I need to create certificates from a keystore file with the extension ".store" provided by the client for a TIBCO BW project - tibco

Using the "server.store" file provided by the customer, I need to create the certificate and the password for the keystore, and I also need to know in which format the "server.store" has been provided. PKCS or PEM format? How do I check the format from the existing "server.store" file?

Assuming that your server.store is a keystore, did you try keytool?
You should be able to list the certificates with:
keytool -list -v -keystore server.store
and export with:
keytool -export -alias mydomain -file mydomain.crt -keystore server.store
Then you can convert the exported certificate between formats following one of the many tutorials on the web.
A couple of useful links:
http://support.citrix.com/article/CTX106631
http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
HTH.
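The question also asks how to tell which container format server.store is in. The first bytes answer that before keytool is run: JKS and JCEKS files start with a fixed magic, PEM is text with BEGIN/END lines, and a binary PKCS#12 (.p12/.pfx) is one DER SEQUENCE covering the whole file. The classifier below is an added example, not part of the answer above; the sample blobs are constructed stand-ins, not real keystores.

```python
import re

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # written by sun.security.provider.JavaKeyStore
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # written by com.sun.crypto.provider.JceKeyStore
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def der_sequence_length(data):
    """Total length of the outer DER SEQUENCE, or None if the header is not a well-formed SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:  # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def sniff_keystore(data):
    """Classify a keystore or certificate blob by its leading bytes; returns (format, detail).

    'pkcs12' is a heuristic: a DER SEQUENCE whose declared length equals the file length is
    what a binary .p12/.pfx looks like, but a single DER certificate has the same outer shape.
    """
    if data.startswith(JKS_MAGIC):
        return "jks", "JKS magic 0xFEEDFEED; list with keytool -list -v -keystore FILE"
    if data.startswith(JCEKS_MAGIC):
        return "jceks", "JCEKS magic 0xCECECECE; add -storetype JCEKS to keytool"
    labels = PEM_RE.findall(data)
    if labels:
        return "pem", "PEM blocks: " + ", ".join(l.decode() for l in labels)
    if der_sequence_length(data) == len(data):
        return "pkcs12", "DER SEQUENCE spanning the whole file; try keytool -list -storetype PKCS12"
    return "unknown", "no JKS/JCEKS magic, no PEM armor, not one complete DER SEQUENCE"

# Constructed sample inputs (not real keystores) so the classifier can be exercised offline.
SAMPLES = {
    "server.store": JKS_MAGIC + b"\x00\x00\x00\x02\x00\x00\x00\x00",
    "client.pem": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
    "bundle.p12": b"\x30\x82\x00\x04\x02\x01\x03\x30",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print("%-13s %-8s %s" % ((name,) + sniff_keystore(blob)))
```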

Related

Extracting PEM from Xamarin Keystore File

I need to provide a PEM file to Google so that they can re-key the app signing and I can publish updates to the app. They have their key in Google Console, but my private key was corrupted by Xamarin. Google will accept a new PEM file from my new keystore to reconnect them so that I may distribute again.
However, Xamarin has its own proprietary .keystore file format. I've used keytool to extract a PEM from a Java jks.
How can I get the PEM to send to Google from a Xamarin .keystore file?
You should be able to export a PEM like so:
keytool -export -rfc -alias your-alias -file play-store.pem -keystore your.keystore

Solr Https Secure Certificate Password

By default setting up Solr on Https requires storing the certificate password as plain text in "bin\solr.in.cmd" (using windows to host solr)
And the certificate password is exposed in the portal.
How can I configure Solr with a Https certificate keeping the certificate password safe?
I want to use a private certificate so the client trusts the certificate by default, rather than a self-signed one.
I'm connecting via SolrNet from C#, currently without authentication, but in the future can look at Basic Authentication, which is supported in the provider which wraps SolrNet.
Seems like a basic thing which I would have thought should be supported? Can't find any article/documentation on this.
Anyone solved this already?
Nearest I've found is:
Setting SOLR SSL properties
http://lucene.472066.n3.nabble.com/Prevent-the-SSL-Keystore-and-Truststore-password-from-showing-up-in-the-Solr-Admin-and-Linux-process-td4257422.html
Some suggestion of using jetty-https.xml and encrypt the configuration there.
Looking for a more complete answer.
update
I've come across the following Solr tickets:
https://issues.apache.org/jira/browse/SOLR-10307
https://issues.apache.org/jira/browse/SOLR-8897
Where support for loading the certificate passwords from environment variables has been added in Solr 7.0 and 6.7 (which hasn't been released yet).
I don't think using environment variables is much better, but some progress.
There is also a link to using Hadoop credential provider, but I'm not using Hadoop, so not applicable for me.
In the comments of the tickets, it mentions that someone tried the Jetty Password Utility, and Solr UI loaded over HTTPS. However the Collection API was erroring not being able to understand the password format.
So I'm still left without a way of configuring a certificate password for Solr, in a way I feel is secure.
For me the certificate password is not stored on the SOLR portal; see my setup.
SSL
cd /path/to/solr/server/etc/
The following command will create a keystore file named solr-ssl.keystore.jks in the current directory
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:#ipsolr,IP:127.0.0.1 -dname "CN=localhost, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx"
Convert the certificate and key to PEM format for use with Curl
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
Next convert the PKCS12 format keystore into PEM format using the openssl
openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
Then go to your $JAVA_HOME (into jre/lib/security)
curl --cacert /path/to/solr/server/etc/solr-ssl.pem https://localhost:8983/solr/
Set Common SSL-Related System Properties
vi /etc/default/solr.in.sh
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
Restart solr
service solr restart
For authentication
create security.json in SOLR_HOME (/var/solr/data/ for me)
Owner: root
See the example security.json to configure it as you wish
After securing, add into solr.in.sh
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:xxx"
It allows the solr status service to answer, because with authentication it is not accessible.
For me it works and I don't see the certificate password on the solr UI.

org.opensaml.common.SAMLRuntimeException: Can't obtain SP signing key

Unable to get through the realm discovery phase. The sample code works fine with the IdP SSOCircle; facing issues after updating our securityContext.xml with our company's Metadata.xml, importing the pfx certificate and adding it to the keystore.
Used the command below to add it to the keystore:
keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE_PASS -srcalias SOURCE_ALIAS -destkeystore samlKeystore.jks -deststoretype jks -deststorepass nalle123 -destalias alias
PFB Exception Trace :
org.opensaml.common.SAMLRuntimeException: Can't obtain SP signing key
at org.springframework.security.saml.key.JKSKeyManager.getCredential(JKSKeyManager.java:193)
at org.springframework.security.saml.metadata.MetadataGenerator.getServerKeyInfo(MetadataGenerator.java:205)
at org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:329)
at org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.processMetadataInitialization(MetadataGeneratorFilter.java:127)
at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
and console messages as below :
No default metadata configured, generating with default values, please pre-configure metadata for production use
Unable to retrieve keystore entry for entityID (keystore alias): apollo
Check for invalid keystore entityID/alias entry password
Used the entityBaseURL as the end party url shared with client. Also tried with entity id that appears in metadata.xml.
Any help is truly appreciated.
When using a self-signed keystore created with the keytool command, the key-pair password (specified with the keytool option -keypass) and the keystore file password must be the same.
We can create a self-signed keystore with the command below:
keytool -genkeypair -alias springsaml -keypass <password> -keystore saml-keystore.jks
When you receive the message "Enter keystore password" on the terminal, enter the same password that you provided for the keytool option "-keypass".
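The console line "Unable to retrieve keystore entry for entityID (keystore alias): apollo" names the alias JKSKeyManager looked up, while the import command in the question wrote the entry under -destalias alias; the store password is checked separately through the integrity hash at the end of the file. The following is an added example, not part of the post: it reads a JKS file's aliases and verifies the store password without a JVM. The keystore it builds for the demo is a constructed sample with dummy key and certificate bytes, not something keytool would load.

```python
import hashlib, struct

JKS_MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2  # file magic and the two entry tags
SALT = b"Mighty Aphrodite"  # fixed string JavaKeyStore mixes into its integrity hash

def _utf(buf, pos):  # Java writeUTF(): uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _blob(buf, pos):  # int32 length + raw bytes (protected key or DER cert)
    (n,) = struct.unpack_from(">i", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def list_aliases(data):
    """Return [(alias, kind)] for each entry; keytool stores aliases lowercased."""
    magic, version, count = struct.unpack_from(">IIi", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS v2 keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">i", data, pos)
        kind = {PRIVATE_KEY: "PrivateKeyEntry", TRUSTED_CERT: "trustedCertEntry"}[tag]  # KeyError if unknown
        alias, pos = _utf(data, pos + 4)
        pos += 8  # creation time (ms), skipped
        if tag == PRIVATE_KEY:
            _, pos = _blob(data, pos)  # password-protected PKCS#8 key
            (chain_len,) = struct.unpack_from(">i", data, pos)
            pos += 4
        else:
            chain_len = 1  # a trusted-cert entry is one bare certificate
        for _ in range(chain_len):
            _, pos = _utf(data, pos)  # certificate type, normally "X.509"
            _, pos = _blob(data, pos)
        entries.append((alias, kind))
    return entries

def store_password_ok(data, password):  # trailing SHA-1 over password (UTF-16BE) || SALT || body
    return hashlib.sha1(password.encode("utf-16-be") + SALT + data[:-20]).digest() == data[-20:]

def has_signing_key(data, alias):  # what JKSKeyManager needs: a PrivateKeyEntry under that alias
    return (alias.lower(), "PrivateKeyEntry") in list_aliases(data)

def build_sample_jks(password, private_aliases):
    """Constructed sample, not a usable keystore: one PrivateKeyEntry per alias with dummy bytes."""
    body = struct.pack(">IIi", JKS_MAGIC, 2, len(private_aliases))
    for alias in private_aliases:
        a = alias.lower().encode("utf-8")
        body += struct.pack(">iH", PRIVATE_KEY, len(a)) + a + struct.pack(">qi", 0, 2) + b"\x30\x00"
        body += struct.pack(">iH", 1, 5) + b"X.509" + struct.pack(">i", 2) + b"\x30\x00"
    return body + hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()
```

The key password is only checked when the protected key blob is decrypted, which this parser does not attempt, so a store that passes both checks here can still fail with a wrong -keypass.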

how to sign APK with google upload key der file?

After importing the der file into the keystore as follows:
keytool -keystore my-release-key.keystore -importcert -file ~/Downloads/upload_cert.der -alias uploadcert
I get an error when trying to assemble release APK
trusted certificate entries are not password-protected
If I add
-protected
to the import, I get
keytool error: java.lang.IllegalArgumentException: password can't be null
and if I pass the password after -protected I get usage help message.
Not sure how to pass the password.
Any idea if I am on the right path to sign with google upload certificate der file ?
Got the same problem, and the "password can't be null" problem may be bypassed by editing the command like:
keytool -keystore parkimayaz.keystore -importcert -file ~/Downloads/upload_cert.der -alias uploadcert -keypass "yourpass" -storepass "yourpass"
Another note: I used characters like (',#,^) in the password, which gave me some errors.
Also please take a look at the Oracle keytool docs.

How to add a *.P12 keystore (with one entry)?

Apologies for my lack of understanding of certificates in general. I have a .p12 file (with a non-expired certificate) and a valid password so I can list the contents using:
keytool -list -keystore file.p12 -storepass password -storetype PKCS12 -v
In my Java code I am attempting an HTTPS post but keep getting this error:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching [host.path.com] found
This same post works against one of my other environments which does not have any authentication required and the link is HTTP (vs. HTTPS). How do I make this .p12 file work for it to be recognized in the handshake?
You could use the following command:
keytool -v -importkeystore -srckeystore alice.p12 -srcstoretype PKCS12 -destkeystore "c:\Program Files\Java\jre1.8.0_71\lib\security\cacerts" -deststoretype JKS
The default password for your cacerts will be changeit,
where the trust store will be your JRE trust store.
Please refer here for more information
http://www.webfarmr.eu/2010/04/import-pkcs12-private-keys-into-jks-keystores-using-java-keytool/
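The exception text in the question comes from Java's hostname verification step: after the chain is trusted, HostnameChecker compares the requested host with the certificate's SAN dNSName entries, falls back to the subject CN only when the certificate has no SAN DNS entry, and reports "No name matching ... found" on that CN path (a SAN mismatch is reported as "No subject alternative DNS name matching ... found."). The example below is added here and is not from the thread; it reproduces those matching rules on constructed getpeercert()-style data with made-up names.

```python
def _label_matches(pattern, name):
    """One name comparison: case-insensitive, trailing dot ignored, and a wildcard only as the
    whole leftmost label matching exactly one label (so *.api.example never matches a.b.api.example)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    first, _, rest = pattern.partition(".")
    if first != "*" or "." not in rest:  # refuse embedded wildcards and templates like *.com
        return False
    head, _, tail = name.partition(".")
    return bool(head) and tail == rest

def check_hostname(cert, hostname):
    """None when the host matches; otherwise the message Java's HostnameChecker puts in the exception."""
    san = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:  # with SAN dNSName entries present the CN is never consulted
        if any(_label_matches(p, hostname) for p in san):
            return None
        return "No subject alternative DNS name matching %s found." % hostname
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_label_matches(p, hostname) for p in cn):
        return None
    return "No name matching %s found" % hostname

# Constructed certificate summaries in the shape ssl.SSLSocket.getpeercert() returns; the names are made up.
SAN_CERT = {
    "subject": ((("commonName", "solr.internal.example"),),),
    "subjectAltName": (("DNS", "solr.internal.example"), ("DNS", "*.api.example"), ("IP Address", "10.0.0.5")),
}
CN_ONLY_CERT = {"subject": ((("countryName", "US"),), (("commonName", "legacy.internal.example"),))}

if __name__ == "__main__":
    for cert, host in ((SAN_CERT, "solr.internal.example"), (SAN_CERT, "a.api.example"),
                       (SAN_CERT, "host.path.com"), (CN_ONLY_CERT, "host.path.com")):
        print("%-22s -> %s" % (host, check_hostname(cert, host) or "ok"))
```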
