Java Key Store: Difference between revisions
(40 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
<source lang="bash"> | |||
< | keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\ | ||
-dname "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\ | |||
-keystore clients.jks -alias academia\ | |||
-storepass storepasswd\ | |||
-keypass storepasswd | |||
</source> | |||
<source lang="bash"> | |||
keytool -keystore | keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\ | ||
-dname "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\ | |||
-storetype pkcs12 -keystore clients.jks -alias academia\ | |||
-storepass storepasswd\ | |||
-keypass storepasswd | |||
</source> | |||
==Java Code== | |||
<source lang="java"> | |||
public class JavaKeyStoreTest { | |||
private static final Logger LOG = LoggerFactory.getLogger(JavaKeyStoreTest.class); | |||
private static final char[] STORE_PASSWORD = "storepasswd".toCharArray(); | |||
private static final String STORE_TYPE = KeyStore.getDefaultType(); | |||
private static final String KEY_ALIAS = "academia"; | |||
private KeyStore keyStore; | |||
< | @BeforeEach | ||
public void setUp() throws Exception { | |||
keyStore = KeyStore.getInstance(STORE_TYPE); | |||
Resource resource = new ClassPathResource("/META-INF/keystore/server.jks"); | |||
keyStore.load(resource.getInputStream(), STORE_PASSWORD); | |||
} | |||
@Test | |||
public void testKey() throws Exception { | |||
Key key = keyStore.getKey(KEY_ALIAS, STORE_PASSWORD); | |||
if (key instanceof PrivateKey){ | |||
Certificate cert = keyStore.getCertificate(KEY_ALIAS); | |||
PublicKey publicKey = cert.getPublicKey(); | |||
PrivateKey privateKey = (PrivateKey) key; | |||
LOG.info("Public Key:\n{}", Base64.getEncoder().encodeToString(publicKey.getEncoded())); | |||
KeyPair keyPair = new KeyPair(publicKey, privateKey); | |||
} | |||
Assertions.assertTrue(true); | |||
} | |||
} | |||
</source> | |||
==Spring Boot== | |||
<source lang="properties"> | |||
server.ssl.key-store: ${user.dir}/keystore/chorke.jks | |||
server.ssl.key-store-password: storepasswd | |||
server.ssl.key-password: storepasswd | |||
server.ssl.keyAlias: academia | |||
server.ssl.enabled: false | |||
</source> | |||
==Create== | |||
<source lang="bash"> | |||
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\ | |||
-dname "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\ | |||
-storetype pkcs12 -keystore clients.jks -alias academia\ | |||
-storepass storepasswd | |||
</source> | |||
==Import== | |||
<source lang="bash"> | |||
keytool -importkeystore -deststoretype pkcs12\ | |||
-srckeystore clients.jks\ | |||
-destkeystore servers.jks\ | |||
-srcstorepass storepasswd\ | |||
-deststorepass storepasswd\ | |||
-srcalias academia\ | |||
-destalias academia | |||
</source> | |||
<source lang="bash"> | |||
keytool -importkeystore -deststoretype pkcs12\ | |||
-srckeystore clients.jks\ | |||
-destkeystore clients.p12\ | |||
-srcstorepass storepasswd\ | |||
-deststorepass storepasswd\ | |||
-srcalias academia\ | |||
-destalias academia | |||
</source> | |||
===Root CA Cert=== | |||
<source lang="bash"> | |||
keytool -importcert -trustcacerts\ | |||
-storepass storepasswd\ | |||
-keystore clients.jks\ | |||
-file rootca.cer\ | |||
-alias rootca | |||
</source> | |||
===Sub CA Cert=== | |||
<source lang="bash"> | |||
keytool -importcert -trustcacerts\ | |||
-storepass storepasswd\ | |||
-keystore clients.jks\ | |||
-file subca.cer\ | |||
-alias subca | |||
</source> | |||
===Certificate=== | |||
<source lang="bash"> | |||
keytool -importcert\ | |||
-storepass storepasswd\ | |||
-keystore clients.jks\ | |||
-file software.crt\ | |||
-alias software | |||
</source> | |||
==Export== | |||
===Keytool=== | |||
<source lang="bash"> | |||
keytool -rfc -export\ | |||
-storepass storepasswd\ | |||
-keystore clients.jks\ | |||
-alias academia\ | |||
-file academia.pem | |||
</source> | |||
<source lang="bash"> | |||
keytool -export\ | |||
-storepass storepasswd\ | |||
-keystore clients.jks\ | |||
-alias academia\ | |||
-file academia.pem | |||
</source> | |||
===OpenSSL=== | |||
<source lang="bash"> | |||
openssl pkcs12 -nodes -nocerts\ | |||
-out private_key.pem\ | |||
-in clients.p12 | |||
</source> | |||
<source lang="bash"> | |||
openssl pkcs12 -nokeys\ | |||
-out public_key.pem\ | |||
-in clients.p12 | |||
</source> | |||
==Certificate List== | |||
<source lang="bash"> | |||
keytool -list -keystore clients.jks -storepass storepasswd | |||
keytool -list -keystore clients.p12 -storepass storepasswd | |||
keytool -list -keystore servers.jks -storepass storepasswd | |||
</source> | |||
==Knowledge== | |||
<source lang="bash"> | |||
# debugging certificate handshacking | # debugging certificate handshacking | ||
service='api.chorke.org:5443/soap/services';\ | service='api.chorke.org:5443/soap/services';\ | ||
echo -e "GET / HTTP/1.0\r\n" | openssl s_client \ | echo -e "GET / HTTP/1.0\r\n" | openssl s_client \ | ||
-connect $service -CAfile chorke_client.pem | -connect $service -CAfile chorke_client.pem | ||
</ | </source> | ||
openssl help | |||
openssl help pkcs12 | |||
keytool --help -importkeystore | |||
openssl s_client -connect mail.chorke.com:465 -state | |||
openssl s_client -connect mail.chorke.org:465 -state | |||
openssl s_client -connect mail.shahed.biz:465 -state | |||
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\ | |||
'''/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts''' | |||
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\ | |||
'''/etc/ssl/certs/java/cacerts''' | |||
Enter keystore password: '''changeit''' | |||
== References == | == References == | ||
{| | |||
| valign="top" | | |||
* [https://stackoverflow.com/questions/49124091 How to create csr, key, crt and import crt, rootca, subca into jks?] | |||
* [https://devcentral.f5.com/questions/difference-between-root-cert-intermediate-cert-and-ssl-cert Difference between Root Cert, Intermediate Cert and SSL Cert] | |||
* [https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#RelsTM_KM Relationships between TrustManagers and KeyManagers] | |||
* [https://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore Installing Trusted Certificates into a Java Keystore] | * [https://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore Installing Trusted Certificates into a Java Keystore] | ||
* [https://pubs.vmware.com/view-50/index.jsp#com.vmware.view.installation.doc/GUID-671E07A6-5B9A-43F4-BF47-2A59B95056EB.html Use an Existing SSL Certificate and Private Key] | * [https://pubs.vmware.com/view-50/index.jsp#com.vmware.view.installation.doc/GUID-671E07A6-5B9A-43F4-BF47-2A59B95056EB.html Use an Existing SSL Certificate and Private Key] | ||
* [https://pubs.vmware.com/view-50/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-06A2FF09-777C-44F0-B240-497E771379F3.html Convert a PKCS#12 File to JKS Format] | * [https://pubs.vmware.com/view-50/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-06A2FF09-777C-44F0-B240-497E771379F3.html Convert a PKCS#12 File to JKS Format] | ||
* [https://stackoverflow.com/questions/6482484 How to use .key and .crt file in java?] | |||
* [https://pubs.vmware.com/view-50/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-EB22BA1B-4D19-47C1-B608-8E05A3C78EAC.html Creating a New SSL Certificate] | * [https://pubs.vmware.com/view-50/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-EB22BA1B-4D19-47C1-B608-8E05A3C78EAC.html Creating a New SSL Certificate] | ||
* [https://stackoverflow.com/questions/7064087 How to convert .csr to .cer?] | |||
* [http://portecle.sourceforge.net/ Portecle] | |||
| valign="top" | | |||
* [https://stackoverflow.com/questions/49959148/ Generate a key with keytool, in a non-interactive way] | |||
* [https://dzone.com/articles/extracting-a-private-key-from-java-keystore-jks Extracting a Private Key From the Java Keystore] | |||
* [https://stackoverflow.com/questions/51547746/ Export public key from JKS using Keytool] | |||
* [https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html Import a public SSL certificate into a JVM] | |||
* [[Raspberry Pi Apache2 Lets Encrypt SSL]] | |||
* [https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/index.html Creating a KeyStore in JKS Format] | |||
* [https://sslcontext-kickstart.com/client/feign.html Feign » SSL Client Configuration] | |||
* [https://stackoverflow.com/questions/65908364/ Feign » Using SSL Certificate] | |||
* [https://stackoverflow.com/questions/26711731/ Read public key from JKS] | |||
* [[Java Mail API]] | |||
| valign="top" | | |||
* [https://letsencrypt.org/docs/certificates-for-localhost/ ACME » Certificates for localhost] | |||
* [https://medium.com/@charled.breteche/manage-ssl-certificates-for-local-kubernetes-clusters-with-cert-manager-9037ba39c799 Manage Ingress TLS for local K8s] | |||
|} |
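Review bot: The OpenSSL export snippet in the new revision, `openssl pkcs12 -nodes -nocerts -out private_key.pem`, writes the private key to disk unencrypted, and the page does not say so. I would add one sentence under the ===OpenSSL=== heading, for example `-nodes leaves private_key.pem unencrypted; restrict it with chmod 600 or drop -nodes so openssl asks for a PEM pass phrase.` The same revision passes `-storepass storepasswd` on every keytool command line, where it ends up in shell history and the process list; keytool prompts for the password when the option is omitted, which deserves a short note next to the first snippet. Which lines are new in this revision is inferred from the rendered columns, because the +/- markers did not survive.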
Latest revision as of 01:32, 8 August 2023
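# Generate a 2048-bit RSA key pair and a self-signed certificate under the
# alias "academia". No -storetype is given, so keytool uses the JDK's default
# keystore type (the keystore.type security property).
# -validity 7300 makes the self-signed certificate valid for 7300 days.
# -storepass/-keypass on the command line end up in shell history and in the
# process list; keytool prompts for them when the options are left out.
# A space before each trailing backslash keeps the options from being joined.
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300 \
    -dname "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY" \
    -keystore clients.jks -alias academia \
    -storepass storepasswd \
    -keypass storepasswd

# Same key pair, but the store is written as PKCS#12 (-storetype pkcs12) even
# though the file keeps the .jks extension.
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300 \
    -dname "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY" \
    -storetype pkcs12 -keystore clients.jks -alias academia \
    -storepass storepasswd \
    -keypass storepasswd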
Java Code
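/**
 * Loads a keystore from the test classpath and checks that the private-key
 * entry stored under {@link #KEY_ALIAS} can be read back together with its
 * certificate.
 */
public class JavaKeyStoreTest {
    private static final Logger LOG = LoggerFactory.getLogger(JavaKeyStoreTest.class);

    // Sample password, same value as in the keytool snippets; testKey() reuses it as
    // the key password. Keep a password in source only for a throwaway test keystore.
    private static final char[] STORE_PASSWORD = "storepasswd".toCharArray();

    // The JDK's default keystore type (keystore.type security property), not a fixed
    // "JKS" or "PKCS12" -- NOTE(review): confirm it matches how server.jks was created.
    private static final String STORE_TYPE = KeyStore.getDefaultType();
    private static final String KEY_ALIAS = "academia";

    private KeyStore keyStore;

    /**
     * Opens {@code /META-INF/keystore/server.jks} from the classpath and loads it
     * into {@link #keyStore} before every test.
     *
     * @throws Exception if the resource cannot be opened or the keystore cannot be
     *     loaded with {@link #STORE_PASSWORD}
     */
    @BeforeEach
    public void setUp() throws Exception {
        keyStore = KeyStore.getInstance(STORE_TYPE);
        Resource resource = new ClassPathResource("/META-INF/keystore/server.jks");
        // The stream opened here was never closed before; close it once the store is loaded.
        try (java.io.InputStream in = resource.getInputStream()) {
            keyStore.load(in, STORE_PASSWORD);
        }
    }

    /**
     * Reads the key and certificate stored under {@link #KEY_ALIAS} and fails when
     * either is missing, instead of passing unconditionally.
     *
     * @throws Exception if the key cannot be recovered with {@link #STORE_PASSWORD}
     */
    @Test
    public void testKey() throws Exception {
        Key key = keyStore.getKey(KEY_ALIAS, STORE_PASSWORD);
        // getKey returns null for an unknown alias or a non-key entry, so a missing
        // or wrongly typed entry now fails the test.
        Assertions.assertTrue(key instanceof PrivateKey, "no private key under alias " + KEY_ALIAS);

        Certificate cert = keyStore.getCertificate(KEY_ALIAS);
        Assertions.assertNotNull(cert, "no certificate under alias " + KEY_ALIAS);

        PublicKey publicKey = cert.getPublicKey();
        PrivateKey privateKey = (PrivateKey) key;
        // Only the public half is logged; the private key is never written to the log.
        LOG.info("Public Key:\n{}", Base64.getEncoder().encodeToString(publicKey.getEncoded()));

        KeyPair keyPair = new KeyPair(publicKey, privateKey);
        // Cheap consistency check: both halves must belong to the same algorithm.
        Assertions.assertEquals(
                keyPair.getPublic().getAlgorithm(), keyPair.getPrivate().getAlgorithm());
    }
}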
Spring Boot
# Keystore location; ${user.dir} is the JVM working directory, so the path
# depends on where the application is started.
server.ssl.key-store: ${user.dir}/keystore/chorke.jks
# Sample passwords in plain text, same value as in the keytool examples.
server.ssl.key-store-password: storepasswd
server.ssl.key-password: storepasswd
# Alias of the key entry to serve; same alias as -alias academia in the keytool examples.
server.ssl.keyAlias: academia
# SSL is switched off here, so the server.ssl.* settings above take effect only
# once this is set to true.
server.ssl.enabled: false
Create
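# Create clients.jks as a PKCS#12 store holding a new 2048-bit RSA key pair and
# self-signed certificate under the alias "academia". No -keypass is passed here;
# only the store password is given.
# A space before each trailing backslash keeps the options from being joined.
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300 \
    -dname "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY" \
    -storetype pkcs12 -keystore clients.jks -alias academia \
    -storepass storepasswd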
Import
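# Copy the "academia" entry from clients.jks into servers.jks, written as
# PKCS#12 (-deststoretype pkcs12) despite the .jks file name.
# A space before each trailing backslash keeps the options from being joined.
keytool -importkeystore -deststoretype pkcs12 \
    -srckeystore clients.jks \
    -destkeystore servers.jks \
    -srcstorepass storepasswd \
    -deststorepass storepasswd \
    -srcalias academia \
    -destalias academia

# Same copy into clients.p12, the file the openssl pkcs12 commands read.
# The private key travels with the entry, so clients.p12 needs the same care as
# the source keystore.
keytool -importkeystore -deststoretype pkcs12 \
    -srckeystore clients.jks \
    -destkeystore clients.p12 \
    -srcstorepass storepasswd \
    -deststorepass storepasswd \
    -srcalias academia \
    -destalias academia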
Root CA Cert
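# Add rootca.cer to clients.jks as a trusted certificate under the alias "rootca".
# Everything signed under this root becomes trusted by users of this store, so
# compare the fingerprint keytool prints with one obtained out of band before
# confirming the import.
keytool -importcert -trustcacerts \
    -storepass storepasswd \
    -keystore clients.jks \
    -file rootca.cer \
    -alias rootca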
Sub CA Cert
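# Add the intermediate (sub) CA certificate subca.cer to clients.jks under the
# alias "subca". -trustcacerts also lets keytool consult the JDK's cacerts file
# when it builds the chain of trust for the imported certificate.
keytool -importcert -trustcacerts \
    -storepass storepasswd \
    -keystore clients.jks \
    -file subca.cer \
    -alias subca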
Certificate
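# Import the end-entity certificate software.crt into clients.jks under the
# alias "software". Without -noprompt keytool shows the certificate and asks
# for confirmation when it cannot chain it to an already trusted entry.
keytool -importcert \
    -storepass storepasswd \
    -keystore clients.jks \
    -file software.crt \
    -alias software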
Export
Keytool
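# Export the certificate stored under "academia" in PEM text form (-rfc).
# -export writes the certificate only; the private key stays in the keystore.
keytool -rfc -export \
    -storepass storepasswd \
    -keystore clients.jks \
    -alias academia \
    -file academia.pem

# Without -rfc the same export is binary DER, although the output file is still
# named academia.pem and overwrites the PEM file written above.
keytool -export \
    -storepass storepasswd \
    -keystore clients.jks \
    -alias academia \
    -file academia.pem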
OpenSSL
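# Extract only the private key (-nocerts) from clients.p12.
# -nodes writes private_key.pem WITHOUT encryption: create it under a
# restrictive umask / chmod 600, or drop -nodes so openssl asks for a PEM
# pass phrase to protect the output.
openssl pkcs12 -nodes -nocerts \
    -out private_key.pem \
    -in clients.p12

# Extract only the certificates (-nokeys). The output holds X.509 certificates,
# not a bare public key, despite the public_key.pem file name.
openssl pkcs12 -nokeys \
    -out public_key.pem \
    -in clients.p12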
Certificate List
# List the entries of each keystore created on this page, in the same order.
for store in clients.jks clients.p12 servers.jks; do
    keytool -list -keystore "$store" -storepass storepasswd
done
Knowledge
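# Debugging the certificate handshake.
# s_client prints the certificate chain and a "Verify return code" line; it goes
# on with the connection even when verification against -CAfile fails, so read
# that line (0 means ok) rather than relying on the exit status.
# NOTE(review): -connect takes host:port; the /soap/services suffix in $service
# does not look like part of that -- confirm against the real endpoint.
service='api.chorke.org:5443/soap/services'; \
echo -e "GET / HTTP/1.0\r\n" | openssl s_client \
    -connect "$service" -CAfile chorke_client.pem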
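# Built-in help for the tools used on this page (one command per line).
openssl help
openssl help pkcs12
keytool --help -importkeystore

# Show the TLS handshake states (-state) against the mail hosts on port 465.
openssl s_client -connect mail.chorke.com:465 -state
openssl s_client -connect mail.chorke.org:465 -state
openssl s_client -connect mail.shahed.biz:465 -state

# Import r3-chain.der into the JVM-wide trust store (cacerts) under the alias
# "letsencrypt_r3". Every Java application using that trust store will trust
# what is added here, so check the certificate's fingerprint before confirming.
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore \
    /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore \
    /etc/ssl/certs/java/cacerts
# keytool then asks for the store password:
#   Enter keystore password: changeit
# "changeit" is the stock cacerts password; it is publicly known and protects nothing.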