keytool asks for password despite -noprompt and -keypass is set - bash

I'm trying to create an installation script that reads data out of an .ini file and writes it into several configuration files. One step is to create an SSL key via keytool and to request its certification (create a csr-file). I now have the problem that keytool asks for the password instead of using the provided one (in the variable $keyStorePassword), although I also have activated -noprompt. I would be glad if anyone could help.
keytool -genkey -noprompt -keyalg RSA -keysize 2048 \
-dname "CN=${HOSTNAME}-${microserviceName}-${environment}, O=${organizationName}, L=${localityName}, S=${stateName}, C=${country}" \
-validity ${validity} -keypass ${keyStorePassword} -keystore ${keyStorePath} -alias ${microserviceName}-ssl
keytool -certreq -keyalg RSA -file ${microserviceName}.csr -keystore ${keyStorePath} -alias ${microserviceName}-ssl
I've already searched the web but the problem doesn't seem to be common.

There are two parameters for passwords:
-keypass: The password for the key.
-storepass: The password for the keystore.
Each key entry in a Java keystore has its individual password, so you have to provide both the keystore password and the key password when generating a new key or accessing a key.
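Added example, not part of the original question or answer: a script function that passes both passwords to `-genkeypair` and `-certreq` through keytool's `:env` modifier, so the script never prompts and the secret does not appear in the process list. `KEYSTORE_PASS`, `KEY_PASS` and `KEYTOOL` are assumed variable names, and the values in the guarded call at the end are constructed.

```shell
#!/bin/sh
# Added example. KEYSTORE_PASS, KEY_PASS and KEYTOOL are assumed names.
KEYTOOL=${KEYTOOL:-keytool}   # overridable so a stub can stand in for keytool

# Refuse to start if a password is missing: -noprompt did not stop the
# password prompt in the question, so an unset variable would block the script.
require_passwords() {
  if [ -z "${KEYSTORE_PASS:-}" ]; then
    echo "KEYSTORE_PASS is not set" >&2; return 1
  fi
  if [ "${#KEYSTORE_PASS}" -lt 6 ]; then   # keytool rejects shorter passwords
    echo "KEYSTORE_PASS must be at least 6 characters" >&2; return 1
  fi
  # keytool does not support a key password that differs from the store
  # password for PKCS12 (the default type since Java 9), so default to it.
  : "${KEY_PASS:=$KEYSTORE_PASS}"
  export KEYSTORE_PASS KEY_PASS            # :env reads keytool's environment
}

# create_key_and_csr NAME KEYSTORE DNAME VALIDITY_DAYS
create_key_and_csr() {
  name=$1; keystore=$2; dname=$3; validity=$4
  require_passwords || return 1
  # -storepass opens the keystore, -keypass protects the key entry; both are
  # given as variable *names*, so the secret never appears in argv.
  "$KEYTOOL" -genkeypair -noprompt -keyalg RSA -keysize 2048 \
    -alias "${name}-ssl" -dname "$dname" -validity "$validity" \
    -keystore "$keystore" \
    -storepass:env KEYSTORE_PASS -keypass:env KEY_PASS || return 1
  # The CSR step reads the same key entry, so it needs the passwords too.
  "$KEYTOOL" -certreq -alias "${name}-ssl" -file "${name}.csr" \
    -keystore "$keystore" \
    -storepass:env KEYSTORE_PASS -keypass:env KEY_PASS
}

# Runs keytool only when asked: sh script.sh --run (constructed sample values)
if [ "${1:-}" = "--run" ]; then
  create_key_and_csr demo-service ./demo.p12 "CN=demo-service, O=Example, C=US" 365
fi
```

The `:file` modifier works the same way with a path to a file that holds the password.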

Related

Getting Invalid keystore format when running Springboot Application

Trying to use https for my springboot application and followed the below steps:
Created the keystore for the certificate and generated Private Key:
keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore keystore.jks
Generated the CSR with above keytool and private key
keytool -certreq -alias tomcat -file your.csr -keystore keystore.jks
Received and installed the certificate on the server successfully
keytool -import -trustcacerts -alias tomcat -file certificate.p7b -keystore keystore.jks -storepass ******
Configured the application with the below:
server.port=8443
server.ssl.key-store-type=JKS
server.ssl.key-store=/path/certificate.p7b
server.ssl.key-store-password=******
server.ssl.key-alias=tomcat
server.ssl.enabled=true
However I keep getting java.io.IOException: Invalid keystore format when I try to run the application.
Am I using the wrong store key type?
Do I have to use PKCS12 instead of JKS as keystore type?

How to add crt filepath for ConsumeMQTT in nifi processor

Currently I am adding the ca filepath into my mqtt server. To consume or publish I need to add this certificate into the nifi processor, but I could not find any option for adding a certificate in nifi.
So I tried to add one certificate property, but it throws an error.
@Chintamani You should import your certs into keystore or truststore for your SSL Context Service.
For Example:
/usr/jdk64/jdk1.8.0_112/bin/keytool -import -file certificate.cer -alias nifi -keystore truststore.jks
/usr/jdk64/jdk1.8.0_112/bin/keytool -import -trustcacerts -alias nifi -file certificate.cer -keystore keystore.jks
I usually put the files in /etc/nifi/ssl/ and be sure to chown them to nifi:nifi. Then in your controller service, put the path to the files, the type (JKS), the password.
https://nifi.apache.org/docs/nifi-docs/components/org.apache.nifi/nifi-ssl-context-service-nar/1.5.0/org.apache.nifi.ssl.StandardRestrictedSSLContextService/index.html
You can't provide the certificate file to Nifi directly. You'll need to create a keystore or truststore that contains your certificate or a certificate higher in the certification path. For instance, if certificate A signed certificate B and certificate B signed your certificate, you could add certificate A or B or your certificate to a truststore. Let's say you used LetsEncrypt.org to sign your certificate. You could browse to LetsEncrypt.org and download their certificate and add that to your truststore. Once you have the certificate file, you can add it to an existing truststore or create a new one in one command using the Java Keytool (available with a JDK or JRE):
keytool -import -alias YOUR_ALIAS -file CERTIFICATE_FILE -storetype TYPE -keystore MY_TRUST_STORE_FILE
For Example:
keytool -import -alias Chintamani_Alias -file Chintamani.cer -storetype JKS -keystore Chintamani.truststore
This command will create Chintamani.truststore with the password you provide if the file doesn't already exist. Then you provide the path to the truststore, the truststore password and set the truststore type (JKS in the example above).
And make sure:
Your MQTT processor is using ssl:// in the Broker Uri
Your StandardSSLContextService or StandardRestrictedSSLContextService is enabled
Your MQTT processor is configured to use your SSL Context Service
or you might see errors like:
o.a.nifi.processors.mqtt.ConsumeMQTT ConsumeMQTT[id=<GUID>] Connection to <YOUR URL>:8883 lost (or was never connected) and connection failed. Yielding processor: java.net.SocketException: Connection reset
? causes: Connection lost (32109) - java.net.SocketException: Connection reset
org.eclipse.paho.client.mqttv3.MqttException: Connection lost
at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:190)

How make Self-Signed certificate trusted from remote connection

I created a self-signed certificate using these commands
sudo keytool -genkeypair -alias <MyAlias> -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore <MyCert>.p12 -validity 3650
sudo keytool -genkeypair -alias <MyAlias> -keyalg RSA -keysize 2048 -keystore <MyCert>.jks -validity 3650
sudo keytool -importkeystore -srckeystore <MyCert>.jks -destkeystore <MyCert>.p12 -deststoretype pkcs12
which created a P12 file and a jks file.
If I log in to my server remotely, the connection is blocked and an error is shown that indicates your connection is not private, because the certificate is not trusted.
How can I fix this issue?
Maybe I should chain the certificate to another certificate? (example: using Let's Encrypt)?
Create a Certificate Authority
You can create a Certificate Authority certificate and then sign a certificate with your own CA and then add your CA to the system keychain.
More on that at https://gist.github.com/Soarez/9688998
Use a Let's Encrypt client
... however, it's probably much easier to use a Let's Encrypt client.
I'm the author so you can take my opinion with a grain of salt, but Greenlock is about the easiest suite of Let's Encrypt / ACME tools available.
Browser-based client
https://greenlock.domains
If you use the DNS challenge you can easily get certs for private domains with internal IP addresses as well.
CLI Clients
If you want it automatic you could use something like Greenlock CLI or Greenlock Express (for node.js)
There's also certbot, but it can be more difficult to install due to its size, various dependencies, and RAM usage. Greenlock is only about 100kb and has no external dependencies, so it works fine on home servers and memory constrained IoT devices (which is exactly the problem I had when I first wrote it).

How do I generate X.509 certificate from key generated by openssl

I've a web server running on an ec2-instance which internally calls a REST server that is built using Spring Boot. Now, I am trying to get this REST server running under SSL. Here's what I've done so far:
1) Created a CSR & a key file using this command
openssl req -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
2) Copied 'csr' to get SSL certificate from GoDaddy.
3) Successfully installed the certificate under Nginx on my ec2-instance.
4) When I hit the home page under https, it works. I no longer get 'Not secure' message from the browser.
5) Login fails because it makes a REST call but REST server is not running under SSL so I am trying to get it running under SSL.
6) Ran following commands:
keytool -import -alias mydomain -keystore tomcat.keystore -trustcacerts -file mydomain.com.chained.crt
keytool -import -alias mydomain-key -keystore tomcat.keystore -trustcacerts -file mydomain.key
The previous command gives me an error message:
"keytool error: java.lang.Exception: Input not an X.509 certificate"
But this was the one created in step 1 above & the same file works under Nginx. What am I missing (other than the fact that I know very little about setting up SSLs!)? I need the second command to specify the value of 'server.ssl.keyAlias' in application.properties, I believe.
Not really an answer but overflowed comment.
You don't need to 'generate' an X.509 cert; you already got that from GoDaddy. If (and only if) the SpringBoot server is accessed by the same name(s) as (external) nginx -- which is unclear to me -- you need to convert the pair of private key AND certificate CHAIN from PEM format to a format Java uses. See:
How to import an existing x509 certificate and private key in Java keystore to use in SSL?
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
How to use .key and .crt file in java that generated by openssl?
Importing the private-key/public-certificate pair in the Java KeyStore
maybe Import key and SSL Certificate into java keystore
Thanks @Dave_thompson_085. Following 2 commands did the trick!
openssl pkcs12 -export -in mydomain.com.chained.crt -inkey mydomain.key -out keystore.p12 -name my-alias -caname root
keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias my-alias
and then in the application.properties I specified following properties:
server.port=8443
server.ssl.enabled=true
security.require-ssl=true
server.ssl.key-store=/etc/nginx/ssl/keystore.jks
server.ssl.key-store-password=mypassword
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my-alias

ssl setup in embedded tomcat Spring boot

I have an SSL certificate provided by globalsign. I want to import the certificate to use it with tomcat.
I am doing the following operation
Importing chain certificate
keytool -import -alias root11 -keystore server11.p12 -trustcacerts -file chain.pem -keyalg RSA -keysize 2048 -storetype PKCS12
Importing certificate
keytool -import -alias tomcatroot11 -keystore server11.p12 -trustcacerts -file file.cert -keyalg RSA -keysize 2048 -storetype PKCS12
In application.properties
server.ssl.key-store= /Users/Desktop/certificate/server11.p12
server.ssl.key-store-password= password
server.ssl.keyStoreType= PKCS12
server.ssl.keyAlias= tomcatroot11
I am getting the following error on start up of tomcat
java.lang.IllegalArgumentException: java.io.IOException: Alias name [hcmroot11] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114) ~[tomcat-embed-core-8.5.16.jar:8.5.16]
What am I doing wrong?
You have imported only the certificates, not any privatekey. SSL/TLS server needs a privatekey AND certificate or usually cert chain. See dupe Java SSLHandshakeException: no cipher suites in common (which has additional links) or crossdupe https://serverfault.com/questions/858102/jboss-https-configuration-with-cer-p7b-certificate-fails (the webserver component of Jboss is a fork of Tomcat).
-keyalg and -keysize are used only for -genkeypair, if you choose the approach of generating the key and (then) CSR in Java with keytool. They are useless and ignored on -importcert because it is impossible to modify any attribute(s) of an already-certified key.
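Added example, not part of the original answer: a pre-start check that reads `keytool -list` output and confirms the alias configured in `server.ssl.keyAlias` is a `PrivateKeyEntry` rather than a `trustedCertEntry`, which is the condition behind "does not identify a key entry". The function names and the embedded listing (including the `my-alias` entry, date and fingerprints) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample listing are constructed.

# Constructed `keytool -list` output: two imported certificates, one key pair.
sample_listing() {
  cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

root11, Jul 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed-placeholder>
tomcatroot11, Jul 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed-placeholder>
my-alias, Jul 14, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed-placeholder>
EOF
}

# entry_type ALIAS < listing : prints the entry type, or "missing".
# Matching is case-insensitive and anchored at the start of the line, because
# the locale-formatted date in the middle of the line contains commas itself.
entry_type() {
  awk -v want="$1" '
    index(tolower($0), tolower(want) ", ") == 1 {
      if ($0 ~ /, PrivateKeyEntry,/)       t = "PrivateKeyEntry"
      else if ($0 ~ /, trustedCertEntry,/) t = "trustedCertEntry"
      else if ($0 ~ /, SecretKeyEntry,/)   t = "SecretKeyEntry"
    }
    END { print (t == "" ? "missing" : t) }'
}

# check_key_alias ALIAS < listing : succeeds only for a private key entry.
check_key_alias() {
  t=$(entry_type "$1")
  case $t in
    PrivateKeyEntry)  return 0 ;;
    trustedCertEntry) echo "alias '$1' holds only a certificate: import the private key with its chain (for example from a PKCS12 file)" >&2 ;;
    *)                echo "alias '$1' cannot serve TLS: $t" >&2 ;;
  esac
  return 1
}

# Real use: keytool -list -keystore server11.p12 -storetype PKCS12 \
#             -storepass:env KEYSTORE_PASS | check_key_alias tomcatroot11
sample_listing | check_key_alias tomcatroot11 || true
```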
