Ubuntu/openssl

From r00tedvw.com wiki
(Difference between revisions)
(Discover the alias name from a JKS keystore)
Line 73: Line 73:
 
Alias name: SecretAlias
 
Alias name: SecretAlias
 
Creation date: Aug 16, 2016</nowiki>
 
Creation date: Aug 16, 2016</nowiki>
 +
====Export CRT from JKS====
 +
<nowiki>
 +
~$ keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_certificate_file
 +
 +
Example:
 +
~$ /usr/java/jdk1.8.0_74/bin/keytool -export -alias SecretAlias -keystore /home/user/selfsigned.jks -rfc -file /home/user/selfsigned.crt
 +
Enter keystore password:
 +
</nowiki>
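Review bot: the new "Export CRT from JKS" section goes straight from the heading to the command without saying what ends up in the output file. Add one sentence above the `keytool -export ... -rfc -file` line stating that this writes only the certificate for the given alias, in PEM form, and not the private key. keytool also documents this command as `-exportcert`, with `-export` kept as the older name, so consider using the current spelling in the template line.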

Revision as of 21:14, 14 December 2016

Common openssl commands: http://www.sslshopper.com/article-most-common-openssl-commands.html

Generating an SSL cert with a SAN: http://apetec.com/support/GenerateSAN-CSR.htm

Generating SAN Certificate

Oracle Linux

Find openssl.cnf. I found it located at:

/etc/pki/tls/openssl.cnf

Verify this is present and uncommented:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

You'll probably need to add the following:

[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain1.com
DNS.2 = sub.domain1.com
DNS.3 = domain2.com

Now we need to create the Key, CSR, and CRT

~$ openssl genrsa -out san_domain_com.key 2048
~$ openssl req -new -out san_domain_com.csr -key san_domain_com.key -config openssl.cnf
~$ openssl x509 -req -days 3650 -in san_domain_com.csr -signkey san_domain_com.key -out san_domain_com.crt -extensions v3_req -extfile openssl.cnf
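A check that the SANs actually made it into the certificate, as an added example that is not part of the original wiki page: it runs the three commands above in a temporary directory against a constructed minimal config, then signs once more without `-extensions`/`-extfile` to show that the SANs are then silently dropped. The function names, file names, `prompt = no` and the `CN` value are assumptions made so the script runs unattended.

```shell
#!/bin/sh
# Constructed minimal config in the page's [req]/[v3_req]/[alt_names] layout.
# "prompt = no" and the CN value are assumptions so it runs unattended.
write_cnf() {
cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = domain1.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain1.com
DNS.2 = sub.domain1.com
DNS.3 = domain2.com
EOF
}

# Print the SAN DNS names of a CSR ($1=req) or certificate ($1=x509) as a
# comma-separated list; prints nothing when the extension is absent.
sans() {
    openssl "$1" -in "$2" -noout -text \
      | { grep -A1 'Subject Alternative Name' || true; } | tail -n 1 \
      | sed -e 's/DNS://g' -e 's/ //g'
}

# Build key, CSR and two self-signed certificates in directory $1:
#   san.crt   signed with -extensions/-extfile, as on the page
#   nosan.crt signed without them, to show the SANs get dropped
build() {
    d=$1
    write_cnf "$d/openssl.cnf"
    openssl genrsa -out "$d/san.key" 2048 2>/dev/null
    openssl req -new -out "$d/san.csr" -key "$d/san.key" -config "$d/openssl.cnf"
    openssl x509 -req -days 3650 -in "$d/san.csr" -signkey "$d/san.key" \
        -out "$d/san.crt" -extensions v3_req -extfile "$d/openssl.cnf" 2>/dev/null
    openssl x509 -req -days 3650 -in "$d/san.csr" -signkey "$d/san.key" \
        -out "$d/nosan.crt" 2>/dev/null
}

workdir=$(mktemp -d)   # throwaway directory; remove it when done
build "$workdir"
echo "CSR SANs:            $(sans req  "$workdir/san.csr")"
echo "CRT SANs:            $(sans x509 "$workdir/san.crt")"
echo "CRT without extfile: $(sans x509 "$workdir/nosan.crt")"
```

If the SAN line comes back empty for a certificate you intend to deploy, the signing step was run without `-extensions v3_req -extfile openssl.cnf`.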

Converting to PKCS12

You may want to first merge the certs into a single CRT like this.
Export to PKCS12:

$ openssl pkcs12 -export -in san_domain_com.crt -inkey san_domain_com.key -out san_domain_com.p12 -name alias_self_signed
Enter Export Password:
Verifying - Enter Export Password:

Convert PKCS12 to JKS

If you have a Java site and need to secure it, you'll probably need to create a JKS.
You'll need to know the following info:

  • alias
  • pkcs12 password

~$ /usr/java/jdk1.8.0_74/bin/keytool -importkeystore -srckeystore san_domain_com.p12 -srcstoretype pkcs12 -srcalias alias_self_signed -srcstorepass password -destkeystore san_domain_com.jks -deststoretype jks -deststorepass password -destalias alias_self_signed

Check it to make sure it's right:

~$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore san_domain_com.jks
Enter keystore password:

Discover the alias name from a JKS keystore

If you don't know the alias name, you can discover it as long as you know the keystore password.

~$ /usr/java/jdk1.8.0_74/bin/keytool -list -keystore /home/user/puppet/site/service/files/selfsigned.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

james, Aug 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 13:36:7B:A7:21:D9:50:82:D2:74:14:7D:A0:AA:AB:FE:93:74:A3:C9

Another way is to:

$ /usr/java/jdk1.8.0_74/bin/keytool -list -v -keystore ./selfsigned.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: SecretAlias
Creation date: Aug 16, 2016

Export CRT from JKS

~$ keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_certificate_file

Example:
~$ /usr/java/jdk1.8.0_74/bin/keytool -export -alias SecretAlias -keystore /home/user/selfsigned.jks -rfc -file /home/user/selfsigned.crt
Enter keystore password:
