How to restore certificate in Android? - google-play

I have uploaded an app on Google Play, unfortunately I have lost certificate of the uploaded app but I have password of the app. Now I want to upload new version of the app but I have no certificate, is there any way to recover the certificate of the app and upload the newer version of the app. Please help me in this respect, your help would be cordially appreciated. Thanks in advance.

1)Generate new certificate:
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias
2) Convert to .pem:
keytool -export -rfc -alias my-alias -file upload_certificate.pem -keystore my-release-key.jks
3) Send .pem to Contact Form:
General issues - Play Console Help
it takes 2 busines days to answer but this is the way if you dont want to re publish your app ;)
then you can sign your apk as you do before
(for me)
zipalign -v 4 android-release-unsigned.apk HelloWorld.apk
ReadMore
Manage your app signing keys

Now it is possible with Google Play App Signing
A short description
Users are installing apk with own google signing when you have uploaded previously with custom sign to google play
And if you didn't enable this feature there is an opportunity to take it now but with the help of google support team

You cannot recover the certificate if you lost it.
That's the point of the certificate, it behaves like a (private) key in real life. If you lose the key and its copies, then you have to change the lock.

Related

Extracting PEM from Xamarin Keystore File

I need to provide a PEM file to Google so that they can re-key the app signing and I can publish updates to the app. They have their key in Google Console, but my private key was corrupted by Xamarin. Google will accept a new PEM file from my new keystore to reconnect them so that I may distribute again.
However, Xamarin has its own proprietary .keystore file format. I've used keytool to extract a PEM from a Java jks.
How can I get the PEM to send to Google from a Xamarin .keystore file?
You should be able to export a PEM like so:
keytool -export -rfc -alias your-alias -file play-store.pem -keystore your.keystore

Apple MFi - Homekit Software Authentication

So, we were trying to setup communication with the apple MFi server for staging.
Have followed the steps as per the documentation which state that the license server should be trusted (DigiCert certificate used for the same) and that the client certificate must be provided to apple in order to establish a secure tunnel.
The client certificates (.pem files) we are trying with were generated a few months back but are still valid. The .pem doesn't seem to authorize a machine but rather a company account, correct me if I'm wrong here. (So it should work if the csr for the pem files was not generated from the licensee server?)
Also, while trying to create a new certificate get a MAX_REQUEST error. Got conflicting information about whether there can be more than to certificates active for the staging profile for an account.
Tried through Postman as well as .NET
var handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
handler.ClientCertificates.Add(new X509Certificate("Certificate.pem"));
var httpClient = new HttpClient(handler)
// Tried with and without the user name
httpClient.DefaultRequestHeaders.TryAddWithoutValidation("User-Agent",
"Company Name/Client Name/Client Version");
var result = httpClient.GetAsync(StagingURL).Result;
Always get a 401, Unauthorized Access error from the Apple Server. Wanted to know what the cause might be.
Thanks in advance!
Apparently, indeed only two staging certificates can be active at one time.
As for the certificate issue, .pem parsing might have been an issue but did not work with a .cer file either. The .pem only had the public key in it, needed to create a .p12 with the .pem and the private key that was used for generating the .csr.
If you are on a mac you should get it right away, on Windows, I had .jks file and had to create a .key file out of it:
keytool -importkeystore -srckeystore mykey.jks -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -nocerts -nodes -out mykey.key
And then wrap the two in a .p12
openssl pkcs12 -export -in mycert.pem -inkey mykey.key -out myp12.p12

Solr Https Secure Certificate Password

By default setting up Solr on Https requires storing the certificate password as plain text in "bin\solr.in.cmd" (using windows to host solr)
And the certificate password is exposed in the portal.
How can I configure Solr with a Https certificate keeping the certificate password safe?
I want to use a private certifcate so the client trusts the certificate by default, rather than a self signed one.
I'm connecting via SolrNet from C#, currently without authentiation, but in the future can look at Basic Authentication which is supported in the provider which wraps SolrNet.
Seems like a basic thing which I would have thought should be supported? Can't find any article/documention on this.
Anyone solved this already?
Nearest I've found is:
Setting SOLR SSL properties
http://lucene.472066.n3.nabble.com/Prevent-the-SSL-Keystore-and-Truststore-password-from-showing-up-in-the-Solr-Admin-and-Linux-process-td4257422.html
Some suggestion of using jetty-https.xml and encrypt the configuration there.
Looking for a more complete answer.
update
I've come across the following Solr tickets:
https://issues.apache.org/jira/browse/SOLR-10307
https://issues.apache.org/jira/browse/SOLR-8897
Where support for loading the certificate passwords from environment variables has been added in Solr 7.0 and 6.7 (which hasn't been released yet).
I don't think using environment variables is much better, but some progress.
There is also a link to using Hadoop credential provider, but I'm not using Hadoop, so not applicable for me.
In the comments of the tickets, it mentions that someone tried the Jetty Password Utility, and Solr UI loaded over HTTPS. However the Collection API was erroring not being able to understand the password format.
So I'm still left without a way of configuring a certificate password for Solr, in a way I feel is secure.
For me the certificate password is not stored on the SOLR portal
see my setup
SSL
cd /path/to/solr/server/etc/
The following command will create a keystore file named solr-ssl.keystore.jks in the current directory
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:#ipsolr,IP:127.0.0.1 -dname "CN=localhost, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx"
Convert the certificate and key to PEM format for use with Curl
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
Next convert the PKCS12 format keystore into PEM format using the openssl
openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
After go to your $JAVA_HOME (into jre/lib/security)
curl --cacert /pah/to/solr/server/etc/solr-ssl.pem https://localhost:8983/solr/
Set Common SSL-Related System Properties
vi /etc/default/solr.in.sh
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
Restart solr
service solr restart
For authentication
create security.json on SOLR_HOME (/var/solr/data/ for me)
Owner : root
See example of security.json to configure has you hope
After securing, add into solr.in.sh
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:xxx"
it allows to have an answer on solr status service because with authentication it is not accessible
For me it's work and i don't see the certificate password on solr UI

Questions about Android Keystore?

Have few questions about Android/java Keystore...
How the key file is created? i mean it depends on what?
When I use keytool on 2 different machines... why the resulted key file, is NOT the same size?
for example, I used the same exact info (city / country...etc), as well as the password & validity...etc.. on 2 machine, and the key.store file is not having the same size.
If i lose the key file... how can recreate another one (that may sign
the same app APK)? is it linked to the machine on which it was
generated?
or I can recreate it again if I know the password and the information i wrote there...etc?
To issue an update for an APK... should i use the same keystore on
the same machine? or I can just re-use the keystore on a different
machine?
Is there is anything that I can/should do... to keep the private key
secured? obviosuly other than using a hard password, and securing the
file itself?
This code signing thing is a bit confusing to me, as all what I do is to run the command
keytool -genkey -v -keystore C:\key.keystore -alias key_alias.keystore -keyalg RSA -keysize 2048 -validity 10000
but I wanted to really understand how it's done? and how it will affect my app in future?
Thanks.

How can I set up Jenkins CI to use https on Windows?

We've recently set up a Jenkins CI server on Windows. Now in order to use Active Directory authentication I'd like to require https (SSL/TLS) for access. Given this setup, what is the recommended way to do this?
Go to your %JENKINS_HOME% and modify the jenkins.xml. Where you see --httpPort=8080 change it to --httpPort=-1 --httpsPort=8080 you can make the ports anything you want of course, but in my testing (a while ago, it may have changed) if you don't keep --httpPort=<something> then Jenkins will always use 8080. So if you simply change --httpPort=8080 to --httpsPort=8080, port 8080 will still use http.
Also, if you want to use your own certificate, there are some instructions at the bottom of this page.
http://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
Run:
keytool -genkey -keyalg RSA -keystore Jenkins.jks -alias [Name of website] -keysize 2048
Answer the questions remembering that First and last name is the website URL and should be lowercase. Example:
build.jenkins-ci.org
State or province cannot be abbreviated.
Run:
keytool -certreq -Keystore jenkins.jks -alias [Name of website] -file jenkins.csr -keysize 2048
Send Jenkins.csr to your cert provider and request a PKCS#7 cert which has a .p7b extension and starts with:
-----BEGIN PKCS #7 SIGNED DATA-----
Note: Trial certs are not normally available in .p7b format but you may be able to combine the .cer files using this tool which reported success but didn't work for me. (https://www.sslshopper.com/ssl-converter.html)
Run:
keytool -import -trustcacerts -file jenkins.p7b -keystore jenkins.jks -alias [Name of website]
Change the arguments node in Jenkins.xml to the following prespectivly.
<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=-1 --httpsPort=443 --httpsKeyStore="%BASE%\Cert\Jenkins.jks" --httpsKeyStorePassword=[Cert password from step 1]</arguments>
Troubleshooting:
If Jenkins doesn't start read the last lines from Jenkins.err.log.
If Jenkins didn't start because of an issue with Jenkins.xml, replace the – (weird Windows hyphen) characters with an actual - (ASCII hyphen).
If Jenkins starts but the cert still reads as bad, make sure the [Name of website] is the actual URL without the https: example: https://build.jenkins-ci.org would be build.jenkins-ci.org.
If that isn't the issue inspect the .jks file using KeyStore Explorer. The "Certificate Hierarchy" should show that each cert is nested in another; This is to illustrate the cert chain. If it shows the certs next to each other then it's not correct.
If it won't start on a specific port, 443 for example, then verify IIS or another app isn't currently using the port.
If you can see the site on the PC it's hosted on, but not another PC, then verify you aren't getting blocked by a firewall.
Step1: Create both public and private Certificate on your jenkin name (convert them into keysore file if its not)
Step2: Import the public certificate into your browser certificate mananger (import into all tabs)
Step3: Host your jenkin using JKS file which contain both public and private key.
For steps refer "Enable HTTPS in jenkins?"

Resources