Hello,

Has anyone already imported a PKCS7 certificate into the java keystore for use with embedded Tomcat Ofbiz?

Regards,
Heidi

--
Olagos bvba
http://www.olagos.eu
http://www.olagos.com
http://www.olagos.be
http://www.olagos.nl
Olagos team
Heesterbos 5
2570 Duffel
Belgium
Info Olagos wrote:
> Has anyone already imported a PKCS7 certificate into the java keystore for use with embedded Tomcat Ofbiz?

I think I had to convert one to PKCS12. IIRC, Java6 lets you use PKCS12 as a key store with keytool. I read that Tomcat can use PKCS12 directly, but I converted mine to the Java keystore format.

Regards,

Richard Siddall
Richard Siddall wrote:
> I think I had to convert one to PKCS12. IIRC, Java6 lets you use PKCS12 as a key store with keytool.

Yes, from experience I confirm: PKCS12 is the way.

Jacques
Hello,

Thanks for the info.

At the end I have a near working solution for the certificates.

I learned that the keytool doesn't accept anymore .p7b or PKCS7 certificates. So I converted with openssl the PKCS7 certificate back to an X.509 certificate, and that one I imported into the keystore with the keytool.

So far that worked. Now the parameters in the ofbiz-container.xml for HTTPS are configured also.

But on the level of SSL I have now still a problem. It doesn't recognize the ciphers.... Will be solved and followed up......

Thanks for knowing that PKCS12 is also ok.

At the end it was a thorough study of certificates before you can logically handle them.

Regards,
Heidi

2011/3/16 Jacques Le Roux <[hidden email]>
> Yes, from experience I confirm: PKCS12 is the way.
Apparently PKCS7 can not work because it doesn't convert the private key and doesn't contain the private key.

But I think here we have wrong information in the WIKI in the technical startup document.

So then we have to use PKCS12.

Regards,
Heidi
Info Olagos wrote:
> Apparently PKCS7 can not work because it doesn't convert the private key and doesn't contain the private key.

A certificate never contains the private key.

> But I think here we have wrong information in the WIKI in the technical startup document.

I don't think there's wrong information, it just doesn't explain how to set up SSL with an "external" key.

> So then we have to use PKCS12.

I've used the "ImportKey.java" program (from http://www.agentbob.info/agentbob/79-AB.html) in the past to import a private key into the Java Key Store.

Christian
Ok, thanks for the info.

But the certificate in PKCS#12 format (standard) contains both the private key and public key. It is a standard to transfer the certificates from the public certificate provider to my webserver.

Because I didn't generate the private key myself. And I didn't request a certificate from the certificate provider. It was only my provider who generated the private key and the public key. So it is possible to have the private key also in the certificate (bundle) which is sent to me via PKCS#12.

Following the nice information in the cookbook of Ruth Hoffman, it has to work with PKCS#12.

Regards,
Heidi

2011/3/16 Christian Geisert <[hidden email]>
> A certificate never contains the private key.
> I've used the "ImportKey.java" program (from http://www.agentbob.info/agentbob/79-AB.html) in the past to import a private key into the Java Key Store.
Info Olagos wrote:
> But the certificate in PKCS#12 format (standard) contains both the private key and public key. It is a standard to transfer the certificates from the public certificate provider to my webserver.
>
> Because I didn't generate the private key myself. And I didn't request a certificate from the certificate provider. It was only my provider who generated the private key and the public key.

Uh, the point of a *private* key is that you keep it private...

So your problem now is that you want to import the private key into the JKS? See http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html for a solution.

Christian
Thanks!

Very useful document about PKCS12 import.

Heidi

2011/3/16 Christian Geisert <[hidden email]>
> So your problem now is that you want to import the private key into the JKS? See http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html for a solution.
But if I want to import the PKCS12 certificate into a new keystore, I try to do:

    keytool -importcert -alias ssl -trustcacerts -file c:\...\...\...\mypfx.pfx -keystore eee.pfx
    Enter keystore password:*****
    Re-enter new password: *****
    keytool error: java.lang.Exception: Input not an X.509 certificate

Has anyone an idea how to solve this?

Regards,
Heidi
Hello,

For anyone who has successfully imported a PKCS12 certificate in a keystore: does this work with the java keytool tool on a linux system? I mean, is it possible to import PKCS 12 certificates on that?

It seems impossible to import a PKCS12 certificate with the java keytool tool on a windows vista business system.

Anyone experience with it?

Regards,
Heidi

2011/3/16 Info Olagos <[hidden email]>
> But if I want to import the PKCS12 certificate into a new keystore, I try to do:
>
>     keytool -importcert -alias ssl -trustcacerts -file c:\...\...\...\mypfx.pfx -keystore eee.pfx
>     keytool error: java.lang.Exception: Input not an X.509 certificate
IIRW, to import such a certificate in Windows you can rely on Windows itself. In file explorer right click: install. There are more explanations on the Net.

Jacques

From: Info Olagos <[hidden email]>
> It seems impossible to import a PKCS12 certificate with the java keytool tool on a windows vista business system.
>
> Anyone experience with it?
Thanks Jacques,

And do you know, by the way, how to reference the certificate then in ofbiz-containers.xml?

Heidi

2011/3/17 Jacques Le Roux <[hidden email]>
> IIRW, to import such a certificate in Windows you can rely on Windows itself. In file explorer right click: install. There are more explanations on the Net.
Info Olagos wrote:
> For anyone who has successfully imported a PKCS12 certificate in a keystore: does this work with the java keytool tool on a linux system? I mean, is it possible to import PKCS 12 certificates on that?
>
> It seems impossible to import a PKCS12 certificate with the java keytool tool on a windows vista business system.

This is on CentOS 5.5 using java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5

Use OpenSSL to create a PKCS#12 file from an SSL certificate (in server.crt) and private key (in server.key):

    openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12 -name ofbiz

Go and find the .jks file:

    cd /opt/apache-ofbiz-09.04/framework/base/config/

Back it up:

    mv ofbizssl.jks ofbizssl.jks.old

Run keytool to import the PKCS12 cert & key:

    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore ofbizssl.jks -srckeystore /root/server.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias ofbiz

Check the results:

    keytool -list -v -keystore ofbizssl.jks -storepass changeit

Start OFBiz and make sure SSL works...

Note that I'm using the existing password 'changeit' as I'm too lazy to reconfigure OFBiz to use something different.

Regards,

Richard Siddall

P.S. The keytool commands also work on Windows XP with JDK 1.6.0-21 with the same PKCS12 file.
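As an added example (not code from this thread, from OFBiz or from keytool), the same import that Richard's `keytool -importkeystore` command performs, written against the standard `java.security.KeyStore` API so that the private-key entry is checked before the JKS file is written; it also shows why the earlier `keytool -importcert` attempt failed, since that option expects a single X.509 certificate and a .pfx/.p12 file is a keystore holding a key plus its chain. File names, passwords and the alias in `main` are constructed placeholders, not values from the thread.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Copies every private-key entry (key + certificate chain) from a PKCS#12 file into a JKS keystore. */
public class Pkcs12ToJks {

    public static int copyKeyEntries(String p12Path, char[] p12Pass,
                                     String jksPath, char[] jksPass) throws Exception {
        // A .pfx/.p12 file is itself a keystore: open it as one, not as a certificate.
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            src.load(in, p12Pass);
        }

        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null); // start from an empty keystore

        int copied = 0;
        for (String alias : Collections.list(src.aliases())) {
            // Tomcat needs a key entry; a trusted-certificate entry alone cannot serve HTTPS.
            if (!src.isKeyEntry(alias)) {
                continue;
            }
            // PKCS#12 files written by OpenSSL use one password for the store and the key.
            Key key = src.getKey(alias, p12Pass);
            Certificate[] chain = src.getCertificateChain(alias);
            if (!(key instanceof PrivateKey) || chain == null || chain.length == 0) {
                throw new IllegalStateException("alias '" + alias + "' has no private key with a certificate chain");
            }
            if (chain[0] instanceof X509Certificate) {
                // Fail early on an expired or not-yet-valid server certificate.
                ((X509Certificate) chain[0]).checkValidity();
            }
            // Tomcat/OFBiz read the key with the key password; keep it equal to the store password
            // unless the container is configured with a separate keyPass.
            dst.setKeyEntry(alias, key, jksPass, chain);
            copied++;
        }
        if (copied == 0) {
            throw new IllegalStateException("no private key entry found in " + p12Path);
        }

        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            dst.store(out, jksPass);
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords (assumptions, not values from the thread).
        int n = copyKeyEntries("server.pkcs12", "changeit".toCharArray(),
                               "ofbizssl.jks", "changeit".toCharArray());
        System.out.println("copied " + n + " key entr" + (n == 1 ? "y" : "ies"));
    }
}
```

After writing the file, `keytool -list -v -keystore ofbizssl.jks` should show the alias as a `PrivateKeyEntry` with the full chain, which is the state the embedded Tomcat container expects.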
Wow!

Thanks for all the information!!

Regards,
Heidi

2011/3/17 Richard Siddall <[hidden email]>
> Run keytool to import the PKCS12 cert & key:
>
>     keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore ofbizssl.jks -srckeystore /root/server.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias ofbiz
Thanks Richard,

This is the exact method for having a working solution!!

Thanks,
Heidi

2011/3/17 Richard Siddall <[hidden email]>
> Run keytool to import the PKCS12 cert & key:
>
>     keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore ofbizssl.jks -srckeystore /root/server.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias ofbiz