shifahim
Reputation: 137
Unable to find details of private key in JKS
I generated a JKS using this command:
keytool -genkey -alias $1 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=$3,OU=$4,O=$5,L=$6,S=$7,C=$8" -keypass $9 -keystore keystore.jks -storepass ${10} -validity 375
$1 to $10 all being variables stored in a file.
I then generated a CSR using this command.
keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr
I then applied for Digi sign CA cert. I received the below 4 certs which i imported in my JKS.
Alias, Filename and details below:
root AddTrustExternalCARoot.crt Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
inter USERTrustRSAAddTrustCA.crt Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
inter_second DigiSignCADigiSSL.crt Owner: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
mydomain mydomain_com.crt Owner: CN=mymac1.com, OU=Digi-SSL Xp, OU=Provided by Digi-Sign Limited, OU=Batel Affinity, O=Batel & Moss Group, L=Texas, ST=NJ, C=US Issuer: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE
Imported them in JKS using the below command:
keytool -import -v -alias "root" -file AddTrustExternalCARoot.crt -keystore keystore.jks
keytool -import -v -alias "intermediate1" -file USERTrustRSAAddTrustCA.crt -keystore keystore.jks
keytool -import -v -alias "intermediate2" -file DigiSignCADigiSSL.crt -keystore keystore.jks
keytool -import -v -alias "USWL1212CONPERF01" -file mydomain_com.crt -keystore keystore.jks
When i set the JKS in weblogic i get this exception in WebLogic Server logs:
####<Jul 31, 2017 11:07:14 AM CDT> <Error> <WebLogicServer> <sysa5av> <ISIS01> <[ACTIVE] ExecuteThread: '34' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1501517234413> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: No identity key/certificate entry was found under alias mydomain in keystore /web/bea/mydomains/config/keystore.jks on server MS1.>
i tried changing my JKS to PKCS12 format so that i can see what my private key and alias is but that too failed with the below error:
keytool -v -importkeystore -srckeystore keystore.jks -srcalias certificatekey -destkeystore myp12file.p12 -deststoretype PKCS12
Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported.
i Then tried the java program here: keytool - see the public and private keys
But the output does not show any private keys. I used the alias mydomain. Could be the alias for the privatekey is wrong as it was populated using variables as shown in the first command of this post. What would be the solution in that case ? How could i retrieve the alias and the private key for the certificate that digisign gave me ?
If the alias is correct why am i getting error starting the weblogic server ?
Incase needed, I'm also sharing the output of
keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
Alias name: root
Creation date: Jul 31, 2017
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 1
Valid from: Tue May 30 06:48:38 EDT 2000 until: Sat May 30 06:48:38 EDT 2020
Certificate fingerprints:
MD5: 1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
SHA1: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
SHA256: 68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7 FA C4 26 54 EF 03 BD E0 ...z4.&...&T....
0010: 24 CB 54 1A $.T.
]
[CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE]
SerialNumber: [ 01]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
Crl_Sign
]
#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7 FA C4 26 54 EF 03 BD E0 ...z4.&...&T....
0010: 24 CB 54 1A $.T.
]
]
*******************************************
*******************************************
Alias name: mydomain
Creation date: Jul 31, 2017
Entry type: trustedCertEntry
Owner: CN=mymac1.com, OU=Digi-SSL Xp, OU=Provided by Digi-Sign Limited, OU=Batel Affinity, O=Batel & Moss Group, L=Texas, ST=NJ, C=US
Issuer: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE
Serial number: 6f70e9e8abce2003529156bf5cb98a1f
Valid from: Sun Jul 16 20:00:00 EDT 2017 until: Tue Jul 17 19:59:59 EDT 2018
Certificate fingerprints:
MD5: 9A:F1:62:71:C4:02:C2:C1:64:87:84:A2:07:EA:1A:07
SHA1: A0:BF:8A:61:D7:AE:82:A6:EE:4B:EB:E0:22:19:73:2E:FC:85:F8:AC
SHA256: 56:1D:22:04:4B:E5:9D:09:1E:0C:FD:36:33:0B:E7:49:DB:C0:37:2D:93:24:F1:B1:8B:6E:27:D5:D9:76:3D:59
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://crt.usertrust.com/DigiSignCADigiSSL.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.usertrust.com
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 78 29 0F AE CD 90 2C C0 DC D2 7A D4 9B 5F 9C 45 x)....,...z.._.E
0010: E0 88 A8 2C ...,
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.usertrust.com/DigiSignCADigiSSL.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.9]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 19 68 74 74 70 73 3A 2F 2F 63 70 73 2E 75 73 ..https://cps.us
0010: 65 72 74 72 75 73 74 2E 63 6F 6D ertrust.com
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: mymac1.com
DNSName: www.mymac1.com
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F 71 B1 50 5A 94 A7 0E 4E 1C B6 7E 6D 06 43 90 ?q.PZ...N...m.C.
0010: 90 5F 86 AF ._..
]
]
*******************************************
*******************************************
Alias name: intermediate2
Creation date: Jul 31, 2017
Entry type: trustedCertEntry
Owner: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 1b3249d255747b4e23feb384e5cdcab5
Valid from: Thu Nov 06 19:00:00 EST 2014 until: Wed Nov 06 18:59:59 EST 2024
Certificate fingerprints:
MD5: 71:BC:96:90:5B:38:8F:01:4C:32:90:06:90:D3:CF:51
SHA1: 70:60:8B:40:D0:B7:76:17:4A:4E:D8:54:16:58:27:70:B3:07:B9:05
SHA256: EC:0E:91:6E:74:AB:F1:50:D7:26:9B:A8:85:AE:6C:74:1E:48:78:55:CF:DD:00:21:B1:F9:25:0E:0F:02:40:A4
Signature algorithm name: SHA384withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
accessMethod: ocsp
accessLocation: URIName: http://ocsp.usertrust.com
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF 54 80 E1 D8 9B C0 9D F2 Sy.Z.+J.T.......
0010: B2 03 66 CB ..f.
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.9]
[] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 78 29 0F AE CD 90 2C C0 DC D2 7A D4 9B 5F 9C 45 x)....,...z.._.E
0010: E0 88 A8 2C ...,
]
]
*******************************************
*******************************************
Alias name: intermediate1
Creation date: Jul 31, 2017
Entry type: trustedCertEntry
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 13ea28705bf4eced0c36630980614336
Valid from: Tue May 30 06:48:38 EDT 2000 until: Sat May 30 06:48:38 EDT 2020
Certificate fingerprints:
MD5: DB:78:CB:D1:90:95:27:35:D9:40:BC:80:AC:24:32:C0
SHA1: EA:B0:40:68:9A:0D:80:5B:5D:6F:D6:54:FC:16:8C:FF:00:B7:8B:E3
SHA256: 1A:51:74:98:0A:29:4A:52:8A:11:07:26:D5:85:56:50:26:6C:48:D9:88:3B:EA:69:2B:67:B6:D7:26:DA:98:C5
Signature algorithm name: SHA384withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.usertrust.com
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7 FA C4 26 54 EF 03 BD E0 ...z4.&...&T....
0010: 24 CB 54 1A $.T.
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[] ]
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF 54 80 E1 D8 9B C0 9D F2 Sy.Z.+J.T.......
0010: B2 03 66 CB ..f.
]
]
*******************************************
*******************************************
Please Suggest & let me know if you need more information.
Upvotes: 1
Views: 3716
Answers (1)
Imtiyaz J
Reputation: 19
It doesnt looks like you added the public certificates from CA to the same keystore.jks file.
Can you try to run keytool with just the list command without verbose option?
keytool -list -keystore keystore.jks -storepass <your storepass>
Upvotes: 0
Related Questions
- How to access certificate details and private key from AWS certificate manager in java to build SSLContext?
- How to find private key of SSL certificate generated via Marklogic certificates template?
- how to generate a private key certificate using keytool
- keytool - see the public and private keys
- adding private key to a keystore
- Unable to convert .jks to .pkcs12: excess private key
- Get private key from PEM
- How to get private key of a pkcs12 certificate that I created using keytool
- link between private key and signed certificate in keystore
- Read PrivateKey from WAS KeyStore