@deekayen
Last active March 5, 2020 18:10
Instructions on how to make various TLS certificate file outputs

*.example.com

Expires: [When does the signed cert expire?]

Keystore password: OMITTED

Copied from: http://www.entrust.net/knowledge-base/technote.cfm?tn=8898

This presumes your signing authority provided a .crt and .key file.

In order to install the intermediate certificates into a keystore, you need to download two intermediate certificate files from the Entrust certificate pickup link. These files are the L1K Intermediate certificate (default file name: Intermediate1.crt) and the G2 Cross certificate (default file name: Intermediate2.crt).

Create a chained PKCS12

Create a chained .pem file first by concatenating, in order, the server certificate, the intermediate certificate, the chained root, and then the root certificate into a single text file.

openssl pkcs12 -export -out wildcard.example.com.pfx -inkey wildcard.example.com.key -in wildcard.example.com.pem

Import wildcard.example.com.pfx into Java keystore (JKS)

This is a one-time activity. The output from this is saved to this repository to be re-used and copied across servers.

keytool -importkeystore -srckeystore wildcard.example.com.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
keytool -import -alias Intermediate -keystore keystore.jks -trustcacerts -file Intermediate.crt
keytool -import -alias entrust_l1k_chain_root -keystore keystore.jks -trustcacerts -file entrust_l1k_chain_root.cer
keytool -changealias -alias 1 -destalias wildcard -keystore keystore.jks

Validate outputs with:

keytool -list -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

wildcard, Mar 5, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): FE:A9:06:5F:72:9D:E3:71:E1:33:EE:FD:5B:9B:4C:6C:EB:A0:FE:FB
intermediate, Mar 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): F2:1C:12:F4:6C:DB:6B:2E:16:F0:9F:94:19:CD:FF:32:84:37:B2:D7
entrust_l1k_chain_root, Mar 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 9E:1A:0C:35:E7:14:B6:97:92:D0:90:B2:CC:4B:BA:45:83:3C:30:15

Jenkins config

The keystore directions on https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins may be helpful for importing the .pfx file to a keystore file.

https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+IIS

Jenkins.xml

  <arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=0 --httpsPort=443 --httpsKeyStore="%BASE%\secrets\wildcard.example.com.jks" --httpsKeyStorePassword=OMITTED --webroot="%BASE%\war"</arguments>

Convert keystore to PKCS12

keytool -importkeystore -srckeystore wildcard.example.com.jks -destkeystore wildcard.example.com.p12 -deststoretype PKCS12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias *.example.com successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Export Public Cert from PKCS12

openssl pkcs12 -in wildcard.example.com.p12 -nokeys -out wildcard.example.com.crt
Enter Import Password:
MAC verified OK

Export Private Key from PKCS12

openssl pkcs12 -in wildcard.example.com.p12 -nodes -nocerts -out wildcard.example.com.key

Match the private and public hashes

To verify the consistency of the RSA private key and to view its modulus:

openssl rsa -modulus -noout -in myserver.key | openssl md5
openssl x509 -modulus -noout -in myserver.crt | openssl md5
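The modulus comparison above, together with the PKCS12 export/re-export steps earlier in the gist, as an added example (not part of the original gist): it generates a constructed key and self-signed *.example.com certificate in a temp directory, wraps the modulus check in a function, and round-trips the pair through a .pfx to confirm the exported key still matches the exported certificate. It assumes openssl is in PATH; the password `changeit` is a constructed value.

```shell
#!/bin/sh
# Added example, not from the original gist. Assumes openssl in PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# The gist's modulus check as a function: md5 of the RSA modulus from the key
# must equal md5 of the modulus from the certificate. Returns 0 on match.
key_matches_cert() {
  k="$(openssl rsa -modulus -noout -in "$1" 2>/dev/null | openssl md5)"
  c="$(openssl x509 -modulus -noout -in "$2" 2>/dev/null | openssl md5)"
  [ "$k" = "$c" ]
}

# Constructed material: one key + self-signed cert for *.example.com, plus an
# unrelated key so the mismatch case can be exercised.
gen_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.example.com" \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.crt" >/dev/null 2>&1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# Build the PKCS12 from key + chained PEM (here the chain is just the one
# self-signed cert), export cert and key back out as the gist does, and verify
# the exported pair still belongs together. Password is a constructed value.
roundtrip_pkcs12() {
  cat "$WORK/wildcard.crt" > "$WORK/chain.pem"
  openssl pkcs12 -export -passout pass:changeit \
    -inkey "$WORK/wildcard.key" -in "$WORK/chain.pem" -out "$WORK/wildcard.pfx"
  openssl pkcs12 -in "$WORK/wildcard.pfx" -passin pass:changeit \
    -nokeys -out "$WORK/exported.crt" 2>/dev/null
  openssl pkcs12 -in "$WORK/wildcard.pfx" -passin pass:changeit \
    -nodes -nocerts -out "$WORK/exported.key" 2>/dev/null
  key_matches_cert "$WORK/exported.key" "$WORK/exported.crt"
}

gen_material
if key_matches_cert "$WORK/wildcard.key" "$WORK/wildcard.crt"; then
  echo "wildcard.key matches wildcard.crt"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/wildcard.crt"; then
  echo "other.key does NOT match wildcard.crt (expected)"
fi
```

Run the same two `openssl ... -modulus` commands against the real wildcard.example.com.key and .crt before building the .pfx; a mismatch there means the wrong key was exported from the keystore.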