Java keytool easy way to add server cert from url/port

I have a server with a self signed certificate, but also requires client side cert authentication. I am having a rough time trying to get the raw CA server cert so I can import it into a keystore. Anyone have some suggestions on how to easily do that? Thanks.

wuntee asked Sep 10 '10 14:09



2 Answers

Was looking at how to trust a certificate while using jenkins cli, and found https://issues.jenkins-ci.org/browse/JENKINS-12629 which has some recipe for that.

This will give you the certificate:

openssl s_client -connect ${HOST}:${PORT} </dev/null 

if you are interested only in the certificate part, cut it out by piping it to:

| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' 

and redirect to a file:

> ${HOST}.cert 

Then import it using keytool:

    keytool -import -noprompt -trustcacerts -alias ${HOST} -file ${HOST}.cert \
        -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

In one go:

    HOST=myhost.example.com
    PORT=443
    KEYSTOREFILE=dest_keystore
    KEYSTOREPASS=changeme

    # get the SSL certificate
    openssl s_client -connect ${HOST}:${PORT} </dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

    # create a keystore and import certificate
    keytool -import -noprompt -trustcacerts \
        -alias ${HOST} -file ${HOST}.cert \
        -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

    # verify we've got it.
    keytool -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST}
dnozay answered Sep 18 '22 15:09


I use openssl, but if you prefer not to, or are on a system (particularly Windows) that doesn't have it, since java 7 in 2011 keytool can do the whole job:

    keytool -printcert -sslserver host[:port] -rfc >tempfile
    keytool -import [-noprompt] -alias nm -keystore file [-storepass pw] [-storetype ty] <tempfile

    # or with noprompt and storepass (so nothing on stdin besides the cert) piping works:
    keytool -printcert -sslserver host[:port] -rfc | keytool -import -noprompt -alias nm -keystore file -storepass pw [-storetype ty]

Conversely, for java 9 up always, and for earlier versions in many cases, Java can use a PKCS12 file for a keystore instead of the traditional JKS file, and OpenSSL can create a PKCS12 without any assistance from keytool:

    openssl s_client -connect host:port </dev/null | openssl pkcs12 -export -nokeys [-name nm] [-passout option] -out p12file
    # <NUL on Windows
    # default is to prompt for password, but -passout supports several options
    # including actual value, envvar, or file; see the openssl(1ssl) man page
dave_thompson_085 answered Sep 20 '22 15:09
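A fuller version of the openssl + keytool recipe from the two answers above, added here as an example and not taken from either answer: it pulls the whole chain with -showcerts, prints each certificate's SHA-256 fingerprint so it can be compared with a value obtained out of band (the same value keytool -list -v shows after import), and imports only when the fingerprint matches. HOST, PORT, KEYSTOREFILE, KEYSTOREPASS and EXPECTED_SHA256 are hypothetical variables the caller sets; openssl and keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the answers above. Fetches the server's certificate chain,
# shows each certificate's SHA-256 fingerprint for out-of-band comparison, and imports
# the chain's last certificate only if it matches EXPECTED_SHA256.
# Assumes openssl and keytool are on PATH; HOST, PORT, KEYSTOREFILE, KEYSTOREPASS and
# EXPECTED_SHA256 are hypothetical variables the caller exports.
set -u

# Split s_client output into $2/cert1.pem, $2/cert2.pem, ...; prints the number written.
# With -showcerts the leaf comes first and the issuers follow; without it only the leaf appears.
split_pem_certs() {            # $1 = file holding s_client output, $2 = output dir
    awk -v dir="$2" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert" n ".pem" }
        out                   { print > out }
        /-END CERTIFICATE-/   { close(out); out = "" }
        END                   { print n + 0 }' "$1"
}

# SHA-256 fingerprint of a PEM certificate, in the colon form keytool -list -v prints.
pem_fingerprint() {            # $1 = PEM file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

fetch_and_import() {
    tmp=$(mktemp -d)
    # </dev/null closes the session once the handshake output is printed; the server's
    # certificate is printed even if the handshake then fails for want of a client cert.
    openssl s_client -connect "${HOST}:${PORT}" -servername "${HOST}" -showcerts \
        </dev/null 2>/dev/null >"$tmp/s_client.out"
    count=$(split_pem_certs "$tmp/s_client.out" "$tmp")
    [ "$count" -gt 0 ] || { echo "no certificate received from ${HOST}:${PORT}" >&2; return 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'cert%s subject: ' "$i"; openssl x509 -in "$tmp/cert$i.pem" -noout -subject
        printf 'cert%s SHA-256: %s\n' "$i" "$(pem_fingerprint "$tmp/cert$i.pem")"
        i=$((i + 1))
    done
    # Trust the last certificate: the self-signed cert itself, or the chain's root.
    ca="$tmp/cert$count.pem"
    if [ "$(pem_fingerprint "$ca")" != "${EXPECTED_SHA256:-}" ]; then
        echo "fingerprint mismatch: refusing to import" >&2; return 1
    fi
    keytool -importcert -noprompt -trustcacerts -alias "${HOST}" -file "$ca" \
        -keystore "${KEYSTOREFILE}" -storepass "${KEYSTOREPASS}"
}

# Network part runs only when invoked as 'sh script.sh run', so the file can be sourced for its functions.
case "${1:-}" in run) fetch_and_import ;; esac
```

Run it as `HOST=myhost.example.com PORT=443 KEYSTOREFILE=dest_keystore KEYSTOREPASS=changeme EXPECTED_SHA256=AA:BB:... sh fetch-cert.sh run`, with the expected fingerprint taken from the server's operator rather than from the connection itself.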