Java Keystore, Certificates, Private Keys, Tomcat SSL

I was trying to set up Single Sign On using CAS and had to deal with creating a self-signed certificate and configuring Tomcat to use it. A few things I learned are the following:

1. The Tomcat SSL connector can be configured in two ways: JSSE or APR.

JSSE uses native libraries and needs different connector attributes to be configured. APR stands for Apache Portable Runtime. It requires additional libraries to be installed but provides more performance and flexibility. For a normal demo scenario, one may be fine with the JSSE connector configuration.

2. To configure the JSSE Tomcat SSL connector, you need a keystore. Assuming you are using a self-signed cert, use the following command line.



  • keytool -genkey -alias ss -keyalg RSA -keypass pwd -storepass pwd -keystore storefilepath

This will prompt for first name, last name and organizational information. Make sure you enter the right value for the very first question, "first and last name". This becomes the CN value in the certificate and is used in the SSL handshake. I had a space in this and it made me spend half a day figuring out the issue.

For my setup I kept the key password and store password the same.
This will create the keystore file. This keystore contains public and private key pairs. Now you can extract a certificate (public key) from it using the following command:


  • keytool -export -alias ss -storepass pwd -file certfilepath -keystore storefilepath

The certificate is the one which is used in the SSL handshake.

3. Once you configure the Tomcat SSL connector with the keystore, you need one more step. Had the certificate not been self-signed, you wouldn't need this additional step. Wherever this certificate is being used and verified for authenticity, you need to make sure the trust store for that system imports your self-signed certificate. I was connecting a Java client and was getting the following exception.
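For reference, this is what the JSSE connector that uses the keystore created above looks like in conf/server.xml on Tomcat 8.5 and 9. It is an added example, not configuration from the original post; the port, keystore path, alias and the password "changeit" are assumptions and must match what keytool was run with (on Tomcat 7 and 8.0 the same settings are written as the flat Connector attributes keystoreFile, keystorePass, keyAlias and sslProtocol="TLS").

```xml
<!-- Added example (not from the post): JSSE/NIO HTTPS connector for Tomcat 8.5/9.
     certificateKeystoreFile is resolved relative to $CATALINA_BASE. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="ss"
                     certificateKeyPassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The alias must name the PrivateKeyEntry in the keystore (the one created with -genkey), and restricting protocols to TLS 1.2 and 1.3 keeps the demo from negotiating obsolete versions.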

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Once I imported the self-signed certificate into the JVM truststore, the error was gone. Use the following command for the same. In my case I happened to import the whole keystore, as it only had one certificate in it.

  • keytool -importkeystore -srckeystore srcstorepath -destkeystore deststorepath

Hope this saves somebody half a day!!!

4. Somebody sent me a .jks file when I asked him for a certificate. This is how I extracted the certificate from it:

  • First I listed all the certs inside the jks file

keytool -list -keystore knox.jks

aliasname, Mar 27, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 26:46:2B:DD:22:1E:86:7B:CC:37:F4:B8:E2:5F:92:D2:D0:EF:44:DW:2F:1B:1D:18:78:AF:02:22:60:37:CA:73

  • I picked the alias name from the listing above and tried to export it to a file

keytool -exportcert -alias aliasname -keystore knox.jks -file tes.cert

This actually exports the certificate in a format which has some non-ASCII characters, so I had to specify the -rfc switch on the command line.

keytool -exportcert -rfc -alias aliasname -keystore knox.jks -file test.cert

5. While testing a new ODBC driver for Hive, I came across a situation where I needed a truststore for the Hive/Knox server. I had the certificate with me. Below is how I ended up creating the truststore hive_test.jks using the cert I had:

  • keytool -importcert -file C:\Users\vf774xt\certs\hive_test.cer -keystore .\hive_test.jks -storepass changeit -storetype PKCS12
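The script below ties items 2 through 5 together as one added example; it is not the post's own command set. It generates the self-signed server keystore (item 2), exports the certificate as PEM (items 2 and 4), builds a trust store from that certificate alone (items 3 and 5), and includes two pure-shell helpers that catch the pitfalls the post describes: a host name with whitespace, which would become a broken CN, and the DER-versus-PEM difference that the -rfc switch resolves. The host name sso.example.test, the alias "server", the password "changeit", the PKCS12 store type and the sample `keytool -list` output are all constructed for the demo. Two details differ from the post on purpose: -dname and -ext SAN are passed on the command line instead of answering keytool's prompts, so the CN and subjectAltName are set exactly and match the host name clients will use; and the trust store is filled with -importcert rather than -importkeystore, because a trust store needs only the public certificate and -importkeystore would copy the private key into it as well.

```shell
#!/bin/sh
# Added example (not the blog's own commands): self-signed server keystore,
# PEM export, trust store built from the certificate, plus pure-shell checks
# for the pitfalls described in the post. Host name, alias, file names and
# the password "changeit" are assumptions for the demo.

# The CN and the SAN (which modern clients actually check) must equal the host
# name the client connects to; a stray space or a different name breaks the
# handshake. Passing -dname avoids keytool's interactive prompts entirely.
make_server_keystore() {  # $1=host  $2=keystore path  $3=password
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$1,OU=demo,O=example,L=city,ST=state,C=US" \
        -ext "SAN=dns:$1" \
        -storetype PKCS12 -keystore "$2" -storepass "$3" -keypass "$3"
}

# Export only the public certificate. Without -rfc keytool writes binary DER
# (the "non-ASCII" output the post ran into); -rfc writes Base64 PEM.
export_cert_pem() {  # $1=keystore  $2=password  $3=output file
    keytool -exportcert -rfc -alias server -keystore "$1" -storepass "$2" -file "$3"
}

# A trust store needs only the certificate, never the private key, so
# -importcert is preferable to -importkeystore, which would copy the key too.
make_truststore() {  # $1=cert file  $2=truststore path  $3=password
    keytool -importcert -noprompt -alias server -file "$1" \
        -storetype PKCS12 -keystore "$2" -storepass "$3"
}

# Pure-shell helpers (no keytool needed).
cert_is_pem() {  # $1=file; succeeds for PEM, fails for DER or anything else
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Pull alias names out of `keytool -list` output, i.e. from lines shaped like
# "aliasname, Mar 27, 2020, trustedCertEntry,".
aliases_from_listing() {  # reads a listing on stdin, prints one alias per line
    grep -E 'PrivateKeyEntry,|trustedCertEntry,' | cut -d, -f1
}

# Reject an empty host name or one containing whitespace before it becomes the CN.
valid_host() {  # $1=host
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample of `keytool -list` output (fingerprints are made up).
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

server, Mar 27, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
knoxca, Mar 27, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

demo() {  # end-to-end run in a scratch directory; needs a JDK's keytool on PATH
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping demo"; return 0; }
    host=sso.example.test
    valid_host "$host" || { echo "host name must not be empty or contain spaces"; return 1; }
    dir=$(mktemp -d)
    make_server_keystore "$host" "$dir/server.p12" changeit
    export_cert_pem "$dir/server.p12" changeit "$dir/server.pem"
    cert_is_pem "$dir/server.pem" && echo "exported PEM certificate"
    make_truststore "$dir/server.pem" "$dir/truststore.p12" changeit
    echo "aliases now trusted:"
    keytool -list -keystore "$dir/truststore.p12" -storepass changeit | aliases_from_listing
    rm -rf "$dir"
}

demo
```

Run it with a JDK on PATH and it prints the single trusted alias from the fresh trust store; point the client's javax.net.ssl.trustStore at that file and the SunCertPathBuilderException from item 3 goes away, without the client ever holding the server's private key.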