Keytool Import PFX Certificate

Hi,

I need help to import a certificate in Tomcat. My actual certificate expired in January and I have a new certificate in PFX format. I followed these steps to renew the certificate but I can't see the new certificate:

1- Generate the Keystore with this command:  keytool -genkey -keystore SecretariatQA -keyalg RSA -sigalg md5withrsa

2- Import the certificate in Keystore with this command: keytool -import -alias tomcat -file d:\SecretariatQA.pfx -keystore secretariatqa

Would I be failing to see the change with the new certificate? Is the alias name OK, or would it have to be the URL?

Thanks
certificado.jpg
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Asked:

CEHJCommented:
>>-keystore SecretariatQA

Is that really where your keystore is as far as Tomcat is concerned?

0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
How can I check if it is my keystore for Tomcat?
0
CEHJCommented:
Don't specify a keystore location unless you're also doing that in the server config
0

Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
In my server.xml in the Tomcat directory I have these lines:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:/Appls/Java/jre1.5.0_11/bin/secretariatqa"
               keystoreType="pkcs12"
               keystorePass="XxxXxXxX"/>

Is it OK?
0
CEHJCommented:
But I'm confused:

>> My actual certificate expired in January and i have a new Certificate in PFX Format.

>>keytool -genkey

Why are you generating one in that case?
0
CEHJCommented:
>>keystoreFile="D:/Appls/Java/jre1.5.0_11/bin/secretariatqa"

Don't use a location inside the runtime - that's volatile. Also, that's not the exact path you used with genkey
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
Sorry, I don't know what the correct steps are.
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
What would be the correct steps to import the certificate again? Sorry, but I do not know this.
0
CEHJCommented:
Try
keytool -importcert -alias tomcat -file x.pfx -keystore D:\Appls\Java\jre1.5.0_11\bin\secretariatqa

0
CEHJCommented:
(After having changed the keystore to something more sensible ;))
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
I see this error:

Illegal option:  -importcert
0
CEHJCommented:
You could have a slightly different keytool than me. Run it without args to find out the format for the import command
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
I have these arguments for import:

-import      [-v] [-noprompt] [-trustcacerts] [-protected]
             [-alias <alias>]
             [-file <cert_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providerName <name>]
             [-providerClass <provider_class_name> [-providerArg <arg>]] ...

Do I only need to replace importcert with import and it's OK?
0
CEHJCommented:
>>I only need replace importcert for import and its ok?

Should be. Obviously the path to the certificate file has to be correct
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
yeap :)
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
I have this error:

D:\Appls\Java\jre1.5.0_11\bin>keytool -import -alias tomcat -file d:\Secreqa.pfx -keystore D:\Appls\Java\jre1.5.0_11\bin\SecretariatQA
Enter keystore password:  XXxxxx
keytool error: java.lang.Exception: Input not an X.509 certificate
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
Sorry, but I don't understand. I have the PFX (certificate with private key); I tried importing only the .cer, but when I import it and restart the Tomcat service I see the old certificate.
0
CEHJCommented:
>>i try import only .cer

With what command?
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
keytool -import -alias tomcat -file d:\SecretariatQA.cer -keystore secretariatqa
0
CEHJCommented:
Try using the full path to the keystore. If that doesn't work, attach that public key file to this question and I'll test to ensure it's doable
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
This is the Tomcat 5 log.
catalina.2010-03-27.log
0
CEHJCommented:
>> but when i import i restart tomcat service and i see the old certificate.

How do you determine that from the log file? The problem seems to be that there's something wrong with doing IO on the cert
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
Sorry, when I import a certificate now I can't see anything; I get an error "The page cannot be displayed".
But if I restore the old keystore from a backup I can see the old certificate, and the site works OK.
Apologies for my confusion.

What would be the steps to import a certificate from PFX Certificate to tomcat?

1 - Generate a keystore if it doesn't exist? How?
2 - Import the certificate. How?

Is that error caused by the certificate? If you need, I can upload any file.

Currently the site is showing the error "page cannot be displayed".

Sorry, but I am really confused with this. Thank you very much for helping me.
0
CEHJCommented:
First of all, list the keystore that you're using with Tomcat

keytool -list -keystore <path to keystore>
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Mar 27, 2010, trustedCertEntry,
Certificate fingerprint (MD5): A9:94:BD:38:01:C3:E9:1C:18:90:91:25:64:B0:5C:5D
mykey, Mar 27, 2010, keyEntry,
Certificate fingerprint (MD5): 87:36:A5:EC:DB:E7:9F:6F:A9:E1:C3:97:59:55:5C:B4
0
CEHJCommented:
The first one is correct and shows that it has been imported. That's the one you attached to this question. Make sure you're using the correct alias (tomcat) in your server config
0
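A configuration check that would have flagged the two mismatches visible in this thread (a Connector declaring keystoreType="pkcs12" for a file keytool reports as jks, and a `tomcat` alias listed as a trustedCertEntry, i.e. a certificate with no private key). This is an added example, not code from the thread or from Tomcat; it assumes Tomcat looks up the alias named by keyAlias, defaulting to `tomcat` as used throughout this thread, and the keytool listing and Connector below are constructed from the posts above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the listing the asker posted ("tomcat" holds a certificate only, no key).
KEYTOOL_LIST = """Keystore type: jks
Your keystore contains 2 entries

tomcat, Mar 27, 2010, trustedCertEntry,
Certificate fingerprint (MD5): A9:94:BD:38:01:C3:E9:1C:18:90:91:25:64:B0:5C:5D
mykey, Mar 27, 2010, keyEntry,
Certificate fingerprint (MD5): 87:36:A5:EC:DB:E7:9F:6F:A9:E1:C3:97:59:55:5C:B4
"""

# Constructed sample modelled on the asker's first Connector (keystoreType="pkcs12").
SERVER_XML = """<Server><Service><Connector port="443" scheme="https" secure="true"
    sslProtocol="TLS" keystoreFile="D:/Appls/Tomcat5/Certs/secretariat"
    keystoreType="pkcs12" keystorePass="XxxXxXxX"/></Service></Server>"""

KEY_KINDS = {"keyEntry", "PrivateKeyEntry"}  # JDK 5/6 wording and newer keytool wording

def parse_keytool_list(text):
    """Return (keystore_type, {alias: entry_kind}) from `keytool -list` output."""
    ks_type, entries = None, {}
    for line in text.splitlines():
        if line.startswith("Keystore type:"):
            ks_type = line.split(":", 1)[1].strip().lower()
        parts = [p.strip() for p in line.split(",")]
        if len(parts) >= 3 and parts[-1] == "":  # "<alias>, <date>, <kind>,"
            entries[parts[0]] = parts[-2]
    return ks_type, entries

def https_connector(xml_text):
    """Attributes of the first Connector declared with scheme="https"."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") == "https":
            return conn.attrib
    return None

def check_tls_config(connector, listing):
    """Report what would stop Tomcat from serving a certificate from this keystore."""
    ks_type, entries = parse_keytool_list(listing)
    problems = []
    declared = connector.get("keystoreType", "jks").lower()
    if declared != ks_type:
        problems.append("keystoreType %s does not match keystore type %s" % (declared, ks_type))
    alias = connector.get("keyAlias", "tomcat")  # assumption: alias "tomcat" as in this thread
    kind = entries.get(alias)
    if kind is None:
        problems.append("alias %s not found in keystore" % alias)
    elif kind not in KEY_KINDS:
        problems.append("alias %s is a %s: certificate only, no private key" % (alias, kind))
    return problems
```

Run it against the real output of `keytool -list -keystore <path>` and the live server.xml before restarting Tomcat; an empty list means the keystore at least holds a private key under the alias Tomcat will use.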
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
This is the config:
server.xml
0
CEHJCommented:
If you don't need that other thing in the keystore I'd delete it. Then restart Tomcat and watch the log
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Mar 27, 2010, trustedCertEntry,
Certificate fingerprint (MD5): A9:94:BD:38:01:C3:E9:1C:18:90:91:25:64:B0:5C:5D

and the log:

catalina.2010-03-27.log
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
I think the problem is with the public or private key of the certificate? Because when I import I use

 keytool -import -alias tomcat -file d:\Secre.cer -keystore .keystore

But the .cer has no private key. Is that possible?
0
CEHJCommented:
I think you might like at this point to google on

"DerInputStream.getLength(): lengthTag=109, too big."

as I'm afraid I'm not sure what the exact problem is at this point
0

Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
I found a solution: I only need to modify in server.xml the full path to the .pfx. No need for a keystore.

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:/secreqa.pfx"
               keystoreType="pkcs12"
               keystorePass="XXxXxxxXxx"/>

But I think I have a problem with the private key in my original keystore; I found this article on exporting the private key with openssl.

http://www.readylines.com/openssl-one-liners-examples


The only thing I still don't know is how to generate the keystore with the private key and publish both in order to replace the PFX.

You helped me a lot to find the solution; thank you very much for the help. I will accept the final solution as yours so you are assigned the points.

Thanks a lot

0
CEHJCommented:
:-)
0
Mick BarryJava DeveloperCommented:
>  I will accept the final solution is yours so you assign the points.

Don't accept an answer that is wrong. That is not how EE works.
If you answer the question yourself you should accept your own for the benefit of others reading this question in the future.

0
CEHJCommented:
>>Since it is a public key file only, I see no cryptographic security risk, but there is potential identifying information in the certificate

... which of course will be available once the public key is made .. er .. public
0
Mick BarryJava DeveloperCommented:
> Since it is a public key file only

did you check it?  A certificate with just a public key is not much use to tomcat

> I found a solution only need modify in server.xml full path to .pfx only. No need keystore.

CEHJ actually suggested *not* doing that in his earlier comment
0
Mick BarryJava DeveloperCommented:
thanks mate :)
0
CEHJCommented:
>>Some askers care and some don't (about the issue of anonymity).

OK - I see what you mean
0
Gonzalo Becerra, SharePoint - Technical Lead for Operations & Engineering Team - Supervising Associate, Author Commented:
1- Generate a Keystore:
keytool -genkey -alias tomcat -keyalg RSA -keystore D:\Appls\Tomcat5\Certs\secretariat

2- Generate a Request:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore D:\Appls\Tomcat5\Certs\secretariat

3- Import a Root CA
keytool -import -alias root -keystore D:\Appls\Tomcat5\Certs\secretariat -trustcacerts -file D:\Appls\Tomcat5\Certs\Tenaris_Root_CA.cer

4- Import Second Chain:
keytool -import -alias root2 -keystore "D:\Appls\Tomcat 5.5\Certs\secretariat" -trustcacerts -file "D:\Appls\Tomcat 5.5\Certs\Tenaris_Intermediate_CA.crt"

5- Import Third Chain:
keytool -import -alias root3 -keystore D:\Appls\Tomcat5\Certs\secretariat -trustcacerts -file D:\Appls\Tomcat5\Certs\TNSWPK03.tenaris.techint.net_Tenaris_Issuing_1_CA.crt

6- Import Fourth Chain:
keytool -import -alias root4 -keystore "D:\Appls\Tomcat 5.5\Certs\secretariat" -trustcacerts -file "D:\Appls\Tomcat 5.5\Certs\TNSWPK04.tenaris.techint.net_Tenaris_Issuing_2_CA.crt"

7- Import a Certificate:
keytool -import -alias secretariat -keystore "D:\Appls\Tomcat 5.5\Certs\secretariat" -trustcacerts -file "D:\Appls\Tomcat 5.5\Certs\%CertificateName%"

8- Edit server.xml in the Tomcat directory:
Add these attributes (keystoreFile="D:\Appls\Tomcat5\Certs\secretariat" keystorePass="changeit") to:

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />

9- Reset the Tomcat service.
0