts file to somewhere other than the Java folder [maybe the D drive or the desktop].
Update the path of the cacerts file in your command [stated in the question].
Run your query. [You won't get the IO exception.]
Then put the new cacerts file back in the original location.
"Run as administrator Command prompt" has fixed this issue at Windows.
My problem was that I did not have true admin rights to my Windows 10 laptop. I had enough permissions to install the JDK to the default location (which requires admin rights), but not enough rights to use keytool.
I uninstalled the JDK from the default location and reinstalled it in a directory that was not restricted to admin users. Then keytool worked properly.
Related
I have a Keycloak running inside a Docker container and I want to add a trusted certificate, so I SSHed into the container, copied the cert file and imported the certificate via keytool:
${JAVA_JDK}/jre/bin/keytool \
-import -trustcacerts \
-alias "efactory-nimble_salzburgresearch_at.crt" -file efac.crt \
-keystore ${JAVA_JDK}/jre/lib/security/cacerts \
-storepass changeit \
-noprompt
The response from keytool was:
Picked up _JAVA_OPTIONS: -Xmx256m -Xms50m
Certificate was added to keystore
Even after successfully importing the certificate, I'm getting this error in Keycloak:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
So my question is: does the JVM need to be restarted after adding the certificate inside a Docker container, and has anyone else come across this issue?
Yes, the JVM needs restart after adding the certificate to the keystore - look here: Imported certificate to Java keystore, JVM ignores the new cert.
Other than that, you should probably have a more "persistent" way to update the keystore, since it'll be gone after the container is removed.
After importing the DER file into the keystore as follows:
keytool -keystore my-release-key.keystore -importcert -file ~/Downloads/upload_cert.der -alias uploadcert
I get an error when trying to assemble the release APK:
trusted certificate entries are not password-protected
If I add
-protected
to the import, I get
keytool error: java.lang.IllegalArgumentException: password can't be null
and if I pass the password after -protected I get the usage help message.
Not sure how to pass the password.
Any idea if I am on the right path to sign with the Google upload certificate DER file?
I got the same problem, and the "password can't be null" problem may be passed by editing the command like:
keytool -keystore parkimayaz.keystore -importcert -file ~/Downloads/upload_cert.der -alias uploadcert -keypass "yourpass" -storepass "yourpass"
One more thing: I used characters like (',#,^) in the password part, which gave me some errors.
Also, please take a look at the Oracle keytool docs.
I recently downloaded and installed JMeter 2.11. Afterwards I tried the record functionality of the program, but that resulted in an error message:
“Could not create script recording proxy – see log for detail”.
I have tried modifying the “environment variables”, but that does not help.
In the log from the application the following message was shown:
2014/08/19 10:23:02 WARN - jmeter.protocol.http.proxy.ProxyControl: Could not open/read key store C:\apache-jmeter-2.11\bin\proxyserver.jks (The system cannot find the file specified)
2014/08/19 10:23:02 INFO - jmeter.protocol.http.proxy.ProxyControl: Creating Proxy CA in C:\apache-jmeter-2.11\bin\proxyserver.jks
2014/08/19 10:23:02 ERROR - jmeter.protocol.http.proxy.ProxyControl: Could not initialise key store java.io.IOException: Command :'keytool -genkeypair -alias :root_ca: -dname "CN=_ DO NOT INSTALL unless this is your certificate (JMeter root CA), OU=Username: TATG, C=US" -keyalg RSA -keystore proxyserver.jks -storepass {redacted) -keypass {redacted) -validity 7 -ext bc:c' failed, code: 1
Illegal option: -ext
Try keytool -help
at org.apache.jorphan.exec.KeyToolUtils.genkeypair(KeyToolUtils.java:168)
at org.apache.jorphan.exec.KeyToolUtils.generateProxyCA(KeyToolUtils.java:230)
I notice the proxyserver.jks is missing under the bin directory.
How can I resolve this problem or get a copy of this file (i.e. hack the directory)?
Read this, it answers exactly this issue:
https://wiki.apache.org/jmeter/TestRecording210
I have not set java_home and I need to know where the c:\Windows\System32\java.exe file points to.
I have several JDKs and JREs on my system.
The reason is that I am trying to connect via SSL to some server, and it works in NetBeans after I export the certificate in the appropriate JRE (which I can see via the NetBeans options).
However, when I connect via command-line, I get an SSL error. I tried adding the certificate to all my JREs but I cannot get it to work. I think it is a problem that this Windows shortcut points to some place I overlooked.
Is there an easy way to find out which JRE is the default one?
[EDIT] Or rather I need to find the location of the default keystore in the default JRE.
[EDIT] My problem is elaborated below:
The following two give an SSL error:
"c:\Program Files\Java\jre6\bin\java.exe" -cp myjar.jar mypackage.myclass
"c:\Program Files (x86)\Java\jre6\bin\java.exe" -cp myjar.jar mypackage.myclass
The following two work
"c:\Program Files\Java\jdk1.6.0_24\bin\bin\java.exe" -cp myjar.jar mypackage.myclass
"c:\Program Files (x86)\jdk1.6.0_24\bin\jre6\bin\java.exe" -cp myjar.jar mypackage.myclass
I have exported the certificate using all four commands:
"c:\Program Files\Java\jdk1.6.0_24\bin\bin\keytool.exe" -import -alias myalias -file mycertfile
"c:\Program Files (x86)\Java\jdk1.6.0_24\bin\bin\keytool.exe" -import -alias myalias -file mycertfile
"c:\Program Files\Java\jre6\bin\bin\keytool.exe" -import -alias myalias -file mycertfile
"c:\Program Files (x86)\Java\jre6\bin\bin\keytool.exe" -import -alias myalias -file mycertfile
So it seems that the keytool uses a different store than java.exe.
I would appreciate some help on this.
I found the solution. Thanks to this link.
It mentioned the location of the keystore. Surprisingly it took a bit of Googling.
The location is jre6\lib\security\cacerts
So I had to use the following command to import the certificate:
keytool.exe -import -alias myalias -file mycertfile -keystore "c:\Program Files\Java\jre6\lib\security\cacerts"
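The lookup behind this answer, as an added example that is not part of the original thread: a `keytool -import` with no `-keystore` writes to `.keystore` in the user's home directory, while an SSL client reads the file named by `javax.net.ssl.trustStore`, else `lib/security/jssecacerts`, else `lib/security/cacerts` under its own Java home. The function names and the directory layout below are constructed for illustration.

```python
# Added example: models which keystore file each tool touches (not from the thread).
import tempfile
from pathlib import Path


def security_dir(java_home):
    """JDK 8 and earlier nest the runtime under <jdk>/jre; a plain JRE does not."""
    root = Path(java_home)
    nested = root / "jre" / "lib" / "security"
    return nested if nested.is_dir() else root / "lib" / "security"


def jsse_truststore(java_home, system_props=None):
    """File the default JSSE trust manager loads, following its lookup order."""
    explicit = (system_props or {}).get("javax.net.ssl.trustStore")
    if explicit:                          # 1. the system property wins
        return Path(explicit)
    sec = security_dir(java_home)
    if (sec / "jssecacerts").is_file():   # 2. jssecacerts shadows cacerts
        return sec / "jssecacerts"
    return sec / "cacerts"                # 3. the bundled default


def keytool_target(user_home, keystore_arg=None):
    """keytool writes to -keystore if given, else to <user.home>/.keystore."""
    return Path(keystore_arg) if keystore_arg else Path(user_home) / ".keystore"


def import_reaches_jvm(java_home, user_home, keystore_arg=None, system_props=None):
    """True only if the import lands in the file this JVM will actually read."""
    wanted = jsse_truststore(java_home, system_props).resolve()
    return keytool_target(user_home, keystore_arg).resolve() == wanted


if __name__ == "__main__":
    # Constructed layout mirroring the question: a JRE and a JDK side by side.
    with tempfile.TemporaryDirectory() as tmp:
        base, home = Path(tmp), Path(tmp) / "home"
        for sec in (base / "jre6/lib/security", base / "jdk1.6.0_24/jre/lib/security"):
            sec.mkdir(parents=True)
            (sec / "cacerts").touch()
        for jvm in ("jre6", "jdk1.6.0_24"):
            store = jsse_truststore(base / jvm)
            print(jvm, "reads", store.relative_to(base))
            print("  import without -keystore reaches it:",
                  import_reaches_jvm(base / jvm, home))
            print("  import with -keystore <that file> reaches it:",
                  import_reaches_jvm(base / jvm, home, keystore_arg=store))
```

Each installed runtime has its own `cacerts`, so the import has to be repeated, with an explicit `-keystore`, for every runtime that will run the client.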
You should look at the "Java Application Runtimes Setting" from the Java tab of the Java Control Panel.
http://download.oracle.com/javase/1.5.0/docs/guide/deployment/deployment-guide/jcp.html
From this tab, you can disable/enable any running version and you can see what is the current system JVM version...
We've recently set up a Jenkins CI server on Windows. Now in order to use Active Directory authentication I'd like to require https (SSL/TLS) for access. Given this setup, what is the recommended way to do this?
Go to your %JENKINS_HOME% and modify the jenkins.xml. Where you see --httpPort=8080, change it to --httpPort=-1 --httpsPort=8080. You can make the ports anything you want, of course, but in my testing (a while ago, it may have changed), if you don't keep --httpPort=<something> then Jenkins will always use 8080. So if you simply change --httpPort=8080 to --httpsPort=8080, port 8080 will still use http.
Also, if you want to use your own certificate, there are some instructions at the bottom of this page.
http://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
Run:
keytool -genkey -keyalg RSA -keystore Jenkins.jks -alias [Name of website] -keysize 2048
Answer the questions remembering that First and last name is the website URL and should be lowercase. Example:
build.jenkins-ci.org
State or province cannot be abbreviated.
Run:
keytool -certreq -Keystore jenkins.jks -alias [Name of website] -file jenkins.csr -keysize 2048
Send Jenkins.csr to your cert provider and request a PKCS#7 cert which has a .p7b extension and starts with:
-----BEGIN PKCS #7 SIGNED DATA-----
Note: Trial certs are not normally available in .p7b format but you may be able to combine the .cer files using this tool which reported success but didn't work for me. (https://www.sslshopper.com/ssl-converter.html)
Run:
keytool -import -trustcacerts -file jenkins.p7b -keystore jenkins.jks -alias [Name of website]
Change the arguments node in Jenkins.xml to the following, respectively.
<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=-1 --httpsPort=443 --httpsKeyStore="%BASE%\Cert\Jenkins.jks" --httpsKeyStorePassword=[Cert password from step 1]</arguments>
Troubleshooting:
If Jenkins doesn't start read the last lines from Jenkins.err.log.
If Jenkins didn't start because of an issue with Jenkins.xml, replace the – (weird Windows hyphen) characters with an actual - (ASCII hyphen).
If Jenkins starts but the cert still reads as bad, make sure the [Name of website] is the actual URL without the https: example: https://build.jenkins-ci.org would be build.jenkins-ci.org.
If that isn't the issue inspect the .jks file using KeyStore Explorer. The "Certificate Hierarchy" should show that each cert is nested in another; This is to illustrate the cert chain. If it shows the certs next to each other then it's not correct.
If it won't start on a specific port, 443 for example, then verify IIS or another app isn't currently using the port.
If you can see the site on the PC it's hosted on, but not another PC, then verify you aren't getting blocked by a firewall.
Step 1: Create both the public and private certificate for your Jenkins name (convert them into a keystore file if they are not one already).
Step 2: Import the public certificate into your browser's certificate manager (import into all tabs).
Step 3: Host your Jenkins using the JKS file, which contains both the public and private key.
For the steps, refer to "Enable HTTPS in jenkins?"