Java Key Store: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
 
(20 intermediate revisions by the same user not shown)
Line 5: Line 5:
  -storepass storepasswd\
  -storepass storepasswd\
  -keypass  storepasswd
  -keypass  storepasswd
</source>
<source lang="bash">
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
-dname    "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
-storetype pkcs12 -keystore  clients.jks -alias academia\
-storepass storepasswd\
-keypass  storepasswd
</source>
==Java Code==
<source lang="java">
public class JavaKeyStoreTest {
    private static final Logger LOG = LoggerFactory.getLogger(JavaKeyStoreTest.class);
    private static final char[] STORE_PASSWORD = "storepasswd".toCharArray();
    private static final String STORE_TYPE = KeyStore.getDefaultType();
    private static final String KEY_ALIAS = "academia";
    private KeyStore keyStore;
    @BeforeEach
    public void setUp() throws Exception {
        keyStore = KeyStore.getInstance(STORE_TYPE);
        Resource resource = new ClassPathResource("/META-INF/keystore/server.jks");
        keyStore.load(resource.getInputStream(), STORE_PASSWORD);
    }
    @Test
    public void testKey() throws  Exception {
        Key key = keyStore.getKey(KEY_ALIAS, STORE_PASSWORD);
        if (key instanceof PrivateKey){
            Certificate cert = keyStore.getCertificate(KEY_ALIAS);
            PublicKey publicKey = cert.getPublicKey();
            PrivateKey privateKey = (PrivateKey) key;
            LOG.info("Public Key:\n{}", Base64.getEncoder().encodeToString(publicKey.getEncoded()));
            KeyPair keyPair = new KeyPair(publicKey, privateKey);
        }
        Assertions.assertTrue(true);
    }
}
</source>
==Spring Boot==
<source lang="properties">
server.ssl.key-store: ${user.dir}/keystore/chorke.jks
server.ssl.key-store-password: storepasswd
server.ssl.key-password: storepasswd
server.ssl.keyAlias: academia
server.ssl.enabled: false
</source>
</source>


Line 11: Line 62:
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
  -dname    "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
  -dname    "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
  -keystore  clients.jks -alias academia\
  -storetype pkcs12 -keystore  clients.jks -alias academia\
  -storepass storepasswd
  -storepass storepasswd
</source>
</source>
Line 64: Line 115:


==Export==
==Export==
===Keytool===
<source lang="bash">
<source lang="bash">
keytool    -rfc -export\
keytool    -rfc -export\
Line 78: Line 130:
  -alias academia\
  -alias academia\
  -file  academia.pem
  -file  academia.pem
</source>
===OpenSSL===
<source lang="bash">
openssl pkcs12 -nodes -nocerts\
-out private_key.pem\
-in clients.p12
</source>
<source lang="bash">
openssl pkcs12 -nokeys\
-out public_key.pem\
-in clients.p12
</source>
</source>


Line 83: Line 148:
<source lang="bash">
<source lang="bash">
keytool -list -keystore clients.jks -storepass storepasswd
keytool -list -keystore clients.jks -storepass storepasswd
keytool -list -keystore clients.p12 -storepass storepasswd
keytool -list -keystore servers.jks -storepass storepasswd
keytool -list -keystore servers.jks -storepass storepasswd
</source>
</source>
Line 93: Line 159:
-connect $service -CAfile chorke_client.pem
-connect $service -CAfile chorke_client.pem
</source>
</source>
openssl help
openssl help pkcs12
keytool --help -importkeystore
openssl s_client -connect mail.chorke.com:465 -state
openssl s_client -connect mail.chorke.org:465 -state
openssl s_client -connect mail.shahed.biz:465 -state
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\
  '''/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts'''
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\
  '''/etc/ssl/certs/java/cacerts'''
Enter keystore password: '''changeit'''


== References ==
== References ==
Line 110: Line 192:
| valign="top" |
| valign="top" |
* [https://stackoverflow.com/questions/49959148/ Generate a key with keytool, in a non-interactive way]
* [https://stackoverflow.com/questions/49959148/ Generate a key with keytool, in a non-interactive way]
* [https://dzone.com/articles/extracting-a-private-key-from-java-keystore-jks Extracting a Private Key From the Java Keystore]
* [https://stackoverflow.com/questions/51547746/ Export public key from JKS using Keytool]
* [https://stackoverflow.com/questions/51547746/ Export public key from JKS using Keytool]
* [https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html Import a public SSL certificate into a JVM]
* [[Raspberry Pi Apache2 Lets Encrypt SSL]]
* [https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/index.html Creating a KeyStore in JKS Format]
* [https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/index.html Creating a KeyStore in JKS Format]
* [https://sslcontext-kickstart.com/client/feign.html Feign » SSL Client Configuration]
* [https://stackoverflow.com/questions/65908364/ Feign » Using SSL Certificate]
* [https://stackoverflow.com/questions/26711731/ Read public key from JKS]
* [[Java Mail API]]
| valign="top" |
* [https://letsencrypt.org/docs/certificates-for-localhost/ ACME » Certificates for localhost]
* [https://medium.com/@charled.breteche/manage-ssl-certificates-for-local-kubernetes-clusters-with-cert-manager-9037ba39c799 Manage Ingress TLS for local K8s]


|}
|}

Latest revision as of 01:32, 8 August 2023

keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
 -dname     "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
 -keystore  clients.jks -alias academia\
 -storepass storepasswd\
 -keypass   storepasswd
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
 -dname     "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
 -storetype pkcs12 -keystore  clients.jks -alias academia\
 -storepass storepasswd\
 -keypass   storepasswd


Java Code

public class JavaKeyStoreTest {
    private static final Logger LOG = LoggerFactory.getLogger(JavaKeyStoreTest.class);
    private static final char[] STORE_PASSWORD = "storepasswd".toCharArray();
    private static final String STORE_TYPE = KeyStore.getDefaultType();
    private static final String KEY_ALIAS = "academia";

    private KeyStore keyStore;

    @BeforeEach
    public void setUp() throws Exception {
        keyStore = KeyStore.getInstance(STORE_TYPE);
        Resource resource = new ClassPathResource("/META-INF/keystore/server.jks");
        keyStore.load(resource.getInputStream(), STORE_PASSWORD);
    }

    @Test
    public void testKey() throws  Exception {
        Key key = keyStore.getKey(KEY_ALIAS, STORE_PASSWORD);
        if (key instanceof PrivateKey){
            Certificate cert = keyStore.getCertificate(KEY_ALIAS);
            PublicKey publicKey = cert.getPublicKey();
            PrivateKey privateKey = (PrivateKey) key;
            LOG.info("Public Key:\n{}", Base64.getEncoder().encodeToString(publicKey.getEncoded()));
            KeyPair keyPair = new KeyPair(publicKey, privateKey);
        }
        Assertions.assertTrue(true);
    }
}

Spring Boot

server.ssl.key-store: ${user.dir}/keystore/chorke.jks
server.ssl.key-store-password: storepasswd
server.ssl.key-password: storepasswd
server.ssl.keyAlias: academia
server.ssl.enabled: false

Create

keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
 -dname     "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
 -storetype pkcs12 -keystore  clients.jks -alias academia\
 -storepass storepasswd

Import

keytool -importkeystore -deststoretype pkcs12\
 -srckeystore   clients.jks\
 -destkeystore  servers.jks\
 -srcstorepass  storepasswd\
 -deststorepass storepasswd\
 -srcalias      academia\
 -destalias     academia
keytool -importkeystore -deststoretype pkcs12\
 -srckeystore   clients.jks\
 -destkeystore  clients.p12\
 -srcstorepass  storepasswd\
 -deststorepass storepasswd\
 -srcalias      academia\
 -destalias     academia

Root CA Cert

keytool -importcert -trustcacerts\
 -storepass storepasswd\
 -keystore  clients.jks\
 -file  rootca.cer\
 -alias rootca

Sub CA Cert

keytool -importcert -trustcacerts\
 -storepass storepasswd\
 -keystore  clients.jks\
 -file  subca.cer\
 -alias subca

Certificate

keytool     -importcert\
 -storepass storepasswd\
 -keystore  clients.jks\
 -file  software.crt\
 -alias software

Export

Keytool

keytool    -rfc -export\
 -storepass storepasswd\
 -keystore  clients.jks\
 -alias academia\
 -file  academia.pem
keytool         -export\
 -storepass storepasswd\
 -keystore  clients.jks\
 -alias academia\
 -file  academia.pem

OpenSSL

openssl pkcs12 -nodes -nocerts\
 -out private_key.pem\
 -in clients.p12
 openssl pkcs12 -nokeys\
 -out public_key.pem\
 -in clients.p12

Certificate List

keytool -list -keystore clients.jks -storepass storepasswd
keytool -list -keystore clients.p12 -storepass storepasswd
keytool -list -keystore servers.jks -storepass storepasswd

Knowledge

# debugging certificate handshacking
service='api.chorke.org:5443/soap/services';\
echo -e "GET / HTTP/1.0\r\n" | openssl s_client \
-connect $service -CAfile chorke_client.pem
openssl help
openssl help pkcs12
keytool --help -importkeystore
openssl s_client -connect mail.chorke.com:465 -state
openssl s_client -connect mail.chorke.org:465 -state
openssl s_client -connect mail.shahed.biz:465 -state
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\
 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts

sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\
 /etc/ssl/certs/java/cacerts

Enter keystore password: changeit

References