certificate in PKCS7 format in Ofbiz

> Info Olagos wrote:
>> Hello,
>>
>> Has anyone already imported a PKCS7 certificate into the java keystore for
>> use with embedded Tomcat Ofbiz?
>>
>> Regards,
>> Heidi
>>
>
> I think I had to convert one to PKCS12.  IIRC, Java6 lets you use PKCS12
> as a key store with key tool.  I read that Tomcat can use PKCS12
> directly, but I converted mine to the Java keystore format.
>
> Regards,
>
> Richard Siddall

> Yes from experience I confirm,
>
> PKCS12 is the way
>
> Jacques
>
>
> Richard Siddall wrote:
>
>> Info Olagos wrote:
>>
>>> Hello,
>>>
>>> Has anyone already imported a PKCS7 certificate into the java keystore
>>> for
>>> use with embedded Tomcat Ofbiz?
>>>
>>> Regards,
>>> Heidi
>>>
>>>
>> I think I had to convert one to PKCS12.  IIRC, Java6 lets you use PKCS12
>> as a key store with key tool.  I read that Tomcat can use PKCS12
>> directly, but I converted mine to the Java keystore format.
>>
>> Regards,
>>
>> Richard Siddall
>>
>
>

> Hello,
>
> Thanks for the info.
>
> At the end i have a near working solution for the certificates.
>
> I learned that the keytool doesn't accept anymore .p7b or PKCS7
> certificates.
> So i converted with openssl the PKCS7 certificate back to X.509 certificate
> and that one i imported into the keystore with the keytool.
>
> So far that worked.
> Now the parameters in the ofbiz-container.xml for HTTPS are configured
> also.
>
> But on the level of SSL i have now still a problem. It doesn't recognize
> the ciphers ....
>
> Will be solved and followed up ......
>
> Thanks for knowing that PKCS12 is also ok.
>
> At the end it was a thorough study of certificates before you can logically
> handle them ................
>
> Regards,
> Heidi
>
>   2011/3/16 Jacques Le Roux <[hidden email]>
>
>> Yes from experience I confirm,
>>
>> PKCS12 is the way
>>
>> Jacques
>>
>>
>> Richard Siddall wrote:
>>
>>> Info Olagos wrote:
>>>
>>>> Hello,
>>>>
>>>> Has anyone already imported a PKCS7 certificate into the java keystore
>>>> for
>>>> use with embedded Tomcat Ofbiz?
>>>>
>>>> Regards,
>>>> Heidi
>>>>
>>>>
>>> I think I had to convert one to PKCS12.  IIRC, Java6 lets you use PKCS12
>>> as a key store with key tool.  I read that Tomcat can use PKCS12
>>> directly, but I converted mine to the Java keystore format.
>>>
>>> Regards,
>>>
>>> Richard Siddall
>>>
>>
>>
>
>
>  --
> Olagos bvba
> http://www.olagos.eu <http://www.olagos.eu/>
> http://www.olagos.com
> http://www.olagos.be
> http://www.olagos.nl
> Olagos team
> Heesterbos 5
> 2570 Duffel
> Belgium
>
>
>
>

> Info Olagos schrieb:
>
> Apparently PKCS7 can not work because it doens't convert the private key
>> and
>> doesn't contain the private key.
>>
>
> A certificate never contains the private key.
>
>
> But i think here we have a wrong information in the WIKI in the technical
>> startup document.
>>
>
> I don't think there's wrong information, it just doesn't explain how to
> setup ssl with an "external" key.
>
>
> So then we have to use PKCS12.
>>
>
> I've used the "ImportKey.java" programm (from
> http://www.agentbob.info/agentbob/79-AB.html) in the past to import
> a private key into the Java Key Store.
>
>
> Christian
>

> Info Olagos schrieb:
>
> ok thanks for info.
>>
>> But the certificate in PKCS#12 format (standard) contains both the private
>> key and public key. It is a standard to transfer the certificates from the
>> public certificate provider to my webserver.
>>
>> Because i didn't generate the private key myself. And i didn't request for
>> a
>> certificate to the certificate provider. It was only my provider who
>> generated the private key and the public key.
>>
>
> Uh, the point of a *private* key is that you keep it private...
>
> So your problem now is that you want to import the private key into the
> JKS?
> See http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html for
> a solution.
>
>
> Christian
>

> Thanks. !
>
> Very useful document about PKCS12 import.
>
> Heidi
>
>  2011/3/16 Christian Geisert <[hidden email]>
>
>> Info Olagos schrieb:
>>
>> ok thanks for info.
>>>
>>> But the certificate in PKCS#12 format (standard) contains both the
>>> private
>>> key and public key. It is a standard to transfer the certificates from
>>> the
>>> public certificate provider to my webserver.
>>>
>>> Because i didn't generate the private key myself. And i didn't request
>>> for a
>>> certificate to the certificate provider. It was only my provider who
>>> generated the private key and the public key.
>>>
>>
>> Uh, the point of a *private* key is that you keep it private...
>>
>> So your problem now is that you want to import the private key into the
>> JKS?
>> See http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.htmlfor a solution.
>>
>>
>> Christian
>>
>
>
>
> --
> Olagos bvba
> http://www.olagos.eu <http://www.olagos.eu/>
> http://www.olagos.com
> http://www.olagos.be
> http://www.olagos.nl
> Olagos team
> Heesterbos 5
> 2570 Duffel
> Belgium
>
>
>
>

> But if i want to import the PKCS12 certificate into a new keystore, i try
> to do:
>
> keytool -importcert -alias ssl -trustcacerts -file c:\...\...\...\mypfx.pfx
> -keystore eee.pfx
> Enter keystore password:*****
> Re-enter new password: *****
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> Has anyone an idea how to solve this ?
>
> regards,
> Heidi
>  2011/3/16 Info Olagos <[hidden email]>
>
>> Thanks. !
>>
>> Very useful document about PKCS12 import.
>>
>> Heidi
>>
>>  2011/3/16 Christian Geisert <[hidden email]>
>>
>>> Info Olagos schrieb:
>>>
>>> ok thanks for info.
>>>>
>>>> But the certificate in PKCS#12 format (standard) contains both the
>>>> private
>>>> key and public key. It is a standard to transfer the certificates from
>>>> the
>>>> public certificate provider to my webserver.
>>>>
>>>> Because i didn't generate the private key myself. And i didn't request
>>>> for a
>>>> certificate to the certificate provider. It was only my provider who
>>>> generated the private key and the public key.
>>>>
>>>
>>> Uh, the point of a *private* key is that you keep it private...
>>>
>>> So your problem now is that you want to import the private key into the
>>> JKS?
>>> See http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.htmlfor a solution.
>>>
>>>
>>> Christian
>>>
>>
>>
>>
>> --
>> Olagos bvba
>> http://www.olagos.eu <http://www.olagos.eu/>
>> http://www.olagos.com
>> http://www.olagos.be
>> http://www.olagos.nl
>> Olagos team
>> Heesterbos 5
>> 2570 Duffel
>> Belgium
>>
>>
>>
>>
>
>
> --
> Olagos bvba
> http://www.olagos.eu <http://www.olagos.eu/>
> http://www.olagos.com
> http://www.olagos.be
> http://www.olagos.nl
> Olagos team
> Heesterbos 5
> 2570 Duffel
> Belgium
>
>
>
>

> Hello,
>
> For anyone who has succesfully imported a PKCS12 certificate in a keystore :
>
> Does this work with the java keytool tool on a linux system, i mean is it
> possible to import PKCS 12 certificates on that?
>
> It seams impossible to import with the java keytool tool on a windows vista
> business system a PKCS12 certificate.
>
> Anyone experience with it?
>
> Regards,
> Heidi
>
> 2011/3/16 Info Olagos <[hidden email]>
>
>> But if i want to import the PKCS12 certificate into a new keystore, i try
>> to do:
>>
>> keytool -importcert -alias ssl -trustcacerts -file c:\...\...\...\mypfx.pfx
>> -keystore eee.pfx
>> Enter keystore password:*****
>> Re-enter new password: *****
>> keytool error: java.lang.Exception: Input not an X.509 certificate
>>
>> Has anyone an idea how to solve this ?
>>
>> regards,
>> Heidi
>>  2011/3/16 Info Olagos <[hidden email]>
>>
>>> Thanks. !
>>>
>>> Very useful document about PKCS12 import.
>>>
>>> Heidi
>>>
>>>  2011/3/16 Christian Geisert <[hidden email]>
>>>
>>>> Info Olagos schrieb:
>>>>
>>>> ok thanks for info.
>>>>>
>>>>> But the certificate in PKCS#12 format (standard) contains both the
>>>>> private
>>>>> key and public key. It is a standard to transfer the certificates from
>>>>> the
>>>>> public certificate provider to my webserver.
>>>>>
>>>>> Because i didn't generate the private key myself. And i didn't request
>>>>> for a
>>>>> certificate to the certificate provider. It was only my provider who
>>>>> generated the private key and the public key.
>>>>>
>>>>
>>>> Uh, the point of a *private* key is that you keep it private...
>>>>
>>>> So your problem now is that you want to import the private key into the
>>>> JKS?
>>>> See http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.htmlfor a solution.
>>>>
>>>>
>>>> Christian
>>>>
>>>
>>>
>>>
>>> --
>>> Olagos bvba
>>> http://www.olagos.eu <http://www.olagos.eu/>
>>> http://www.olagos.com
>>> http://www.olagos.be
>>> http://www.olagos.nl
>>> Olagos team
>>> Heesterbos 5
>>> 2570 Duffel
>>> Belgium
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Olagos bvba
>> http://www.olagos.eu <http://www.olagos.eu/>
>> http://www.olagos.com
>> http://www.olagos.be
>> http://www.olagos.nl
>> Olagos team
>> Heesterbos 5
>> 2570 Duffel
>> Belgium
>>
>>
>>
>>
>
>
> --
> Olagos bvba
> http://www.olagos.eu <http://www.olagos.eu/>
> http://www.olagos.com
> http://www.olagos.be
> http://www.olagos.nl
> Olagos team
> Heesterbos 5
> 2570 Duffel
> Belgium
>

> IIRW, to import a such certificate in Windows you can rely on Windows
> itself. In file explorer right click: install. There are more explanations
> on the Net
>
> Jacques
>
> From: "Info Olagos" <[hidden email]>
>
>>  Hello,
>>
>> For anyone who has succesfully imported a PKCS12 certificate in a keystore
>> :
>>
>> Does this work with the java keytool tool on a linux system, i mean is it
>> possible to import PKCS 12 certificates on that?
>>
>> It seams impossible to import with the java keytool tool on a windows
>> vista
>> business system a PKCS12 certificate.
>>
>> Anyone experience with it?
>>
>> Regards,
>> Heidi
>>
>> 2011/3/16 Info Olagos <[hidden email]>
>>
>>   But if i want to import the PKCS12 certificate into a new keystore, i
>>> try
>>> to do:
>>>
>>> keytool -importcert -alias ssl -trustcacerts -file
>>> c:\...\...\...\mypfx.pfx
>>> -keystore eee.pfx
>>> Enter keystore password:*****
>>> Re-enter new password: *****
>>> keytool error: java.lang.Exception: Input not an X.509 certificate
>>>
>>> Has anyone an idea how to solve this ?
>>>
>>> regards,
>>> Heidi
>>>  2011/3/16 Info Olagos <[hidden email]>
>>>
>>>   Thanks. !
>>>>
>>>> Very useful document about PKCS12 import.
>>>>
>>>> Heidi
>>>>
>>>>  2011/3/16 Christian Geisert <[hidden email]>
>>>>
>>>>   Info Olagos schrieb:
>>>>>
>>>>> ok thanks for info.
>>>>>
>>>>>>
>>>>>> But the certificate in PKCS#12 format (standard) contains both the
>>>>>> private
>>>>>> key and public key. It is a standard to transfer the certificates from
>>>>>> the
>>>>>> public certificate provider to my webserver.
>>>>>>
>>>>>> Because i didn't generate the private key myself. And i didn't request
>>>>>> for a
>>>>>> certificate to the certificate provider. It was only my provider who
>>>>>> generated the private key and the public key.
>>>>>>
>>>>>>
>>>>> Uh, the point of a *private* key is that you keep it private...
>>>>>
>>>>> So your problem now is that you want to import the private key into the
>>>>> JKS?
>>>>> See
>>>>> http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.htmlfora solution.
>>>>>
>>>>>
>>>>> Christian
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Olagos bvba
>>>> http://www.olagos.eu <http://www.olagos.eu/>
>>>>
>>>> http://www.olagos.com
>>>> http://www.olagos.be
>>>> http://www.olagos.nl
>>>> Olagos team
>>>> Heesterbos 5
>>>> 2570 Duffel
>>>> Belgium
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> Olagos bvba
>>> http://www.olagos.eu <http://www.olagos.eu/>
>>>
>>> http://www.olagos.com
>>> http://www.olagos.be
>>> http://www.olagos.nl
>>> Olagos team
>>> Heesterbos 5
>>> 2570 Duffel
>>> Belgium
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> Olagos bvba
>> http://www.olagos.eu <http://www.olagos.eu/>
>>
>> http://www.olagos.com
>> http://www.olagos.be
>> http://www.olagos.nl
>> Olagos team
>> Heesterbos 5
>> 2570 Duffel
>> Belgium
>>
>>
>

> Hello,
>
> For anyone who has succesfully imported a PKCS12 certificate in a keystore :
>
> Does this work with the java keytool tool on a linux system, i mean is it
> possible to import PKCS 12 certificates on that?
>
> It seams impossible to import with the java keytool tool on a windows vista
> business system a PKCS12 certificate.
>
> Anyone experience with it?
>
> Regards,
> Heidi

> Info Olagos wrote:
>
>> Hello,
>>
>> For anyone who has succesfully imported a PKCS12 certificate in a keystore
>> :
>>
>> Does this work with the java keytool tool on a linux system, i mean is it
>> possible to import PKCS 12 certificates on that?
>>
>> It seams impossible to import with the java keytool tool on a windows
>> vista
>> business system a PKCS12 certificate.
>>
>> Anyone experience with it?
>>
>> Regards,
>> Heidi
>>
>
> This is on CentOS 5.5 using java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5
>
> Use OpenSSL to create a PKCS#12 file from an SSL certificate (in
> server.crt) and private key (in server.key):
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
> -name ofbiz
>
> Go and find the .jks file:
>
> cd /opt/apache-ofbiz-09.04/framework/base/config/
>
> Back it up:
>
> mv ofbizssl.jks ofbizssl.jks.old
>
> Run keytool to import the PKCS12 cert & key:
>
> keytool -importkeystore -deststorepass changeit -destkeypass changeit
> -destkeystore ofbizssl.jks -srckeystore /root/server.pkcs12 -srcstoretype
> PKCS12 -srcstorepass changeit -alias ofbiz
>
> Check the results:
>
> keytool -list -v -keystore ofbizssl.jks -storepass changeit
>
> Start OFBiz and make sure SSL works...
>
> Note that I'm using the existing password 'changeit' as I'm too lazy to
> reconfigure OFBiz to use something different.
>
> Regards,
>
>        Richard Siddall
>
> P.S. The keytool commands also work on Windows XP with JDK 1.6.0-21 with
> the same PKCS12 file.
>

> Info Olagos wrote:
>
>> Hello,
>>
>> For anyone who has succesfully imported a PKCS12 certificate in a keystore
>> :
>>
>> Does this work with the java keytool tool on a linux system, i mean is it
>> possible to import PKCS 12 certificates on that?
>>
>> It seams impossible to import with the java keytool tool on a windows
>> vista
>> business system a PKCS12 certificate.
>>
>> Anyone experience with it?
>>
>> Regards,
>> Heidi
>>
>
> This is on CentOS 5.5 using java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5
>
> Use OpenSSL to create a PKCS#12 file from an SSL certificate (in
> server.crt) and private key (in server.key):
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
> -name ofbiz
>
> Go and find the .jks file:
>
> cd /opt/apache-ofbiz-09.04/framework/base/config/
>
> Back it up:
>
> mv ofbizssl.jks ofbizssl.jks.old
>
> Run keytool to import the PKCS12 cert & key:
>
> keytool -importkeystore -deststorepass changeit -destkeypass changeit
> -destkeystore ofbizssl.jks -srckeystore /root/server.pkcs12 -srcstoretype
> PKCS12 -srcstorepass changeit -alias ofbiz
>
> Check the results:
>
> keytool -list -v -keystore ofbizssl.jks -storepass changeit
>
> Start OFBiz and make sure SSL works...
>
> Note that I'm using the existing password 'changeit' as I'm too lazy to
> reconfigure OFBiz to use something different.
>
> Regards,
>
>        Richard Siddall
>
> P.S. The keytool commands also work on Windows XP with JDK 1.6.0-21 with
> the same PKCS12 file.
>