Friday, 11 September 2015

SSL Certificates Openssl Keytool Keystore

Creation of Keystore and CSR file

Follow the steps below to create the keystore:

Create a new folder on the D drive.
Example: D:/SSLCertificate
Open a command prompt.
Go to the D drive by entering d: and pressing ENTER.

Go to Program Files -> Java -> <JDK version> -> bin (keytool.exe lives in the JDK's bin folder).

Example: D:\Program Files\Java\jdk1.7.0_67\bin

Enter the command below at the command prompt to generate the keystore.

Command for creation of the keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore "<<Full path with folder name>>" -keysize 2048

Example:

keytool -genkey -alias tomcat -keyalg RSA -keystore "D:/SSLCertificateRenew/tomcat.keystore" -keysize 2048

Note: -genkey is the older spelling of -genkeypair; both work. The alias (tomcat here) is the entry Tomcat's Connector looks up (keyAlias in server.xml), so use the same alias in every command below.

After entering the above command it will ask for a password.
Enter the password "changeit" [all lower case], which is the Tomcat/keytool default,
or take the password from the keystorePass attribute of the HTTPS Connector in "D:\TrackWiseWeb\apache-tomcat\conf\server.xml". Whatever is used here must match that attribute, and "changeit" is a well-known default: use a real password on a production server.
The information below is mandatory and is asked for after the password (keytool prompts for the Common Name as "What is your first and last name?"):

Common Name = <<the fully qualified host name users connect to, i.e. the host part of the site URL, not the whole URL>>
Organizational Unit = <<Organization unit>>
Organization = <<Organization name>>
Locality = <<City where the server is located>>
State = <<State or province of that location>>
Country = <<2-letter ISO country code>>

Important Note: Common Name, Locality, State and Country change according to where the certificate is deployed. Organizational Unit and Organization do not change.

Once the information is provided, keytool echoes it back as a distinguished name (CN=..., OU=..., O=..., L=..., ST=..., C=...) and asks whether it is correct.

Enter yes to confirm. keytool then asks for a key password for <tomcat>; press ENTER to use the keystore password. Tomcat uses keystorePass for the key as well unless keyPass is set in server.xml, so a different key password makes the Connector fail with "Cannot recover key". This creates the keystore.

Below are the steps for creation of the CSR:
In the same command window enter the command below to create the CSR file.

Command for creation of the CSR:

keytool -certreq -keyalg RSA -alias tomcat -file "<<Full path for the CSR file>>" -keystore "<<Full path of the keystore file>>"

Example:

keytool -certreq -keyalg RSA -alias tomcat -file "D:/SSLCertificateRenew/certreq-twqaint_2013.csr" -keystore "D:/SSLCertificateRenew/tomcat.keystore"

Once the CSR command is entered, it will ask for the password. Enter the password "changeit" [all lower case], or whatever was used when the keystore was created.

Note: as written, the CSR carries only the Common Name. Browsers match the host name against the Subject Alternative Name, so unless the CA adds it for you, append -ext san=dns:<<host name>> to the -certreq command (check keytool -help on the JDK in use for the -ext option) and inspect the CSR before submitting it to the CA.

IMP Note: the keystore file holds the private key and is needed for the deployment; keep it in a safe location with access restricted to the people who deploy it.
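The following is an added example, not part of the original post. It shows the check worth running on the CSR before it goes to the CA: that it is self-consistent, that the key is at least 2048 bits, that the Common Name is the expected host, and that a matching DNS Subject Alternative Name is present. It runs in a POSIX shell (Git Bash or WSL on Windows) with only openssl; openssl stands in for keytool to build the two sample CSRs (one with a SAN, one without, as the page's plain -certreq produces) so the example runs without a JDK. The host name tomcat.example.com and the DN values are assumptions; the same check_csr function works unchanged on a .csr file written by keytool.

```shell
#!/bin/sh
# Added example (not from the original post): build two sample CSRs and check them
# before submission. Host name and DN values below are assumptions.
set -eu

HOST="tomcat.example.com"       # assumed; stands in for the page's <<Certificate URL>>
WORK="$(mktemp -d)"

# Request config: the DN fields the page asks for, plus an extension section that
# is only applied when -reqexts ext is given (so we get one CSR with and one without a SAN).
cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $HOST
OU = Web Team
O = Example Corp
L = Pune
ST = Maharashtra
C = IN
[ext]
subjectAltName = DNS:$HOST
EOF

# 2048-bit RSA key plus a CSR carrying the SAN (what keytool -certreq -ext san=dns:... gives)
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" -reqexts ext \
    -keyout "$WORK/tomcat.key" -out "$WORK/with_san.csr" 2>/dev/null
# Same key, CSR without a SAN (what the page's plain keytool -certreq gives)
openssl req -new -key "$WORK/tomcat.key" -sha256 -config "$WORK/req.cnf" \
    -out "$WORK/no_san.csr" 2>/dev/null

# check_csr <csr> <hostname>: returns 0 only if the CSR's self-signature verifies, the
# key is at least 2048 bits, the CN is the expected host, and a DNS SAN for it exists.
check_csr() {
    csr="$1"; host="$2"
    # "verify OK" goes to stderr in older OpenSSL and stdout in 3.x, hence 2>&1
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" \
        || { echo "$csr: self-signature does not verify"; return 1; }
    text="$(openssl req -in "$csr" -noout -text)"
    bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
    [ "${bits:-0}" -ge 2048 ] || { echo "$csr: key is only ${bits:-?} bits"; return 1; }
    # Subject prints as "CN = host" (1.1+/3.x) or "CN=host" (1.0); match both
    printf '%s\n' "$text" | grep -q "CN *= *$host" || { echo "$csr: CN is not $host"; return 1; }
    printf '%s\n' "$text" | grep -q "DNS:$host" || { echo "$csr: no subjectAltName for $host"; return 1; }
    echo "$csr: OK"
}

check_csr "$WORK/with_san.csr" "$HOST"            # prints "...with_san.csr: OK"
check_csr "$WORK/no_san.csr" "$HOST" || true      # prints "...no_san.csr: no subjectAltName ..."
```

To check a real CSR produced by keytool, run check_csr against that file and the host name from the Common Name; a CSR that fails the SAN check is the signal to regenerate it with -ext san=dns:... rather than hope the CA fills it in.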

Add certificate in keystore

Add the newly received SSL certificate to the keystore file that was generated in the previous steps.

Follow the steps below to import the .cer files into the keystore.

Open a command prompt.
Go to the D drive by entering d: and pressing ENTER.

Go to Program Files -> Java -> <JDK version> -> bin

Download the latest Primary.cer (the CA's root) and Secondary.cer (the intermediate) files from the CA's site. Keep the Primary and Secondary files in the same folder where the keystore was generated.
Import the Primary, Secondary and new certificate into the keystore, in that order. keytool rejects the certificate reply with "Failed to establish chain from reply" if the issuing chain is not already in the keystore (or in the JDK's cacerts file, which -trustcacerts lets it consult).

Command to import the Primary .cer file into the keystore:

keytool -import -alias root -keystore "<<Keystore path>>" -trustcacerts -file "<<Primary Cer file path>>"

Example:

keytool -import -alias root -keystore "D:/SSLCertificateRenewal/Latest/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenewal/Latest/primary.cer"

If keytool reports that the certificate already exists in the system-wide CA keystore and asks whether to add it to your own keystore anyway, answer yes.

Command to import the Secondary .cer file into the keystore:

keytool -import -alias intermediate -keystore "<<Keystore path>>" -trustcacerts -file "<<Secondary Cer file path>>"

Example:

keytool -import -alias intermediate -keystore "D:/SSLCertificateRenewal/Latest/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenewal/Latest/secondary.cer"

Command to import the new certificate into the keystore. The alias must be the alias of the key entry (tomcat): that is what makes keytool treat the file as the reply to the CSR and attach it to the private key instead of storing it as a separate trusted certificate.

keytool -import -alias tomcat -keystore "<<Keystore path>>" -trustcacerts -file "<<New certificate file path>>"

Example (a PKCS#7 .p7b reply, which keytool accepts directly):

keytool -import -alias tomcat -keystore "D:/SSLCertificateRenewal/Latest/tomcat.keystore" -trustcacerts -file "D:/SSLCertificateRenewal/Latest/cert.p7b"

A successful import ends with "Certificate reply was installed in keystore". Restart Tomcat afterwards so the Connector picks up the new certificate.


How to move an SSL certificate from Tomcat to Apache

Note: Keytool and OpenSSL are third-party tools which are not supported by Symantec.

Steps: 1) Get the TEPRD certificate with its keystore from the support team.

1.1: Use keytool to convert the keystore to a p12 file. Run the following keytool command:

keytool -importkeystore -srckeystore [originalkeystore] -destkeystore [new_keystore_mystore.p12] -deststoretype PKCS12 -srcstorepass [keystore_password] -deststorepass [new_password] -srcalias [original_alias] -destalias [new_alias] -srckeypass [original_alias_password] -destkeypass [new_password] -noprompt

(-srcalias/-destalias copy only that one key entry with its certificate chain. Passwords given on the command line end up in the console history; leave the -srcstorepass/-deststorepass options out to be prompted for them instead.)

1.2. The output file is [new_keystore_mystore.p12].

1.3. Use OpenSSL to extract the private key:

openssl.exe pkcs12 -in new_keystore_mystore.p12 -nocerts -out privatekey.pem

(OpenSSL asks for the p12 password and then for a PEM pass phrase to encrypt the exported key. Apache prompts for that pass phrase on every start unless SSLPassPhraseDialog is configured; add -nodes to write the key unencrypted and protect the file with file-system permissions instead.)

1.4. Use OpenSSL to extract the certificate:

openssl.exe pkcs12 -in new_keystore_mystore.p12 -clcerts -nokeys -out publicCert.pem

Save the two files (privatekey.pem and publicCert.pem) to the Apache server.

Step 2): Import the files into the Apache server:

2.1. Download the intermediate certificate. Symantec Intermediate CA certificates can be found here: AR657

2.2. Using a plain text editor, save the Intermediate CA certificate as intermediate.crt in the appropriate folder, then point SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile in the Apache SSL configuration at publicCert.pem, privatekey.pem and intermediate.crt respectively.

Worked run of the same sequence against a staging keystore (import order: root, then intermediate, then the certificate reply under the key alias):

keytool -import -alias root -keystore "D:/UpgradeRepos/_STAGING/Production_SSL/tomcat.keystore" -trustcacerts -file "D:/UpgradeRepos/_STAGING/Production_SSL/primary.cer"

keytool -import -alias intermediate -keystore "D:/UpgradeRepos/_STAGING/Production_SSL/tomcat.keystore" -trustcacerts -file "D:/UpgradeRepos/_STAGING/Production_SSL/secondary.cer"

keytool -import -alias tomcat -keystore "D:\UpgradeRepos\_STAGING\Production_SSL\tomcat.keystore" -trustcacerts -file "D:\UpgradeRepos\_STAGING\Production_SSL\cert.p7b"

Check what ended up in the keystore (the tomcat entry should now show the full chain and the new validity dates):

keytool -list -v -keystore "D:/SSL_PK7/SSLCertificate/tomcat.keystore"

Convert the keystore to PKCS#12 for OpenSSL (note that -noprompt takes a plain hyphen; a dash pasted from a document is not recognised):

keytool -importkeystore -srckeystore "D:/SSL_PK7/SSLCertificate/tomcat.keystore" -destkeystore "D:/SSL_PK7/SSLCertificate/tomcat.keystoreNew.p12" -deststoretype PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -srcalias "tomcat" -destalias "tomcat" -srckeypass "changeit" -destkeypass "changeit" -noprompt

3. Use OpenSSL to extract the private key and then the certificate from the new p12 file. If openssl.exe is not on the PATH, call it by its full path, e.g. D:\SSL_PK7\openssl-0.9.8e_X64\bin\openssl.exe (that 0.9.8 build is long out of support; use a current OpenSSL release).

openssl.exe pkcs12 -in "D:/SSL_PK7/SSLCertificate/tomcat.keystoreNew.p12" -nocerts -out "D:/SSL_PK7/SSLCertificate/privatekey.pem"

openssl.exe pkcs12 -in "D:/SSL_PK7/SSLCertificate/tomcat.keystoreNew.p12" -clcerts -nokeys -out "D:/SSL_PK7/SSLCertificate/publicCert.pem"

Note: the second command must use -clcerts -nokeys. With -nocerts (as in the key extraction) it would write the private key into publicCert.pem instead of the certificate.
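The following is an added example, not code from the original post or from Symantec's article. It runs in a POSIX shell with only openssl (Git Bash or WSL on Windows; the openssl commands are the same ones typed at cmd.exe) and stands in for the keytool steps with constructed material: a throwaway root CA (the page's "primary"), intermediate ("secondary") and server certificate, bundled into a PKCS#12 file of the shape keytool -importkeystore -deststoretype PKCS12 produces. It then performs the extraction of steps 1.3 and 1.4 with the two corrections noted above and verifies what came out: that the certificate chains to the root through the intermediate (the same root-then-intermediate rule the keystore import section depends on), that the extracted private key belongs to the extracted certificate, and that the certificate is not about to expire. The host name tomcat.example.com, the password changeit and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway PKI -> PKCS#12 -> PEM files for
# Apache, with the checks worth running on the result. Host name, password and file
# names are assumptions.
set -eu

HOST="tomcat.example.com"
PASS="changeit"                 # the page's default keystore password; never keep it in production
WORK="$(mktemp -d)"
OUT="$WORK/apache"; mkdir -p "$OUT"

# Minimal config: a DN section (openssl req wants one even with -subj) plus the
# extension sections that make the CA certs real CAs and the leaf a server cert.
cat > "$WORK/pki.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

# Constructed test PKI: root ("primary") -> intermediate ("secondary") -> server certificate
make_test_pki() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/pki.cnf" \
        -extensions v3_ca -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
        -subj "/CN=Test Intermediate CA" \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_ca \
        -out "$WORK/intermediate.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
        -subj "/C=IN/O=Example Corp/OU=Web Team/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_server \
        -out "$WORK/server.pem" 2>/dev/null
    cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Stand-in for keytool -importkeystore -deststoretype PKCS12: key entry "tomcat" with its full chain
build_p12() {
    openssl pkcs12 -export -name tomcat -inkey "$WORK/server.key" -in "$WORK/server.pem" \
        -certfile "$WORK/chain.pem" -passout "pass:$PASS" -out "$WORK/tomcat.p12"
}

# The page's steps 1.3/1.4, corrected: -nodes so Apache does not prompt for a pass phrase at
# every start (so the file is locked down instead), and -clcerts -nokeys (not -nocerts) so
# that publicCert.pem holds the certificate rather than a second copy of the private key.
extract_for_apache() {
    openssl pkcs12 -in "$WORK/tomcat.p12" -passin "pass:$PASS" -nocerts -nodes -out "$OUT/privatekey.pem" 2>/dev/null
    chmod 600 "$OUT/privatekey.pem"
    openssl pkcs12 -in "$WORK/tomcat.p12" -passin "pass:$PASS" -clcerts -nokeys -out "$OUT/publicCert.pem" 2>/dev/null
    openssl pkcs12 -in "$WORK/tomcat.p12" -passin "pass:$PASS" -cacerts -nokeys -out "$OUT/chain.pem" 2>/dev/null
}

# verify_chain <trusted root> <intermediate> <leaf>: 0 if the leaf chains to the root.
# Same rule keytool applies on import: the root must be trusted, the intermediate only present.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# key_matches_cert <key.pem> <cert.pem>: 0 if both carry the same public key
key_matches_cert() {
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)"
    c="$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# not_expiring_within <cert.pem> <seconds>: 0 if the certificate stays valid that long
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

make_test_pki
build_p12
extract_for_apache
verify_chain "$WORK/root.pem" "$WORK/intermediate.pem" "$OUT/publicCert.pem" && echo "chain OK"
key_matches_cert "$OUT/privatekey.pem" "$OUT/publicCert.pem" && echo "key matches certificate"
not_expiring_within "$OUT/publicCert.pem" 604800 && echo "valid for at least 7 more days"
```

The negative cases are the instructive ones: verify_chain with the intermediate as the only trusted certificate fails, because OpenSSL, like keytool, only accepts a chain that ends in a self-signed root unless explicitly told otherwise, which is why the "primary" file has to be imported as well; and key_matches_cert against the wrong key fails, which is the check to run whenever Apache reports a key/certificate mismatch after a renewal.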
