Join the revolution - StartCom Linux  

Official StartCom Public User Forum

 Post subject: HOWTO: Java keytool in windows
Posted: Mon Nov 16, 2009 5:02 pm

Joined: Mon Nov 16, 2009 3:57 pm
Posts: 1
How to install a StartCom certificate using java keytool in windows

This will step through the process of installing a certificate from StartCom in a windows OS using the java keytool.

NOTE :
Obviously you will be replacing all instances of ‘yourdomain’ in my examples with the domain you wish to certify, as well as all instances of ‘.com’ with your domain's TLD (if it differs).
The default password for the keystore is : changeit
You must keep the password consistent when keytool asks you to specify a new password. So stick with “changeit” if you wish to avoid confusion.

I will assume you have created a directory called ‘ssl’ on your C drive: “C:\ssl\”

1) We need to fetch and install the two StartCom public keys. So navigate to the following 2 websites and when prompted, save the certificates in your c:\ssl\ directory

http://www.startssl.com/certs/ca.crt
http://www.startssl.com/certs/sub.class1.server.ca.crt

2) Open up a command window :
<Start> -> <Run> and type “cmd” and click OK

3) When the command window appears type “keytool” and press enter

If you see a list of possible usages that keytool offers then you may continue to the next step. If you receive a “'keytool' is not recognized as an internal or external command” message then navigate to your java bin directory in the command window :
eg type “cd C:\Program Files\Java\jre1.6.0_07\bin” (This may be different to your setup)

4) We will now install the StartCom certificates you downloaded by typing :
Code:
keytool -import -trustcacerts -alias startcom.ca -file c:/ssl/ca.crt

(remember the password is : changeit)
Code:
keytool -import -alias startcom.ca.sub -file c:/ssl/sub.class1.server.ca.crt


5) We will now generate a keypair using the StartCom requirements.
Type in the following
Code:
keytool -genkey -alias http://www.yourdomain.com -keyalg RSA -keysize 2048 -dname "cn=www.yourdomain.com, o=yourdomain, o=.com"



6) Now generate a Certificate Request (CSR).
Code:
keytool -certreq -alias http://www.yourdomain.com -file c:/ssl/yourdomain.csr


7) Go to the file C:\ssl\yourdomain.csr and open it with notepad and copy the contents to your clipboard

8) Go to the StartCom Certificates Wizard tab and select your Certificate Target from the dropdown box; select “Web Server SSL” if that’s what you are intending to certify.
Note : If you don’t see the option you want then you may not yet have validated your domain. If so click on the Validation Wizard and complete that first.

9) SKIP the next screen that prompts you to generate a private key, since we have already made our own one.

10) PASTE the text we copied from step 7 into the textbox on the “Submit Certificate Request (CSR)” page and then click the “Continue” button and wait patiently.

11) You should now have a page with your new certificate, copy the text that is presented to you in the text box on the page.

12) Create a new text file in your c:\ssl\ directory (eg “New Text Document.txt”) and paste the certificate from step 11 into that file and save it. Rename that text file to “ssl.crt”

13) Open your command window and type the following :
Code:
keytool -import -alias http://www.yourdomain.com -file c:/ssl/ssl.crt


Congrats you have now installed the certificate and are ready to rock.

Note :
keytool will add all these certificates to your keystore file that may not be visible to your webserver / container.
On my machine the keystore file (Named “.keystore”) ended up in the directory
“C:\Documents and Settings\Administrator\”

..and my tomcat was looking for the file in
“C:\Documents and Settings\Default User\”

so to point to the correct file I added the attribute :
keystoreFile="C:/Documents and Settings/Administrator/.keystore"
in my Tomcat's server.xml file in the <Connector> tag that handles my SSL connections.

Stop and start your web server and you should now have a trusted ssl certificate.

Hope this helps.

And a big thanks to StartCom for my free certificate.


Post subject: Re: HOWTO: Java keytool in windows
Posted: Fri Nov 20, 2009 3:26 pm

Joined: Mon Oct 04, 2004 11:41 am
Posts: 712
Location: Israel
For those needing to import the certificate in the form of a PKCS#12 file, use this command:

Code:
keytool -importkeystore -srckeystore yourcert.p12 -srcstoretype pkcs12 -srcstorepass p12pass -srcalias somealias -destkeystore yourkeystore -deststoretype jks -deststorepass jkspass


Post subject: Re: HOWTO: Java keytool in windows
Posted: Wed Dec 30, 2009 8:04 am

Joined: Wed Dec 30, 2009 7:37 am
Posts: 2
Location: US
For OpenFire users on Unix/Linux, these are the instructions I spent about 5 hours trying to find out.
1 Open terminal.
2 Go into the root user. (sudo -s/su)
3 Change your directory to <OPENFIRE>/resources/security/ (cd /usr/local/openfire/resources/security/)
4 Download http://www.startssl.com/certs/ca.crt and http://www.startssl.com/certs/sub.class1.server.ca.crt and place them somewhere that is easy to access; I put mine in the root of my hard drive.
5 Run these commands in your terminal session
Code:
keytool -import -keystore truststore -trustcacerts -alias startcom.ca -file /ca.crt
keytool -import -keystore truststore -alias startcom.ca.sub -file /sub.class1.server.ca.crt

6 Restart your Openfire server; on Mac you go into the System Preferences and choose the Openfire panel.
7 Visit your server's control panel, http://localhost:9090/, and go into the server settings tab and the Server Certificates menu.
8 Delete the self-signed certificates.
9 Click on the import link.
10 Place your key's password, key, and certificate in the right fields and you're done.

Note: it may say "One or more certificates are missing. Click here to generate self-signed certificates or here to import a signed certificate and its private key." Just ignore that, it'll still work.

Hope this helps someone else, and also me when I need to go through this again.
Mr. Gecko.


Post subject: Re: HOWTO: Java keytool in windows
Posted: Wed Mar 23, 2011 1:16 pm

Joined: Wed Mar 09, 2011 4:46 am
Posts: 3
Hi Fuzz,
I really appreciate your information and I would like to share a few details about StartSSL XMPP Certificate In Openfire 3.6.4

StartSSL XMPP Certificate In Openfire 3.6.4


I newly discovered StartCom’s free grade 1 SSL certificates and determined to apply for a few for my server. I conceptualized, why not begin with Jabber? The Openfire admin interface creates it seem straightforward adequate.

Your server ought to be running JRE 6 with the Java (JCE) unrestrained potency Jurisdiction Policy Files 6 to be capable to use a certificate created by StartCom.
My proliferation is Debian based, so these directions will be written as such. All terminal guidelines here are performed as root.

1. Remove presented Certificates
2. Install and arrange JRE 6
3. Install JCE unrestrained potency Jurisdiction Policy Files 6
4. Get hold of secret key & official document from StartCom
5. Install StartCom’s rank 1 middle and root certificates
6. Extra Openfire configuring
7. Installing secret key & certificate

Have a nice discussion! - coop-systems.com


Post subject: Re: HOWTO: Java keytool in windows
Posted: Mon May 23, 2011 11:16 pm

Joined: Mon May 23, 2011 11:10 pm
Posts: 1
Hi,


I am trying to sign a jar file with keytool and am getting the following error at the final step (the steps mentioned in these posts were done, except the last one):

keytool -import -alias mykey -file organization.crt -keystore organization.keystore -storepass thepass
keytool error: java.lang.Exception: Failed to establish chain from reply

Could you help?
Thank you,


Post subject: Re: HOWTO: Java keytool in windows
Posted: Fri Jul 15, 2011 11:30 pm

Joined: Fri Jul 15, 2011 11:23 pm
Posts: 1
Location: ZA
I have just spent a fair bit of time getting this sorted myself, specifically the damn error - keytool error: java.lang.Exception: Failed to establish chain from reply

Eventually I found the simplest solution, so I thought I would post it for others' benefit.

You need to follow the steps in the various posts to install the Startcom certs, except there is one important thing I didn't read anywhere - if you are wanting to sign an object code cert you need the specific object code certs.

In the toolbox page under "Startcom CA Certificates" find "Class 2 Code Signing CA"

Once I imported this the problem was sorted...
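
The "Failed to establish chain from reply" error discussed in the two posts above appears when keytool cannot link the reply's issuer to a certificate already in the keystore. As an added example (not part of any post in this thread; the DNs, aliases and file names are constructed placeholders), this script walks the Owner/Issuer lines of saved `keytool -printcert` and `keytool -list -v` output and names the issuer that is missing:

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check, from saved keytool text output,
# whether a CA reply chains to a self-signed root already in the keystore.
# Compares DNs only; keytool additionally verifies each signature.

# Issuer DN of the certificate in `keytool -printcert -file reply.crt` output.
first_issuer() { sed -n 's/^Issuer: //p' "$1" | head -n 1; }

# Issuer DN of the `keytool -list -v` entry whose Owner equals $2 (empty if none).
issuer_of_owner() {
  want="$2" awk '
    /^Owner: /  { owner = substr($0, 8) }
    /^Issuer: / { if (owner == ENVIRON["want"]) { print substr($0, 9); exit } }
  ' "$1"
}

# Return 0 if the chain reaches a root; else print the missing DN and return 1.
check_chain() {
  local dn next depth=0
  dn=$(first_issuer "$1")
  while [ "$depth" -lt 10 ]; do
    next=$(issuer_of_owner "$2" "$dn")
    if [ -z "$next" ]; then echo "$dn"; return 1; fi
    if [ "$next" = "$dn" ]; then return 0; fi
    dn=$next; depth=$((depth + 1))
  done
  echo "loop or chain longer than 10"; return 1
}

# Constructed sample output; every DN here is a placeholder, not a real CA name.
write_samples() {
  printf '%s\n' 'Owner: CN=Example Org, O=Example Org' \
    'Issuer: CN=Constructed Code Signing CA, O=Constructed CA' > "$1/reply.txt"
  printf '%s\n' 'Alias name: startcom.ca' \
    'Owner: CN=Constructed Root CA, O=Constructed CA' \
    'Issuer: CN=Constructed Root CA, O=Constructed CA' \
    'Alias name: startcom.ca.sub' \
    'Owner: CN=Constructed Class 1 Server CA, O=Constructed CA' \
    'Issuer: CN=Constructed Root CA, O=Constructed CA' > "$1/before.txt"
  { cat "$1/before.txt"
    printf '%s\n' 'Alias name: codesign.ca' \
      'Owner: CN=Constructed Code Signing CA, O=Constructed CA' \
      'Issuer: CN=Constructed Root CA, O=Constructed CA'; } > "$1/after.txt"
}

dir=$(mktemp -d) && write_samples "$dir"
check_chain "$dir/reply.txt" "$dir/before.txt" || echo "^ issuer missing from keystore"
check_chain "$dir/reply.txt" "$dir/after.txt" && echo "chain complete after importing the intermediate"
```
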


Post subject: Re: HOWTO: Java keytool in windows
Posted: Thu Jul 31, 2014 5:58 pm

Joined: Thu Jul 31, 2014 5:18 pm
Posts: 12
I really liked this information.


Post subject: Re: HOWTO: Java keytool in windows
Posted: Tue Mar 17, 2015 6:27 am

Joined: Tue May 11, 2010 3:06 am
Posts: 2
I use a tool, also in Java, called Portecle: http://portecle.sourceforge.net/

This tool can create JKS (Java keystore), p12, pem and others, convert between them, request certificates, manage several keys and trust, and all this with a simple GUI.

I used keytool in the past; after finding Portecle, I use it for almost all my PKI needs.



All times are UTC + 2 hours [ DST ]

