certificate in PKCS7 format in Ofbiz


certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
Hello,

Has anyone already imported a PKCS7 certificate into the java keystore for
use with embedded Tomcat Ofbiz?

Regards,
Heidi

--
Olagos bvba
http://www.olagos.eu <http://www.olagos.eu/>
http://www.olagos.com
http://www.olagos.be
http://www.olagos.nl
Olagos team
Heesterbos 5
2570 Duffel
Belgium

Re: certificate in PKCS7 format in Ofbiz

Richard Siddall
Info Olagos wrote:
> Hello,
>
> Has anyone already imported a PKCS7 certificate into the java keystore for
> use with embedded Tomcat Ofbiz?
>
> Regards,
> Heidi
>

I think I had to convert one to PKCS12.  IIRC, Java 6 lets you use PKCS12
as a key store with keytool.  I read that Tomcat can use PKCS12
directly, but I converted mine to the Java keystore format.

Regards,

        Richard Siddall


Re: certificate in PKCS7 format in Ofbiz

Jacques Le Roux
Administrator
Yes from experience I confirm,

PKCS12 is the way

Jacques


Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
Hello,

Thanks for the info.

In the end I have a nearly working solution for the certificates.

I learned that keytool no longer accepts .p7b or PKCS7
certificates.
So I converted the PKCS7 certificate back to an X.509 certificate with openssl
and imported that one into the keystore with keytool.

So far that worked.
Now the parameters in the ofbiz-container.xml for HTTPS are configured also.

But at the SSL level I still have a problem. It doesn't recognize the
ciphers...

Will be solved and followed up...

Thanks for letting me know that PKCS12 is also OK.

In the end it took a thorough study of certificates before you can logically
handle them...

Regards,
Heidi


Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
Apparently PKCS7 cannot work because it doesn't convert the private key and
doesn't contain the private key.

But I think we have wrong information here in the wiki, in the technical
startup document.

So then we have to use PKCS12.

Regards,
Heidi


Re: certificate in PKCS7 format in Ofbiz

Christian Geisert
Info Olagos wrote:
> Apparently PKCS7 cannot work because it doesn't convert the private key and
> doesn't contain the private key.

A certificate never contains the private key.

> But I think we have wrong information here in the wiki, in the technical
> startup document.

I don't think there's wrong information, it just doesn't explain how to
set up SSL with an "external" key.

> So then we have to use PKCS12.

I've used the "ImportKey.java" program (from
http://www.agentbob.info/agentbob/79-AB.html) in the past to import
a private key into the Java Key Store.


Christian

Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
OK, thanks for the info.

But the certificate in PKCS#12 format (standard) contains both the private
key and the public key. It is a standard for transferring certificates from the
public certificate provider to my webserver.

Because I didn't generate the private key myself. And I didn't request a
certificate from the certificate provider. It was only my provider who
generated the private key and the public key.

So it is possible to have the private key also in the certificate (bundle)
that is sent to me via PKCS#12.

Following the nice information in the cookbook of Ruth Hoffman, it has to
work with PKCS#12.

Regards,
Heidi


Re: certificate in PKCS7 format in Ofbiz

Christian Geisert
Info Olagos wrote:
> OK, thanks for the info.
>
> But the certificate in PKCS#12 format (standard) contains both the private
> key and the public key. It is a standard for transferring certificates from the
> public certificate provider to my webserver.
>
> Because I didn't generate the private key myself. And I didn't request a
> certificate from the certificate provider. It was only my provider who
> generated the private key and the public key.

Uh, the point of a *private* key is that you keep it private...

So your problem now is that you want to import the private key into the JKS?
See http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html 
for a solution.


Christian

Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
Thanks!

Very useful document about PKCS12 import.

Heidi


Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
But if I want to import the PKCS12 certificate into a new keystore, I try to
do:

keytool -importcert -alias ssl -trustcacerts -file c:\...\...\...\mypfx.pfx -keystore eee.pfx
Enter keystore password:*****
Re-enter new password: *****
keytool error: java.lang.Exception: Input not an X.509 certificate

Does anyone have an idea how to solve this?

Regards,
Heidi

Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
Hello,

For anyone who has successfully imported a PKCS12 certificate into a keystore:

Does this work with the Java keytool on a Linux system? I mean, is it
possible to import PKCS12 certificates on that?

It seems impossible to import a PKCS12 certificate with the Java keytool on a
Windows Vista Business system.

Does anyone have experience with it?

Regards,
Heidi


Re: certificate in PKCS7 format in Ofbiz

Jacques Le Roux-3
IIRW, to import such a certificate in Windows you can rely on Windows itself.
In file explorer, right click: install. There are more explanations on the Net.

Jacques


Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
Thanks Jacques,

And do you know, by the way, how to then reference the certificate in
ofbiz-containers.xml?

Heidi


Re: certificate in PKCS7 format in Ofbiz

Richard Siddall
In reply to this post by Heidi Dehaes - Olagos
Info Olagos wrote:

> Hello,
>
> For anyone who has successfully imported a PKCS12 certificate into a keystore:
>
> Does this work with the Java keytool on a Linux system? I mean, is it
> possible to import PKCS12 certificates on that?
>
> It seems impossible to import a PKCS12 certificate with the Java keytool on a
> Windows Vista Business system.
>
> Does anyone have experience with it?
>
> Regards,
> Heidi

This is on CentOS 5.5 using java-1.6.0-openjdk-1.6.0.0-1.16.b17.el5

Use OpenSSL to create a PKCS#12 file from an SSL certificate (in
server.crt) and private key (in server.key):

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12 -name ofbiz

Go and find the .jks file:

cd /opt/apache-ofbiz-09.04/framework/base/config/

Back it up:

mv ofbizssl.jks ofbizssl.jks.old

Run keytool to import the PKCS12 cert & key:

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore ofbizssl.jks -srckeystore /root/server.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias ofbiz

Check the results:

keytool -list -v -keystore ofbizssl.jks -storepass changeit

Start OFBiz and make sure SSL works...

Note that I'm using the existing password 'changeit' as I'm too lazy to
reconfigure OFBiz to use something different.

Regards,

        Richard Siddall

P.S. The keytool commands also work on Windows XP with JDK 1.6.0-21 with
the same PKCS12 file.
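
The following shell script is an added example, not part of the original thread or of OFBiz. It contrasts the two imports discussed above: keytool -importcert on a bare X.509 certificate, which stores a trustedCertEntry without a private key, and the PKCS#12 route through -importkeystore, which stores the PrivateKeyEntry a TLS server needs. The throwaway key, the file names, the CN and the KS_PASS environment variable are assumptions made for the demo; passwords are read from the environment instead of being typed on the command line.

```shell
#!/bin/sh
# Added example, not from the thread. File names, the CN and the KS_PASS
# variable are constructed for this demo; the alias "ofbiz" follows the post.

# Throwaway self-signed key and certificate so the demo needs no real material.
make_test_material() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ofbiz.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Check that the private key belongs to the certificate before bundling them:
# both must yield the same public key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Certificate-only import: the keystore ends up with the public certificate
# but no private key, so a server cannot use this entry as its identity.
import_cert_only() {  # $1 = working directory
    keytool -J-Duser.language=en -importcert -noprompt -alias ofbiz \
        -file "$1/server.crt" -keystore "$1/certonly.jks" -storetype JKS \
        -storepass:env KS_PASS >/dev/null 2>&1
}

# Key + certificate import: bundle both as PKCS#12, then copy the entry
# into a JKS keystore. Passwords come from the environment variable KS_PASS.
import_key_and_cert() {  # $1 = working directory
    openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
        -name ofbiz -out "$1/server.p12" -passout env:KS_PASS &&
    keytool -J-Duser.language=en -importkeystore -noprompt \
        -srckeystore "$1/server.p12" -srcstoretype PKCS12 \
        -srcstorepass:env KS_PASS \
        -destkeystore "$1/ofbizssl.jks" -deststoretype JKS \
        -deststorepass:env KS_PASS -alias ofbiz >/dev/null 2>&1
}

# Print the entry type keytool reports for alias "ofbiz" in keystore $1.
entry_type() {
    keytool -J-Duser.language=en -list -alias ofbiz -keystore "$1" \
        -storetype JKS -storepass:env KS_PASS 2>/dev/null |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Run the comparison with: KS_PASS=... sh import-demo.sh run
if [ "${1:-}" = "run" ]; then
    : "${KS_PASS:?set KS_PASS to a keystore password of at least 6 characters}"
    export KS_PASS
    dir=$(mktemp -d) || exit 1
    make_test_material "$dir" || exit 1
    key_matches_cert "$dir/server.key" "$dir/server.crt" || exit 1
    import_cert_only "$dir"
    echo "importcert on server.crt      -> $(entry_type "$dir/certonly.jks")"
    import_key_and_cert "$dir"
    echo "importkeystore on server.p12  -> $(entry_type "$dir/ofbizssl.jks")"
    rm -rf "$dir"
fi
```

A keystore that lists only a trustedCertEntry for the server alias holds no private key, so checking the entry type is a quick test before changing any connector settings.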

Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
Wow

Thanks for all the information!!

Regards,
Heidi


Re: certificate in PKCS7 format in Ofbiz

Heidi Dehaes - Olagos
In reply to this post by Richard Siddall
Thanks Richard,

This is the exact method for having a working solution!!

Thanks,
Heidi
