Java Key Store: Difference between revisions

 
(35 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Manipulation ==
<source lang="bash">
<syntaxhighlight lang="bash">
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
# show trusted root ca entries with empty/blank password
-dname    "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
keytool -keystore "$JAVA_HOME/jre/lib/security/cacerts" -list
-keystore  clients.jks -alias academia\
-storepass storepasswd\
-keypass  storepasswd
</source>


# show trusted certificate entries with store password
<source lang="bash">
keytool -keystore "$HOME/.chorke/jks/chorke.jks" -list
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
-dname    "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
-storetype pkcs12 -keystore clients.jks -alias academia\
-storepass storepasswd\
-keypass  storepasswd
</source>


# change proprietary jks format to pkcs12
keytool -importkeystore -srckeystore chorke_source.jks \
-destkeystore chorke_target.jks -deststoretype pkcs12
</syntaxhighlight>


<syntaxhighlight lang="bash">
# import certificate with alias in java security
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts \
-alias ckirootca -file ckirootca.cer


keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts \
==Java Code==
-alias ckisubca -file ckisubca.cer
<source lang="java">
public class JavaKeyStoreTest {
    private static final Logger LOG = LoggerFactory.getLogger(JavaKeyStoreTest.class);
    private static final char[] STORE_PASSWORD = "storepasswd".toCharArray();
    private static final String STORE_TYPE = KeyStore.getDefaultType();
    private static final String KEY_ALIAS = "academia";


keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts \
    private KeyStore keyStore;
-alias chorke -file chorke.crt
</syntaxhighlight>


<syntaxhighlight lang="bash">
    @BeforeEach
    public void setUp() throws Exception {
        keyStore = KeyStore.getInstance(STORE_TYPE);
        Resource resource = new ClassPathResource("/META-INF/keystore/server.jks");
        keyStore.load(resource.getInputStream(), STORE_PASSWORD);
    }
 
    @Test
    public void testKey() throws  Exception {
        Key key = keyStore.getKey(KEY_ALIAS, STORE_PASSWORD);
        if (key instanceof PrivateKey){
            Certificate cert = keyStore.getCertificate(KEY_ALIAS);
            PublicKey publicKey = cert.getPublicKey();
            PrivateKey privateKey = (PrivateKey) key;
            LOG.info("Public Key:\n{}", Base64.getEncoder().encodeToString(publicKey.getEncoded()));
            KeyPair keyPair = new KeyPair(publicKey, privateKey);
        }
        Assertions.assertTrue(true);
    }
}
</source>
 
==Spring Boot==
<source lang="properties">
server.ssl.key-store: ${user.dir}/keystore/chorke.jks
server.ssl.key-store-password: storepasswd
server.ssl.key-password: storepasswd
server.ssl.keyAlias: academia
server.ssl.enabled: false
</source>
 
==Create==
<source lang="bash">
keytool -genkey -keyalg RSA -keysize 2048 -validity 7300\
-dname    "CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY"\
-storetype pkcs12 -keystore  clients.jks -alias academia\
-storepass storepasswd
</source>
 
==Import==
<source lang="bash">
keytool -importkeystore -deststoretype pkcs12\
-srckeystore  clients.jks\
-destkeystore  servers.jks\
-srcstorepass  storepasswd\
-deststorepass storepasswd\
-srcalias      academia\
-destalias    academia
</source>
 
<source lang="bash">
keytool -importkeystore -deststoretype pkcs12\
-srckeystore  clients.jks\
-destkeystore  clients.p12\
-srcstorepass  storepasswd\
-deststorepass storepasswd\
-srcalias      academia\
-destalias    academia
</source>
 
===Root CA Cert===
<source lang="bash">
keytool -importcert -trustcacerts\
-storepass storepasswd\
-keystore  clients.jks\
-file  rootca.cer\
-alias rootca
</source>
 
===Sub CA Cert===
<source lang="bash">
keytool -importcert -trustcacerts\
-storepass storepasswd\
-keystore  clients.jks\
-file  subca.cer\
-alias subca
</source>
 
===Certificate===
<source lang="bash">
keytool    -importcert\
-storepass storepasswd\
-keystore  clients.jks\
-file  software.crt\
-alias software
</source>
 
==Export==
===Keytool===
<source lang="bash">
keytool    -rfc -export\
-storepass storepasswd\
-keystore  clients.jks\
-alias academia\
-file  academia.pem
</source>
 
<source lang="bash">
keytool        -export\
-storepass storepasswd\
-keystore  clients.jks\
-alias academia\
-file  academia.pem
</source>
 
===OpenSSL===
<source lang="bash">
openssl pkcs12 -nodes -nocerts\
-out private_key.pem\
-in clients.p12
</source>
 
<source lang="bash">
openssl pkcs12 -nokeys\
-out public_key.pem\
-in clients.p12
</source>
 
==Certificate List==
<source lang="bash">
keytool -list -keystore clients.jks -storepass storepasswd
keytool -list -keystore clients.p12 -storepass storepasswd
keytool -list -keystore servers.jks -storepass storepasswd
</source>
 
==Knowledge==
<source lang="bash">
# debugging certificate handshacking
# debugging certificate handshacking
service='api.chorke.org:5443/soap/services';\
service='api.chorke.org:5443/soap/services';\
echo -e "GET / HTTP/1.0\r\n" | openssl s_client \
echo -e "GET / HTTP/1.0\r\n" | openssl s_client \
-connect $service -CAfile chorke_client.pem
-connect $service -CAfile chorke_client.pem
</syntaxhighlight>
</source>
 
openssl help
openssl help pkcs12
keytool --help -importkeystore
 
openssl s_client -connect mail.chorke.com:465 -state
openssl s_client -connect mail.chorke.org:465 -state
openssl s_client -connect mail.shahed.biz:465 -state
 
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\
  '''/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts'''
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der -keystore\
  '''/etc/ssl/certs/java/cacerts'''
Enter keystore password: '''changeit'''


== References ==
== References ==
{|
| valign="top" |
* [https://stackoverflow.com/questions/49124091 How to create csr, key, crt and import crt, rootca, subca into jks?]
* [https://devcentral.f5.com/questions/difference-between-root-cert-intermediate-cert-and-ssl-cert Difference between Root Cert, Intermediate Cert and SSL Cert]
* [https://devcentral.f5.com/questions/difference-between-root-cert-intermediate-cert-and-ssl-cert Difference between Root Cert, Intermediate Cert and SSL Cert]
* [https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#RelsTM_KM Relationships between TrustManagers and KeyManagers]
* [https://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore Installing Trusted Certificates into a Java Keystore]
* [https://blogs.oracle.com/jtc/installing-trusted-certificates-into-a-java-keystore Installing Trusted Certificates into a Java Keystore]
* [https://pubs.vmware.com/view-50/index.jsp#com.vmware.view.installation.doc/GUID-671E07A6-5B9A-43F4-BF47-2A59B95056EB.html Use an Existing SSL Certificate and Private Key]
* [https://pubs.vmware.com/view-50/index.jsp#com.vmware.view.installation.doc/GUID-671E07A6-5B9A-43F4-BF47-2A59B95056EB.html Use an Existing SSL Certificate and Private Key]
Line 40: Line 189:
* [https://stackoverflow.com/questions/7064087 How to convert .csr to .cer?]
* [https://stackoverflow.com/questions/7064087 How to convert .csr to .cer?]
* [http://portecle.sourceforge.net/ Portecle]
* [http://portecle.sourceforge.net/ Portecle]
| valign="top" |
* [https://stackoverflow.com/questions/49959148/ Generate a key with keytool, in a non-interactive way]
* [https://dzone.com/articles/extracting-a-private-key-from-java-keystore-jks Extracting a Private Key From the Java Keystore]
* [https://stackoverflow.com/questions/51547746/ Export public key from JKS using Keytool]
* [https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html Import a public SSL certificate into a JVM]
* [[Raspberry Pi Apache2 Lets Encrypt SSL]]
* [https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/index.html Creating a KeyStore in JKS Format]
* [https://sslcontext-kickstart.com/client/feign.html Feign » SSL Client Configuration]
* [https://stackoverflow.com/questions/65908364/ Feign » Using SSL Certificate]
* [https://stackoverflow.com/questions/26711731/ Read public key from JKS]
* [[Java Mail API]]
| valign="top" |
* [https://letsencrypt.org/docs/certificates-for-localhost/ ACME » Certificates for localhost]
* [https://medium.com/@charled.breteche/manage-ssl-certificates-for-local-kubernetes-clusters-with-cert-manager-9037ba39c799 Manage Ingress TLS for local K8s]
|}
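Review bot: `-storepass storepasswd` and `-keypass storepasswd` are passed on the keytool command lines in the Manipulation, Create, Import and Export blocks, which records the keystore password in shell history and exposes it through the process list while keytool runs. keytool prompts for the password when the flag is omitted, and also accepts `-storepass:env VAR` and `-storepass:file PATH` so the value never appears in the argument vector; the same applies to `-srcstorepass`/`-deststorepass` in the importkeystore block. For the two cacerts imports at the end of the section, `changeit` is the JDK's well-known default trust-store password, which is worth stating next to the `Enter keystore password` line so readers know that store is effectively unprotected. The Spring Boot section likewise keeps both passwords as plain properties; a comment pointing to an externalized value such as `server.ssl.key-store-password=${KEYSTORE_PASSWORD}` would make the example safer to copy.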

Latest revision as of 01:32, 8 August 2023

# Generate a self-signed RSA key pair under the alias "academia".
# First form: default store type (jks on JDK 8, pkcs12 on JDK 9+).
# Second form: pkcs12 forced explicitly; the .jks file name is kept as on the page.
# -genkey is the legacy spelling of -genkeypair. 7300 days is roughly 20 years.
# -storepass/-keypass on the command line end up in shell history; keytool
# also accepts -storepass:env VAR or -storepass:file PATH, or prompts when omitted.
dname='CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY'
store='clients.jks'
key_alias='academia'
password='storepasswd'

keytool -genkey -keyalg RSA -keysize 2048 -validity 7300 \
    -dname "$dname" \
    -keystore "$store" -alias "$key_alias" \
    -storepass "$password" \
    -keypass "$password"

keytool -genkey -keyalg RSA -keysize 2048 -validity 7300 \
    -dname "$dname" \
    -storetype pkcs12 -keystore "$store" -alias "$key_alias" \
    -storepass "$password" \
    -keypass "$password"


Java Code

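/**
 * Smoke test for reading a key pair out of a Java keystore.
 *
 * Loads {@code /META-INF/keystore/server.jks} from the classpath in
 * {@link #setUp()} and checks in {@link #testKey()} that the "academia"
 * alias holds a private key with a matching certificate.
 */
public class JavaKeyStoreTest {
    private static final Logger LOG = LoggerFactory.getLogger(JavaKeyStoreTest.class);
    // Demo credential for the bundled test keystore; real code should take the
    // password from configuration rather than a string literal.
    private static final char[] STORE_PASSWORD = "storepasswd".toCharArray();
    // pkcs12 on JDK 9+, jks on JDK 8; JDK 9+ presumably opens the .jks file through
    // its keystore compatibility mode - confirm on the target JDK.
    private static final String STORE_TYPE = KeyStore.getDefaultType();
    private static final String KEY_ALIAS = "academia";

    private KeyStore keyStore;

    /**
     * Loads the test keystore before each test.
     *
     * @throws Exception if the resource is missing or the password is wrong
     */
    @BeforeEach
    public void setUp() throws Exception {
        keyStore = KeyStore.getInstance(STORE_TYPE);
        Resource resource = new ClassPathResource("/META-INF/keystore/server.jks");
        // try-with-resources: the stream was previously never closed
        try (InputStream in = resource.getInputStream()) {
            keyStore.load(in, STORE_PASSWORD);
        }
    }

    /**
     * Verifies that KEY_ALIAS is a private-key entry with a certificate and
     * that both halves can be paired. Only the public key is logged.
     *
     * @throws Exception on keystore access errors
     */
    @Test
    public void testKey() throws Exception {
        Key key = keyStore.getKey(KEY_ALIAS, STORE_PASSWORD);
        // The original asserted nothing, so a missing or wrong entry passed silently.
        Assertions.assertNotNull(key, "no key entry for alias " + KEY_ALIAS);
        Assertions.assertTrue(key instanceof PrivateKey, "alias " + KEY_ALIAS + " is not a private-key entry");

        Certificate cert = keyStore.getCertificate(KEY_ALIAS);
        Assertions.assertNotNull(cert, "no certificate for alias " + KEY_ALIAS);

        PublicKey publicKey = cert.getPublicKey();
        PrivateKey privateKey = (PrivateKey) key;
        KeyPair keyPair = new KeyPair(publicKey, privateKey);
        Assertions.assertSame(privateKey, keyPair.getPrivate());
        Assertions.assertSame(publicKey, keyPair.getPublic());

        // Public key material is safe to log; never log the private key.
        LOG.info("Public Key:\n{}", Base64.getEncoder().encodeToString(publicKey.getEncoded()));
    }
}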

Spring Boot

# TLS settings for the embedded server. Spring Boot relaxed binding treats
# server.ssl.key-alias and server.ssl.keyAlias as the same property, and
# accepts '=' or ':' as the separator.
# Plain-text passwords here end up in version control; prefer a placeholder
# resolved from the environment in real deployments.
server.ssl.key-store=${user.dir}/keystore/chorke.jks
server.ssl.key-store-password=storepasswd
server.ssl.key-password=storepasswd
server.ssl.key-alias=academia
# With enabled=false the server speaks plain HTTP; the key-store settings
# above only take effect once this is true.
server.ssl.enabled=false

Create

# Create a PKCS12 store holding a self-signed RSA key pair under alias "academia".
# No -keypass: for PKCS12 stores keytool uses the store password for the key
# (it warns and ignores a differing -keypass).
dname='CN=Chorke Academia, OU=Academia, O=Chorke Inc, L=Kuala Lumpur, ST=WP, C=MY'

keytool -genkey -keyalg RSA -keysize 2048 -validity 7300 \
    -storetype pkcs12 -keystore clients.jks -alias academia \
    -dname "$dname" \
    -storepass storepasswd

Import

# Copy the "academia" entry from clients.jks into a PKCS12 store.
# keytool picks the destination format from -deststoretype, not from the
# file extension, so servers.jks below is PKCS12 content with a .jks name.
copy_academia() {
    keytool -importkeystore -deststoretype pkcs12 \
        -srckeystore clients.jks \
        -destkeystore "$1" \
        -srcstorepass storepasswd \
        -deststorepass storepasswd \
        -srcalias academia \
        -destalias academia
}

copy_academia servers.jks
copy_academia clients.p12

Root CA Cert

# Add the root CA as a trusted-certificate entry in clients.jks.
# -trustcacerts also consults the JDK's cacerts when chaining; for a
# self-signed root keytool asks "Trust this certificate?" (no -noprompt here).
keytool -importcert -trustcacerts \
    -keystore clients.jks -storepass storepasswd \
    -alias rootca -file rootca.cer

Sub CA Cert

# Add the intermediate (sub) CA as a trusted-certificate entry in clients.jks.
# With the root already present, keytool can chain subca.cer to it and imports
# without the trust prompt.
keytool -importcert -trustcacerts \
    -keystore clients.jks -storepass storepasswd \
    -alias subca -file subca.cer

Certificate

# Import an end-entity certificate under its own alias.
# Because the alias differs from the key-pair alias, this becomes a separate
# trusted-certificate entry; if software.crt is the CA reply for the
# "academia" key, import it with -alias academia instead so it attaches
# to that key entry.
keytool -importcert \
    -keystore clients.jks -storepass storepasswd \
    -alias software -file software.crt

Export

Keytool

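# Export the "academia" certificate (public part only; the private key never
# leaves the store this way). -exportcert is the current name of -export.
# PEM form: -rfc writes base64 between BEGIN/END CERTIFICATE markers.
keytool -exportcert -rfc \
    -keystore clients.jks -storepass storepasswd \
    -alias academia \
    -file academia.pem

# DER (binary) form. Written to a .der file: the original wrote DER bytes to
# academia.pem, overwriting the PEM export above with a file whose extension
# did not match its content.
keytool -exportcert \
    -keystore clients.jks -storepass storepasswd \
    -alias academia \
    -file academia.der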

OpenSSL

# Pull the private key out of the PKCS12 store as PEM.
# -nodes writes the key UNENCRYPTED to disk (OpenSSL 3 spells it -noenc);
# drop it, or add -passout, to keep the key wrapped. openssl prompts for the
# store's import password because no -passin is given.
openssl pkcs12 -in clients.p12 -nocerts -nodes -out private_key.pem

# -nokeys emits the certificate(s) held in the store, not a bare public key,
# despite the output file name.
openssl pkcs12 -in clients.p12 -nokeys -out public_key.pem

Certificate List

# List the entries (aliases, entry types, fingerprints) of each store.
# All three stores share the same password on this page.
for store in clients.jks clients.p12 servers.jks; do
    keytool -list -keystore "$store" -storepass storepasswd
done

Knowledge

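# debugging certificate handshaking: send a minimal HTTP request over TLS and
# let s_client print the certificate chain and the verification result.
# -connect takes host:port only; the request path belongs in the GET line.
# (The original put "/soap/services" into $service, which current openssl
# rejects as an invalid port, and used echo -e, which is not portable.)
service='api.chorke.org:5443'
printf 'GET /soap/services HTTP/1.0\r\n\r\n' | openssl s_client \
    -connect "$service" -CAfile chorke_client.pem

# built-in help
openssl help
openssl help pkcs12
keytool --help -importkeystore

# SMTPS handshakes; -state prints each TLS state transition
openssl s_client -connect mail.chorke.com:465 -state
openssl s_client -connect mail.chorke.org:465 -state
openssl s_client -connect mail.shahed.biz:465 -state

# Add the Let's Encrypt chain (r3-chain.der) to a JDK trust store: either the
# JDK's own cacerts, or the distribution-managed one under /etc/ssl/certs/java
# on Debian-family systems. keytool prompts for the store password.
sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der \
    -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts

sudo keytool -import -trustcacerts -alias letsencrypt_r3 -file r3-chain.der \
    -keystore /etc/ssl/certs/java/cacerts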

Enter keystore password: changeit

References