Java/keystore

Quick Import
To import a certificate into a custom keystore (the store is created on first use; use any password):
$ keytool -import -keystore /keystore -alias localhost -trustcacerts -file localhost.der.crt

To verify that the certificate was imported into the keystore (use the password entered when creating the keystore):
$ keytool -list -keystore /keystore

To use the custom keystore, append this to the application startup parameters:
-Djavax.net.ssl.trustStore=/keystore

Default Keystore
"Obtaining a copy of the certificate in X.509 format requires Microsoft’s Internet Explorer. By placing the https URL into the browser window, a dialog will pop up requesting permission to accept the certificate. Click the View Certificate button and then the Details tab. In this tab, click the Copy to File button, then click Next and select the Base-64 encoded X.509 (.CER) option. After that, click Next to save the resulting file."

The default keystore is located at .../jre/lib/security/cacerts (password: changeit).

To import a certificate into the default keystore:
cd .../jre/lib/security/
keytool.exe -import -storepass changeit -file mycert.cer -keystore cacerts -alias mycert

Keytool
View certificates:
$ keytool -list -keystore [keystore]
$ keytool -list -v -keystore [keystore]

Conversion from Apache PEM to Java Keytool
Converting the certificate is easy. Converting the private key is less so.


 * OpenSSL to Keytool Conversion tips
 * Keytool to OpenSSL Conversion tips
 * Conflicts OpenSSL versus KeyTool
 * Using OpenSSL to set up your own CA

The .crt files provided by the CA do not need conversion, as they are in a standard format.

Convert OpenSSL (PEM) to keytool using Jetty:
 * 1) convert to pkcs12
   openssl pkcs12 -export -in [domain].crt -inkey [domain].key -out keystore.pkcs12
 * 2) convert to java keystore (jks)
   wget http://dist.codehaus.org/jetty/jetty-6.1.x/jetty-6.1.3.zip
   (alternatively: wget ftp://ftp.mortbay.org/pub/jetty-6.1.x/jetty-6.1.3.zip)
   unzip jetty-6.1.3.zip
   java -classpath jetty-6.1.3/lib/jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import keystore.pkcs12 keystore.jks
 * 3) verify
   keytool -list -v -keystore keystore.jks
 * 4) rename the default alias of '1' to something else like 'tomcat'
   keytool -keyclone -keystore keystore.jks -alias 1 -dest tomcat
   keytool -delete -keystore keystore.jks -alias 1

GoDaddy Conversion (for mail and Jira server with intermediate chain):
keytool -import -keystore keystore.jks -alias godaddy -trustcacerts -file [godaddy].crt
cp keystore.jks ~/.keystore

Build a PKCS12 keystore that carries the GoDaddy intermediate chain:
wget https://certs.godaddy.com/repository/gd_bundle.crt
openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in [domain].crt -inkey [domain].key -out keystore.tomcat -name tomcat -passout pass:changeit
 * 1) Add the following directives to the Connector tag:
   keystoreFile="/keystore.tomcat" keystorePass="changeit" keystoreType="PKCS12"

If you only need to import a certificate (not a private key), this is easy:
keytool -import -alias [alias] -keystore cacerts -file [cert.pem]

Makefile:
all:
	cat TrustedSecureCertificateAuthorityDV.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.crt
	rm tomcat.keystore
	openssl pkcs12 -export -chain -CAfile bundle.crt -in ssl.oeey.com.crt -inkey ssl.oeey.com.key -out tomcat.keystore -name tomcat -passout pass:PASSWORD
	cp tomcat.keystore /etc
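The same PEM-to-keystore conversion done with the java.security.KeyStore API instead of openssl plus Jetty's PKCS12Import. This is an added example, not code from the page, Jetty or Tomcat. It assumes the private key is an unencrypted PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----", which `openssl pkcs8 -topk8 -nocrypt -in [domain].key` produces from a traditional key) and that the certificate PEM lists the server certificate first, followed by the intermediate/root bundle, exactly as the `cat ... > bundle.crt` step above orders them. It also performs the key/certificate match check that `openssl pkcs12 -export` enforces, so a key that belongs to a different certificate is rejected before anything is written.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

/*
 * Added example (not from the page or from Jetty): build a keystore holding one
 * private key and its certificate chain directly from PEM files, which is what
 * "openssl pkcs12 -export -chain ..." followed by Jetty's PKCS12Import produce.
 * Assumptions: unencrypted PKCS#8 key PEM; certificate PEM with the leaf first.
 */
public class PemToKeystore {

    /* Every certificate in the PEM file, in file order: leaf first, then the chain. */
    static Certificate[] readCertChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) throw new IllegalArgumentException("no certificates in " + pemPath);
            return certs.toArray(new Certificate[0]);
        }
    }

    /* Decode an unencrypted PKCS#8 PEM key. A traditional "BEGIN RSA PRIVATE KEY"
       (PKCS#1) file is rejected on purpose: convert it with openssl pkcs8 first. */
    static PrivateKey readPkcs8Key(String pemPath, String algorithm) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(pemPath)), StandardCharsets.US_ASCII);
        String begin = "-----BEGIN PRIVATE KEY-----", end = "-----END PRIVATE KEY-----";
        if (!pem.contains(begin) || !pem.contains(end)) {
            throw new IllegalArgumentException(pemPath + " is not an unencrypted PKCS#8 key");
        }
        String body = pem.substring(pem.indexOf(begin) + begin.length(), pem.indexOf(end)).replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /* Sign/verify round trip: the key must belong to the leaf certificate, the same
       check openssl pkcs12 -export performs before it writes the PKCS#12 file. */
    static boolean keyMatchesCert(PrivateKey key, Certificate leaf) {
        try {
            String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
            byte[] probe = "key/cert match check".getBytes(StandardCharsets.US_ASCII);
            Signature s = Signature.getInstance(sigAlg);
            s.initSign(key);
            s.update(probe);
            byte[] sig = s.sign();
            Signature v = Signature.getInstance(sigAlg);
            v.initVerify(leaf.getPublicKey());
            v.update(probe);
            return v.verify(sig);
        } catch (Exception mismatch) {
            return false;   // wrong key type or algorithm also counts as a mismatch
        }
    }

    /* storeType is "PKCS12" (what keystoreType="PKCS12" in the Connector tag expects) or "JKS". */
    static void build(String certPem, String keyPem, String keyAlg, String alias,
                      String storeType, String outPath, char[] password) throws Exception {
        Certificate[] chain = readCertChain(certPem);
        PrivateKey key = readPkcs8Key(keyPem, keyAlg);
        if (!keyMatchesCert(key, chain[0])) {
            throw new IllegalStateException("private key does not match the first certificate in " + certPem);
        }
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, null);                          // start from an empty store
        ks.setKeyEntry(alias, key, password, chain);  // key entry protected with the store password
        try (FileOutputStream out = new FileOutputStream(outPath)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: PemToKeystore <chain.pem> <key.pem> <RSA|EC> <alias> <PKCS12|JKS> <out>");
            System.exit(2);
        }
        char[] password = System.console() != null
            ? System.console().readPassword("keystore password: ")
            : "changeit".toCharArray();               // fallback when no terminal is attached
        build(args[0], args[1], args[2], args[3], args[4], args[5], password);
        System.out.println("wrote " + args[5] + " with alias " + args[3]);
    }
}
```

Run it as `java PemToKeystore bundle-with-leaf-first.pem server.pkcs8.pem RSA tomcat PKCS12 tomcat.keystore` and inspect the result with `keytool -list -v -keystore tomcat.keystore` as in the verify step above; the alias comes out as whatever you passed, so the keyclone/delete dance for the default alias '1' is not needed.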

Conversion from Java Keytool to Apache PEM
[http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format encryption - Converting a Java Keystore into PEM Format. - Stack Overflow]

http://www.google.com/#sclient=psy&q=convert+java+keystore+to+pem

keytool -keystore foo.jks -genkeypair -alias foo \
    -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'

keytool -keystore foo.jks -exportcert -alias foo | \
    openssl x509 -inform der -text

keytool -importkeystore -srckeystore foo.jks \
    -destkeystore foo.p12 \
    -srcstoretype jks \
    -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

openssl x509 -text -in foo.pem

openssl dsa -text -in foo.pem

Command summary - to create JKS keystore:

keytool -keystore foo.jks -genkeypair -alias foo \
    -dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU'

Command summary - to convert JKS keystore into PKCS#12 keystore, then into PEM file:

keytool -importkeystore -srckeystore foo.jks \
    -destkeystore foo.p12 \
    -srcstoretype jks \
    -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

If you have more than one certificate in your JKS keystore, and you want to only export the certificate and key associated with one of the aliases, you can use the following variation:

keytool -importkeystore -srckeystore foo.jks \
    -destkeystore foo.p12 \
    -srcalias foo \
    -srcstoretype jks \
    -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

Command summary - to compare JKS keystore to PEM file:

keytool -keystore foo.jks -exportcert -alias foo | \
    openssl x509 -inform der -text

openssl x509 -text -in foo.pem

openssl dsa -text -in foo.pem

Well, OpenSSL should do it handily from a #12 file:
openssl pkcs12 -in pkcs-12-certificate-file -out pem-certificate-file
openssl pkcs12 -in pkcs-12-certificate-and-key-file -out pem-certificate-and-key-file
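The JKS-to-PKCS#12-to-PEM path of the command summaries above, done with the KeyStore API so that the single-alias variation and the "compare" step happen in one place. This is an added example, not code from the page or from the Stack Overflow answer it quotes. It assumes the key entry and the store share one password (keytool's behaviour when -genkeypair is run without -keypass), and it writes the private key unencrypted, like `openssl pkcs12 -nodes`, so the output file needs the same file permissions you would give foo.pem.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;

/*
 * Added example (not from the page): the Java-API equivalent of
 * "keytool -importkeystore ... -deststoretype pkcs12" followed by
 * "openssl pkcs12 -in foo.p12 -out foo.pem", plus the certificate fingerprint
 * used to confirm that keystore and PEM file hold the same certificate.
 * Assumption: key entry and store use the same password.
 */
public class KeystoreToPem {

    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // a wrong password fails here with an IOException
        }
        return ks;
    }

    /* Copy one alias (every alias when onlyAlias is null) into a new PKCS#12 store;
       this is the -srcalias variation from the summary above. */
    static void toPkcs12(KeyStore src, String onlyAlias, String outPath, char[] password) throws Exception {
        KeyStore dst = KeyStore.getInstance("PKCS12");
        dst.load(null, null);
        for (String alias : Collections.list(src.aliases())) {
            if (onlyAlias != null && !onlyAlias.equals(alias)) continue;
            if (src.isKeyEntry(alias)) {
                dst.setKeyEntry(alias, src.getKey(alias, password), password, src.getCertificateChain(alias));
            } else {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        try (FileOutputStream out = new FileOutputStream(outPath)) {
            dst.store(out, password);
        }
    }

    /* One PEM block: 64-column Base64 between BEGIN/END markers, the way openssl writes it. */
    static String pemBlock(String label, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + b64 + "\n-----END " + label + "-----\n";
    }

    /* Write the alias's private key (PKCS#8, unencrypted) and its full chain to one PEM file. */
    static void exportPem(KeyStore ks, String alias, char[] password, String outPath) throws Exception {
        Key key = ks.getKey(alias, password);                 // null for a trusted-certificate-only entry
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null) chain = new Certificate[] { ks.getCertificate(alias) };
        try (PrintWriter w = new PrintWriter(new OutputStreamWriter(new FileOutputStream(outPath), StandardCharsets.US_ASCII))) {
            if (key instanceof PrivateKey) {
                w.print(pemBlock("PRIVATE KEY", key.getEncoded()));   // JDK providers encode private keys as PKCS#8
            }
            for (Certificate c : chain) {
                w.print(pemBlock("CERTIFICATE", c.getEncoded()));
            }
        }
    }

    /* SHA-256 fingerprint in openssl's AA:BB:CC form, for comparing against
       "openssl x509 -in foo.pem -noout -fingerprint -sha256". */
    static String fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreToPem <foo.jks> <password> <alias>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore jks = load(args[0], "JKS", password);
        toPkcs12(jks, args[2], "foo.p12", password);
        exportPem(jks, args[2], password, "foo.pem");
        Certificate leaf = jks.getCertificate(args[2]);
        System.out.println(((X509Certificate) leaf).getSubjectX500Principal().getName());
        System.out.println("SHA256 Fingerprint=" + fingerprint(leaf));
    }
}
```

`java KeystoreToPem foo.jks changeit foo` writes foo.p12 and foo.pem next to the store; the printed fingerprint should equal the one `openssl x509 -in foo.pem -noout -fingerprint -sha256` reports, which is the same comparison the "compare JKS keystore to PEM file" summary makes by eye with -text output.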

How to Import a Certificate into your Java Keystore
Author: Kenneth Burgener. Created: 2007.06.28

Summary
When you attempt to access a website protected by SSL (HTTPS) that is not trusted, the browser is kind enough to present you with a warning message, and give you the opportunity to accept the certificate. Java, by default, is not as nice. The default behavior for the Java connector attempting to access an untrusted certificate is to throw an exception. This exception generally looks like this:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To resolve this issue, there are two options. You can either override the Java connector behavior (requires modifying code), or you can import the untrusted certificate into a keystore and implicitly trust the certificate.

Override Java Connector Behavior
Since this is probably not the preferred method I will simply provide some references here. One example of why you may want to change the default behavior would be if you would like to provide a prompt to the user asking if they wish to accept the certificate, much as any Internet browser would.

Importing Certificate into a Keystore
A keystore is simply a Java container file which contains certificates and private keys. To import a certificate into a keystore, you will use "keytool". Key management in Java is done with the "keytool" application.

keytool - Key and Certificate Management Tool http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

The first step will be to obtain a copy of the certificate you wish to import. This is done easily with Internet Explorer. Simply visit the site you wish to obtain the certificate from. Since the certificate is untrusted, you will be presented with a warning message. Accept the warning. The next step is to click on the "lock" icon in your browser (bottom right of window in IE6, top next to address bar in IE7).

Clicking on the lock will bring up a short message. Click on the "View Certificate" link. The first tab, titled "General", gives you the option to import the certificate into Internet Explorer's trusted list. This would be a good time to do this if you wish to be able to visit the site in the future without warnings. The second tab, titled "Details", has a "Copy to File" button. Click on the "Copy to File" button to begin the certificate export wizard. Click Next to be presented with the "Export File Format" options. Select the "Base-64 encoded X.509 (.CER)" option and click Next. Give the file a name and a location (e.g. C:\mycert.cer) and click Next. Click the Finish button and the file will be exported. Now that we have a certificate we can import it into a keystore.

There are two keystore options for storing a certificate. We can import the certificate into a keystore that we create, and tell our application where to find the keystore in the startup parameters. The second option is to import the certificate into the JRE's default keystore.

Import Certificate to Custom Keystore
To create a custom keystore we will use the keytool application as such:
keytool -import -keystore c:\keystore -file c:\mycert.cer -alias mycert

The location of the keystore file is arbitrary. The alias simply needs to be a unique name in the keystore. This alias is what will be used to reference the certificate in the future.

To use the keystore with your Java application, simply append the following parameter:
-Djavax.net.ssl.trustStore=c:\keystore

If your application needs to modify the keystore, you will probably need to append the keystore password parameter as well:
-Djavax.net.ssl.trustStorePassword=XXX

Now your application should work without SSL warning issues.
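The custom-keystore procedure (this section and the Quick Import section at the top of the page) expressed with the java.security.KeyStore API, together with the programmatic form of -Djavax.net.ssl.trustStore: an SSLContext whose trust decisions come only from that keystore. That is the safe way to "override the Java connector behavior" mentioned earlier, since it scopes the change to one connection instead of disabling validation for the whole JVM. This is an added example, not code from the page or from the article's author. It assumes the certificate file is DER or Base-64 X.509 (the .cer exported from the browser), and that the store is JKS or PKCS12 and may not exist yet; the optional HTTPS URL argument is whatever site the certificate came from.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (not from the page): the keytool import/list steps done with
 * the KeyStore API, plus an SSLContext that trusts exactly one keystore, the
 * per-connection equivalent of -Djavax.net.ssl.trustStore.
 * Assumptions: DER or Base-64 .cer input; JKS or PKCS12 store, created if absent.
 */
public class CustomTrustStore {

    /* keytool -import -keystore <store> -file <cert> -alias <alias> */
    static KeyStore importCertificate(String storePath, char[] storePass,
                                      String certPath, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS before Java 9, PKCS12 from Java 9 on
        File storeFile = new File(storePath);
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) { ks.load(in, storePass); }
        } else {
            ks.load(null, null);                                          // brand-new, empty store
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            cert.checkValidity();                 // refuse to trust an expired or not-yet-valid certificate
            ks.setCertificateEntry(alias, cert);  // stored as trustedCertEntry; an existing alias is replaced
        }
        try (FileOutputStream out = new FileOutputStream(storeFile)) { ks.store(out, storePass); }
        return ks;
    }

    /* keytool -list -keystore <store> */
    static void list(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            String subject = c instanceof X509Certificate
                ? ((X509Certificate) c).getSubjectX500Principal().getName() : "(no certificate)";
            System.out.println(alias + ", " + (ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry")
                + ", " + subject);
        }
    }

    /* Trust decisions come only from this store, so the change is scoped to the
       connections that use this context rather than to the whole JVM. */
    static SSLContext contextTrusting(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /* HEAD request; an untrusted server certificate surfaces here as the
       SSLHandshakeException ("PKIX path building failed") quoted in the summary.
       Hostname verification stays on: the certificate's subject/SAN must still match the URL's host. */
    static int head(String httpsUrl, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(httpsUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: CustomTrustStore <store> <storepass> <cert.cer> <alias> [https-url]");
            System.exit(2);
        }
        KeyStore ks = importCertificate(args[0], args[1].toCharArray(), args[2], args[3]);
        list(ks);
        if (args.length == 5) {
            try {
                System.out.println("HTTP " + head(args[4], contextTrusting(ks)));
            } catch (SSLHandshakeException e) {
                System.out.println("still untrusted: " + e.getMessage());
            }
        }
    }
}
```

`java CustomTrustStore c:\keystore changeit c:\mycert.cer mycert https://host.example/` imports the certificate, prints the store contents the way `keytool -list` does, and then makes one request that trusts only that store; because the context holds nothing but your imported certificate, a site whose certificate you did not import still fails with the PKIX error, which is the behaviour you want from an override.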

Import Certificate to Default Keystore
The Java JVM contains a default keystore which contains many root level CAs (Certificate Authorities), such as Verisign and Thawte. Certificates that are signed by these CAs are implicitly trusted by Java. We can add our self signed certificate to this keystore, which will then allow our certificate to be trusted by any Java application that uses this JVM. This keystore is located here: $JVM_PATH/lib/security/cacerts

This could be something like one of the following, or it could be within your application's folder if a JVM was installed with the application:
C:\Program Files\Java\jdk1.5.0_08\jre\lib\security\cacerts
C:\Program Files\Java\jre1.6.0_01\lib\security\cacerts

To import a certificate to the default keystore we will use the keytool application as such (the path contains spaces, so it must be quoted):
keytool -import -keystore "C:\Program Files\Java\jdk1.5.0_08\jre\lib\security\cacerts" -file c:\mycert.cer -alias mycert -storepass changeit

The cacerts keystore contains a default password of "changeit". The location of the cacerts keystore file is dependent on the location of your JVM. The alias simply needs to be a unique name in the keystore. This alias is what will be used to reference the certificate in the future.

Now your application should work without SSL warning issues.

Other References
Testing with untrusted Https http://www.testearly.com/2006/04/05/testing-with-untrusted-https/