 

Java Keystore PrivateKeyEntry vs trustedCertEntry

I'm renewing a certificate used by my Hadoop cluster. Current JKS has one entry:

Your keystore contains 1 entry

Alias name: myalias
Creation date: Jan 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1

I'm trying to create a new keystore from the new cert:

keytool -importcert -alias myalias -file newcertfile.crt -keystore newkeystore.jks

But I get asked about whether I trust this certificate (If I say no, keytool quits):

Trust this certificate? [no]:  yes

And when I look at the result, it's no longer a PrivateKeyEntry but a trustedCertEntry:

keytool -list -v -keystore newkeystore.jks
...
...
Your keystore contains 1 entry

Alias name: myalias
Creation date: Feb 20, 2019
Entry type: trustedCertEntry
...
...

What am I missing here? Should I just use the JKS with the trustedCertEntry or is there a way to make it just like the old JKS (with PrivateKeyEntry)?

asked Jun 28 '18 by yurmix


People also ask

What is the difference between TrustedCertEntry and PrivateKeyEntry?

A keystore used as a server's identity store holds PrivateKeyEntry items: a private key together with its certificate chain. A truststore holds trustedCertEntry items: public certificates only, no private keys, which a client uses to decide which servers to trust. Both are the same file format; the roles differ by what the entries contain.

What is PrivateKeyEntry in keystore?

public static final class KeyStore.PrivateKeyEntry extends Object implements KeyStore.Entry. A KeyStore entry that holds a PrivateKey and the corresponding certificate chain.

What is entry type TrustedCertEntry?

A trustedCertEntry has no private key associated with it, only the certificate and the public key it contains. keyEntry is the label older keytool versions printed for any key-bearing entry; current versions print PrivateKeyEntry for a private key with its associated CA-signed or self-signed certificate chain, and SecretKeyEntry for a symmetric key. A private key cannot be stored in a JKS without at least one certificate.

What is the difference between jks and PKCS12?

The biggest difference between JKS and PKCS12 is that JKS is a format specific to Java, while PKCS12 is a standardized and language-neutral way of storing encrypted private keys and certificates. PKCS12 has been the default keystore type since Java 9, and keytool warns when it writes a JKS file.


1 Answer

I eventually figured out that I have to supply the private key as well (as Roshith mentioned in the link he supplied).

So I started by first creating a pfx file:

openssl pkcs12 -export -out newcertbundle.pfx -inkey myprivate.key -in newcertfile.crt

And then converted it to jks:

keytool -importkeystore -srckeystore newcertbundle.pfx -srcstoretype PKCS12 -srcstorepass mypass -deststorepass mypass -destkeypass mypass -destkeystore newkeystore.jks

The only thing I couldn't figure out (but wasn't too important to me) was how to use an alias, so I went with a default one (when I tried specifying one I got: Alias does not exist. This is discussed here).

answered Sep 17 '22 by yurmix
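The two-step procedure from the answer, as an added end-to-end example that is not part of the original post or answer. It builds a throwaway CA and a CA-signed node certificate (constructed test data), bundles key, leaf and issuer into PKCS12, imports that into a JKS, and then checks that the result really is a PrivateKeyEntry with the full chain. It also runs the -importcert path from the question beside it so the trustedCertEntry outcome is visible. It assumes openssl and a JDK keytool on PATH; the password changeit, the hostname node1.example.test and the working directory are assumptions. The alias is carried through with openssl's -name and keytool's -srcalias/-destalias, which is the part the answer left open.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds a keystore that
# holds a PrivateKeyEntry (private key + full certificate chain) under the
# alias from the question, and contrasts it with what -importcert alone gives.
# Assumes: openssl and a JDK keytool on PATH. Names, passwords and the whole
# throwaway PKI below are constructed test data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit     # assumed password, used for store and key alike
ALIAS=myalias     # alias from the question

have_tools() {
  command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1
}

# Throwaway CA plus a CA-signed node certificate (constructed test data).
# A real renewal would use the certificate your CA issued; the shape is the same.
make_test_pki() {
  if [ -f "$WORK/newcertfile.crt" ]; then return 0; fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.example.test" \
    -keyout "$WORK/myprivate.key" -out "$WORK/node.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/newcertfile.crt" 2>/dev/null
}

# Step 1: bundle key, leaf and issuer into PKCS12. -name sets the friendly
# name, which keytool reads as the alias; -certfile adds the issuing CA so
# the imported chain is complete. The SHA1/3DES PBE and MAC choices keep the
# file readable by older JDKs, which cannot open the PBES2/AES bundles that
# OpenSSL 3 writes by default.
build_pkcs12() {
  openssl pkcs12 -export -name "$ALIAS" \
    -inkey "$WORK/myprivate.key" -in "$WORK/newcertfile.crt" \
    -certfile "$WORK/ca.crt" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$PASS" -out "$WORK/newcertbundle.pfx"
}

# Step 2: convert to JKS. -srcalias/-destalias keep the alias instead of
# leaving it to whatever name the PKCS12 carried.
build_jks() {
  rm -f "$WORK/newkeystore.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/newcertbundle.pfx" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -srcalias "$ALIAS" \
    -destkeystore "$WORK/newkeystore.jks" -deststoretype JKS \
    -deststorepass "$PASS" -destkeypass "$PASS" -destalias "$ALIAS" \
    >/dev/null 2>&1
}

# Step 3: the check. Prints "<entry type> <chain length>", e.g.
# "PrivateKeyEntry 2"; a trustedCertEntry has no chain line, hence "none".
entry_summary() {   # $1 = keystore file
  keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
    | awk -F': ' 'BEGIN { n = "none" }
                  /^Entry type:/ { t = $2 }
                  /^Certificate chain length:/ { n = $2 }
                  END { print t, n }'
}

# The answer's route: key + chain through PKCS12.
run_demo() {
  have_tools || { echo SKIP; return 0; }
  make_test_pki
  build_pkcs12
  build_jks
  entry_summary "$WORK/newkeystore.jks"
}

# The question's route: -importcert of the certificate alone. The private
# key never enters the store, so the result can only be a trustedCertEntry.
wrong_way() {
  have_tools || { echo SKIP; return 0; }
  make_test_pki
  rm -f "$WORK/certonly.jks"
  keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/newcertfile.crt" \
    -keystore "$WORK/certonly.jks" -storetype JKS -storepass "$PASS" \
    >/dev/null 2>&1
  entry_summary "$WORK/certonly.jks"
}

echo "importkeystore from PKCS12:  $(run_demo)"
echo "importcert of the cert only: $(wrong_way)"
```

Run it as is and the first line should read "PrivateKeyEntry 2" (leaf plus issuer, one more than the chain length of 1 in the old keystore, because the issuer was bundled in) and the second "trustedCertEntry none". If your renewed certificate was issued through an intermediate, pass that intermediate to -certfile as well, otherwise clients that do not already hold it will fail to build the chain. If either tool is missing the functions print SKIP and stop rather than fail.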