Security :: Can't Import A Cert - Signed With OpenSSL- Into A Java Key Store Using Keytool
Feb 11, 2011
When I do a "openssl x509 -in server1.pem -issuer -noout" after I've supposedly signed it with the CA, the issuer is, for some reason, the DN string of server1. If server1 generated the CSR, and it is coming up as issued by server1, doesn't that indicate a self-signed cert? How could the CA be producing a cert that has an issuer of another server? Am I just completely off base? Sorry, I'm a bit of a newb with the SSL pieces.
I hope this is the right place for this, but I'm having some difficulty using the java keytool and OpenSSL tool on a Solaris system.
I have a server (CA server) with OpenSSL installed that I would like to use as a Certificate Authority. The second server (server1) is a WebLogic server with JDK 1.6.0_21. I'm trying to configure it to use a certificate that has been signed by server1.
For some reason it keeps giving me this error when I try to import the signed SSL certificate:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Am I doing something wrong in this whole process?
1) Generate the Private Key for the CA server
openssl genrsa -out CA.key -des 2048
2) Generate the CSR on the CA
openssl req -new -key CA.key -out CA.csr
3) Sign the new CSR so that it can be used as the root certificate
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 730 -req -in CA.csr -out CA.pem -extfile /usr/local/ssl/openssl.cnf
4) On server1, create Server Private Key KeyStore
keytool -genkey -alias server1 -keysize 2048 -keyalg RSA -keystore server1.jks -dname "CN=server1.domain.com,OU=Organization,O=Company,L=City,ST=State,C=US"
5) On server1, create a CSR from the recently created Private Key
keytool -certreq -alias server1 -sigalg SHA1WithRSA -keystore server1.jks -file server1.csr
6) Transfer the CSR over to the CA (server1) so that it can be signed
openssl x509 -extensions v3_ca -trustout -signkey CA.key -days 365 -req -in server1.csr -out server1.pem -extfile /usr/local/ssl/openssl.cnf
7) Transfer CA Public Cert to server1 and Import into keytool
keytool -import -trustcacerts -alias CA_Public -file CA.pem -keystore server1.jks
8) Import recently signed CSR to app server keystore (This is where I receive the error)
keytool -import -trustcacerts -alias server1 -file server1.pem -keystore server1.jks
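The symptom in the post above (issuer equal to server1's own DN, and keytool refusing the reply because the public keys differ) is what "openssl x509 -req -signkey" produces: it self-signs the request with the supplied key instead of issuing from the CA, and with the post's OpenSSL generation it also swaps in the signing key's public key. The script below is an added example, not code from the post: it builds a throwaway CA, signs one CSR both the post's way and with -CA/-CAkey, and runs the issuer and public-key checks that keytool performs; all file names and DNs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce "issuer = server1" and fix it.
# File names and DNs below are constructed for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway root CA (no passphrase, demo only) and a server key + CSR,
# standing in for what keytool -certreq exports from server1.jks.
openssl genrsa -out CA.key 2048 2>/dev/null
openssl req -new -x509 -key CA.key -subj "/CN=Demo Root CA/O=Example" \
    -days 365 -out CA.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout server1.key \
    -subj "/CN=server1.example.com/O=Example" -out server1.csr 2>/dev/null

# sign_csr MODE OUT: "signkey" is the post's step 6 (self-signs the request
# with CA.key); "ca" issues the certificate from the CA instead.
sign_csr() {
    case "$1" in
        signkey) openssl x509 -req -in server1.csr -signkey CA.key \
                     -days 365 -out "$2" 2>/dev/null ;;
        ca)      openssl x509 -req -in server1.csr -CA CA.pem -CAkey CA.key \
                     -CAcreateserial -days 365 -out "$2" 2>/dev/null ;;
    esac
}

# Prints "ok" when the certificate carries the CSR's public key; this is the
# check behind keytool's "Public keys in reply and keystore don't match".
pubkey_matches_csr() {
    csr=$(openssl req -in server1.csr -pubkey -noout | openssl sha256)
    crt=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
    [ "$csr" = "$crt" ] && echo ok || echo mismatch
}

# Prints "ok" when the certificate's issuer is the CA's subject DN.
issued_by_ca() {
    ca=$(openssl x509 -in CA.pem -subject -noout | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -issuer -noout | sed 's/^issuer=//')
    [ "$ca" = "$iss" ] && echo ok || echo "not-ca: $iss"
}

sign_csr signkey wrong.pem   # what the post's step 6 does
sign_csr ca right.pem        # the fix
for f in wrong.pem right.pem; do
    echo "$f: issuer=$(issued_by_ca "$f") pubkey=$(pubkey_matches_csr "$f")"
done
# Chain check that keytool -import -trustcacerts performs on server1:
openssl verify -CAfile CA.pem right.pem
```

Step 6 in the post also passes -extensions v3_ca, which marks the server certificate itself as a CA; a server certificate should be issued with a non-CA extension section from openssl.cnf.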
Jan 14, 2011
Updating my install of OpenSUSE from 11.0 to 11.3, I notice that the Nagios network monitor can no longer probe servers with self-signed certs. It appears that any monitor that uses openssl 1.0.0 has this issue. If I install the openssl 0.9.8 libraries and use old plugins linked against it, they work fine.
Aug 9, 2011
I'm about to create a CSR and was reading this page in the Ubuntu docs: [URL] A couple of things:
* There's no date on the article. The documentation needs DATES because this information gets out of date! Check MySQL docs, for instance -- they are organized by version.
* The instructions for generating a cert only specify 2048 bits. I believe that's kind of out of date? The verisign site has big red warnings saying you need 2048 if you want your cert to last past 2013 -- and that article is 4 years old!
* The instructions are confusing when discussing the passphrase. We enter a passphrase only to remove it immediately. We need some clarity here. Why do this?
How to understand the current best practices for generating an HTTPS cert for apache and/or mail access?
Jun 24, 2011
I've got an uber simple test mail script in php on my awesome new dev machine running Ubuntu:
PHP Code:
Unfortunately, something is preventing mail delivery. I can't tell from this error log whether it's the remote machine rejecting me or whether it's my machine rejecting the self-signed cert on the remote machine:
Code:
I'm wondering what I could change in my postfix configuration to remedy this problem.
I tried setting smtp_tls_security_level = may but this did not change anything.
Mar 21, 2011
When I tried to install LibreOffice 3.3_64 on my Fedora14_64 I received the following error:
Package libobasis3.3-extension-pdf-import-3.3.1-8.x86_64.rpm is not signed
Has anyone run into this? Is there a way to fix this?
Oct 14, 2010
I am trying to upload packages to a PPA (packages that contain custom "sources.list"s designed to make upgrades or downgrades between Ubuntu releases easier) and, even after going through all that work to manually generate a key and sign them with gpg, dput still rejects them as "not signed".
Aug 27, 2010
I have my company's CA root.crt certificate and I would like to import into openSUSE 11.2 so every application could trust this authority. Is there any instruction for this procedure?
You know, something like you can do in Windows: just click certificate and there is a button "Install certificate"
Where is system certificate store in openSUSE?
Apr 5, 2010
Has anyone set up a system to only allow digitally signed (i.e. approved) USB disk drives to be used on a Linux system?
Feb 23, 2011
I'd like to build a Linux environment in which only "signed" processes are allowed to run. When I say signed I don't mean a VeriSign etc. signature like you know it from Windows, but I mean signed by myself. I.e. I choose the software allowed to run, sign it, and then want to deny any other processes to run. If it is somehow possible I'd like to extend this even to scripts and the kernel (i.e. no unsigned modules can be loaded).
Does anyone have a good idea how to solve this problem? The bad thing is: I'm pretty fine with coding stuff myself in C, but have absolutely 0 experience or knowledge in kernel (module) programming. Any tips, links, literature?
One approach I came up with (just a rough idea at the moment): Linux starts new processes with a fork-and-exec combination. I therefore wonder if it is possible to change exec() in such a way that it will only execute signed programs.
Jan 28, 2011
I'm trying to access a Verisign signed site [URL] and getting a certificate not known error when I do. Do I really need to import Verisign? If so, how?
May 27, 2010
I've setup OpenVPN-ALS (formerly known as Adito) on Ubuntu Server 10.04 edition. I have a security router (Untangle) in front of my internal network. I have a domain name and an SSL Certificate setup on our security router. I can access our web interface on our security router with no problems.
I've set up a port-forward rule on our router to access this OpenVPN-ALS portal and I can access it, but I get an invalid certificate message. So I've bought another SSL certificate to install on our Portal, but I'm getting an error message when I enter our information at the provider where I've bought the certificate:
"Common Name does not contain fully qualified domain name." I'm not sure what the problem is. Do I use the hostname I've set up on the portal or do I use the hostname on my security router when I set up the SSL certificate on our portal?
Dec 10, 2010
I have an encrypted file using .aes256. I'm trying to decrypt it but it fails. This is the command I used:
Quote:
openssl enc -d -aes256 -in insurance.aes256 > /media/DATA/out.dec
And here's the error:
Quote:
enter aes-256-cbc decryption password:
bad decrypt
13930:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
Mar 29, 2010
I need to know more about openssl. In particular I'm having problems with some basic command-line stuff to do with signing and base64 encoding. You'll have to excuse me but I'm a security n00b. What is the command for signing some text file with a given private key and then after that base64 encoding the same file? Can this be done with a single command? What's wrong with:
Code:
openssl rsautl -sign -in textfile -inkey privatekey.pem enc -base64 -in textfile
or should that be:
Code:
openssl rsautl -sign -in textfile -inkey privatekey.pem | openssl enc -base64 -
Mar 30, 2010
I tried to compile a C program that uses the OpenSSL libraries in the shell but got this error. I guess the libraries are not linked properly.
undefined reference to SSL_library_init()
Apr 20, 2010
I just installed it by following steps in [URL]
but when I run "msfconsole", I get the following error messages telling me that ruby-openssl is not installed. I installed it with "apt-get install libopenssl-ruby" but the same message still comes again. I'm running Ubuntu 9.10.
root@qa-ud910-32-1:/opt/metasploit3/msf3/external/ruby-lorcon2# msfconsole
*** The ruby-openssl library is not installed, many features will be disabled!
*** Examples: Meterpreter, SSL Sockets, SMB/NTLM Authentication, and more
[-] ***
[Code]....
Aug 10, 2010
Quote: Security expert Georgi Guninski has pointed out a security issue in the 1.0 branch of OpenSSL that potentially allows SSL servers to compromise clients. Apparently the hole can be exploited simply by sending a specially crafted certificate to the client, causing deallocated memory to be accessed in the ssl3_get_key_exchange function (in ssls3_clnt.c). While this usually only causes an application to crash, it can potentially also be exploited to execute injected code.
Oct 27, 2010
I'm trying to make a java application in netbeans 6.9.1 (ubuntu 10.10) and I need to use the webcam on the system. Now I found this project: [URL] I am able to run the program and see the video input from the webcam using: "java -cp /usr/share/java/v4l4j.jar -Djava.library.path=/usr/lib/jni au.edu.jcu.v4l4j.examples.DeviceChooser" The problem is how to import the libraries into netbeans; there is an explanation on the site how to do it with eclipse but I don't have any experience with eclipse and judging from what people have to say about how it works I don't want that either. I get the following error as output:
[Code]...
Jun 6, 2011
I have joined a number of websites over time and it seems harder to manage them. Would like advice on how to generate passwords and to store and keep track of them. I would like to hear of systems or programs that are good for this.
Mar 15, 2009
I want to import a key called PGP-public-key.asc, that is placed in the download folder to /etc/pki/rpm-gpg, but it fails. I tried both:
rpm --import /etc/pki/rpm-gpg/PGP-public-key.asc
and
rpm --import /etc/pki/rpm-gpg/
rpm --import /etc/pki/rpm-gpg/home/my/Download/PGP-public-key.asc
Nov 27, 2010
I've created encryption systems on servers, but nearly always I have stored the password somewhere on the machine itself. The file is always 0600 to the relevant user, but a systematic analysis of my system could easily find the scripts that invoke decryption and discover the password. (The most blatant example of this is mounting SMB shares with the "-o credential_file" option where both the username and password are plain-text. In the cases where I've used this, the security of the share hasn't particularly mattered.)
Soon I might be faced with storing "patient health information" (PHI in the healthcare world) whose privacy is heavily regulated by the provisions of the US law called HIPAA. I've been thinking about creating an encrypted partition to hold the PHI, but I need a highly fault-tolerant method for obtaining the key from a different machine than the server itself. At first, I thought about running a script using scp and shared keys to copy the key from the remote, use it to decrypt the partition, then erase it. I'd like to be able to do this with a pipe; otherwise I'll write the key in a non-persistent location like /dev/shm.
I need more than one machine to make this work to ensure I can obtain the key when needed (like at boot). One solution is to place copies of the key on multiple servers and try each of them until I find it. A more elegant solution would place the key in a DNS TXT record. I suspect I could use LDAP for this as well, but OpenLDAP and I have never really been on speaking terms. So does this make sense? I presume I can write a bash script to do all this at boot. Most of what will be stored in this partition is the PostgreSQL database in /var/lib/pgsql and perhaps some other files.
My understanding of encrypted file systems is that they are only encrypted when unmounted. When mounted they must be as visible to the operating system as an unencrypted partition. I suppose you could apply encryption to every single disk transaction, but that would require knowing the key all the time, and would seem to add a lot of overhead.
Oct 18, 2010
I have an encrypted document (with my key) which I should decrypt. After the generation of my key, my computer was formatted and reinstalled. Now GnuPG finds my public key and I can't use it for decryption!
Mar 18, 2010
I wanted to set up a computer lab loading the Fedora 11 OS, with one system acting as a server to store users' (students') login information. When students write programs, all program files (e.g., C++ programs) should be saved on the local Fedora system, but when logging in to the system, the login should be validated by a server system.
Aug 14, 2010
Is there a way to run Flash and Java securely? Stupid question, I guess. I'd like to use a couple of sites that require them but don't want to open my box up to the bad things that can happen with these. Videos, Pandora etc. I don't know Linux security well and just wonder what the ramifications of this will be?
Dec 8, 2009
I have two students whose windows laptops are riddled with malware and not working properly. They want me to help them install Linux (which we use in school), but they are concerned about their iTunes.
Having avoided iPods as "defective by design", I know nothing about iTunes whatsoever. However I remember reading about DRM locking and such problems that have me concerned that I won't be able to do it.
Where does iTunes store its stuff?
Can I copy its data store to an external drive, and then into a linux home?
Then will it work on wine, or can another manager (rhythmbox etc) access the itunes data?
Alternatively, if I partition the drive and install linux, can rhythmbox/wine/something access itunes data on the win partition?
Supposing they are buying music through iTunes, what will happen to that account?
Finally, one of them has an iphone. Does that work with linux?
Ironic that an apple application is blocking migration away from windows.
Jun 29, 2010
Last week I decided to not just run dist-upgrade, but give the Lynx a completely fresh install. Before that I only copied my home folder to an external hard drive.
Now that I'm on Ubuntu 10.04 I have no clue how to import my old personal key and the passwords from the backup (my old home folder).
Jul 15, 2011
I just created an rpm and went to install it on another fc12 vm - it said the package was not signed. I searched on this and one place said to edit the yum.conf file to:
gpgcheck=0
May 16, 2011
How can I add self-signed certificates to e.g: Google Chrome under Linux (from the command line)?
Jul 22, 2009
I have a server which I use for mail:
[URL]
The above is the machine's actual FQDN. Now because I also use it as a web server to access my website and webmail, I have a pointer record with my domain registrar to also forward all [URL] to the same IP as [URL]. When I generate an SSL self-signed certificate for my server, do I generate one for [URL] or [URL]?
Feb 8, 2010
I need to build a cert from a CRT file.
Apr 5, 2011
I removed using yast the package "ssl-cert". At this point yast2 started throwing the error:
Code:
Download failed:
Download (curl) error for 'https://nu.novell.com/repo/repoindex.xml?cookies=0&credentials=NCCcredentials':
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
And of course a redownload and install of ssl-cert is not possible, I get the same error. So I tried downloading and installing the openssl package by hand, but still I got nowhere. Does anyone know how to reinstall this ssl-cert package again?