Created
March 7, 2021 16:54
-
-
Save dolphinotaku/52a879fe3330bed32e1113dab3331dc5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ---------- Pre-execute command promtp script ---------- | |
| set PATH=%PATH%;"C:\Program Files\Java\jdk-10.0.2\bin\"; | |
| set PATH=%PATH%;"C:\Users\90474\Desktop\software\openssl-1.0.2d-x64_86-win64\openssl"; | |
| ------------------------------------------------------- | |
| this time was purchased a wildcard certificate (*.example.com) from Sectigo | |
| I received the certificate request, private key, 4 certificate files (1 root certificate, 2 intermediate certificate, 1 wildcard certificate) | |
| ---------- Preparement (P.0) -------------- | |
| P.1). create certificate request (csr) | |
| As the CSR was created by other people, first to do was extract the CSR info | |
| P.2). verify certificate request (csr) | |
| openssl req -in "example_com.csr" -noout -text > 00.verify.certificate.request.txt | |
| the extracted info was: | |
| Subject: C=HK, ST=HK, L=Hong Kong, O=Super Software Limited, CN=*.example.com | |
| ---------- End of P.0 -------------- | |
| ---------- Complete Certificate Request (C.0) -------------- | |
| before complete the certificate request, you must import the Root CA certificate and the intermediate CA certificate to the IIS/mmc | |
| after imported all CA to the computer, import the domain certificate, | |
| import the Root CA to Certificates > Trusted Root Certificate Authorities > Certificates | |
| import the Intermediate CA to Certificates > Intermediate Certificate Authorities > Certificates | |
| The domain certificate was signed by | |
| Sectigo(AAA) | |
| -> USERTrust RSA Certificate Authority | |
| --> Sectigo RSA Organization Validation Secure Server CA | |
| --> *.example.com | |
| Example Import steps | |
| Open mmc | |
| File > Add/Remove Snap-ins | |
| Select Certificates, Click "Add >" | |
| Select Computer account, select Local computer, click Finish | |
| Click OK in "Add/Remove Snap-ins" dialog | |
| Expand the folder tree, for this case, need to add a Intermediate Certificate, | |
| Expand the folder Certificates > Intermediate Certificate Authorities > Certificates | |
| Export the certificate in p7b format | |
| run mmc, locate and right click on the imported domain certificate, select Export | |
| select p7b format | |
| checked with "Include all certificates in the certificate path if possible" | |
| the password please entered as changeit this time | |
| ---------- End of C.0 -------------- | |
| 0.1 verify the pfx password | |
| openssl pkcs12 -in example_com.key -noout | |
| openssl jks -in example_com.key -noout | |
| openssl rsa -noout -in example_com.key -passin "pass:Abcd1234" | |
| ----------- Create a New Keystore --------------- | |
| 1.0 Create a New Keystore | |
| 01.1 create a new keystore file option 1 | |
| keytool -genkey -alias "example" -keyalg RSA -keysize 2048 -keystore example_Identify.jks | |
| Enter keystore password: !Abcd1234 | |
| Re-enter new password: !Abcd1234 | |
| What is your first and last name? | |
| *.example.com | |
| What is the name of your organizational unit? | |
| [Enter] | |
| What is the name of your organizational? | |
| Super Software Limited | |
| What is the name of City or Locality? | |
| Hong Kong | |
| What is the name of State or Province? | |
| HK | |
| What is the two-letter country code for this unit? | |
| HK | |
| Is.... correct? | |
| yes | |
| Enter key password for <server> | |
| (RETURN if same as keystore password): | |
| <<<<< press enter here >>>>> | |
| 01.2 create a keystore, option 2 | |
| keytool.exe -genkey -alias "example" -keyalg rsa -keysize 2048 -dname "CN=*.example.com, OU=, O=Super Software Limited, L=Hong Kong, ST=HK, C=HK" -keystore example_Identify.jks -storepass !Abcd1234 | |
| Enter key password for <example> | |
| (RETURN if same as keystore password): [Press Enter] | |
| ----------- verify the initialize keystore --------------- | |
| 1.99 verify the initialize keystore | |
| keytool -list -v -keystore example_Identify.jks -storepass !Abcd1234 > 01.verify.initialize.keystore.txt | |
| ----------- verify the initialize keystore --------------- | |
| ----------- End of 1.0 Create a New Keystore --------------- | |
| As a checkpoint for easy rollback/redo, I will copy the example_Identify.jks and rename as example_Identify.01empty.jks | |
| please run | |
| copy example_Identify.jks example_Identify.01empty.jks /y /v | |
| ----------- End of 1.0 Create a New Keystore --------------- | |
| ----------- Import Root/Intermediate CA --------------- | |
| 2.0 Import Root/Intermediate CA | |
| 2.1 Import the root CA certificate to the Java keystore | |
| keytool -import -trustcacerts -alias rootca -file "01AAACertificateServices.crt" -keystore example_Identify.jks -storepass !Abcd1234 | |
| Do you still want to add it to your own keystore? [no]: yes | |
| Should see: | |
| Certificate was added to keystore | |
| 2.2 Import the intermediate CA certificate(s) to the Java keystore | |
| The domain certificate was signed by | |
| Sectigo(AAA) | |
| -> USERTrust RSA Certificate Authority | |
| --> Sectigo RSA Organization Validation Secure Server CA | |
| --> *.example.com | |
| keytool.exe -import -trustcacerts -alias "interca2" -file "02SectigoRSAOrganizationValidationSecureServerCA.crt" -keystore example_Identify.jks -storepass !Abcd1234 | |
| Should see: | |
| Certificate was added to keystore | |
| keytool.exe -import -trustcacerts -alias "interca3" -file "03USERTrustRSAAAACA.crt" -keystore example_Identify.jks -storepass !Abcd1234 | |
| Should see: | |
| Certificate was added to keystore | |
| 2.3 Remove the certificate request alias/entity | |
| keytool.exe -delete -alias "example" -keystore example_Identify.jks -storepass !Abcd1234 | |
| ----------- verify the imported CA certificate(s) keystore --------------- | |
| 2.99 verify the Identify keystore and Identity keystore | |
| keytool -list -v -keystore example_Identify.jks -storepass !Abcd1234 > 02.verify.imported.CA.txt | |
| ----------- verify the imported domain certificate keystore --------------- | |
| ----------- End of 2.0 Import Root/Intermediate CA --------------- | |
| As a checkpoint for easy rollback/redo, I will copy the example_Identify.jks and rename as example_Identify.02.CA.ready.jks | |
| please run | |
| copy example_Identify.jks example_Identify.02.CA.ready.jks /y /v | |
| ----------- End of 2.0 Import Root/Intermediate CA --------------- | |
| =============== Import Signed Primary / Domain certificate =============== | |
| 3.0 Import the signed primary certificate to the Java Keystore | |
| ----------- Convert the x.509 cert and key to a pkcs12 file ----------- | |
| 3.0a | |
| combine certificate file and private key into keystore file in PKCS#12 format | |
| PKCS12 (for PKCS#12 files, often with extension .p12 or sometimes .pfx). | |
| If you have a chain of certificates, combine the certificates into a single file and use it for the input file, | |
| as shown below. The order of certificates must be from server certificate to the CA root certificate. | |
| Linux Systax | |
| cat <signed_cert_filename> \ | |
| <intermediate.cert> [<intermediate2.cert>] | |
| ... \ | |
| > cert-chain.txt | |
| Windows | |
| use type to instead of using cat in windows | |
| type works across command.com, cmd, and PowerShell (though in the latter it's an alias for Get-Content, so is cat, so you could use either). | |
| Example | |
| type STAR_example_com.crt 03USERTrustRSAAAACA.crt 02SectigoRSAOrganizationValidationSecureServerCA.crt 01AAACertificateServices.crt > cert-chain.txt | |
| openssl pkcs12 -export -in cert-chain.txt -inkey example_com.key -name "*.example.com" -out example_com.p12 | |
| -------------------------------------------------------------------------------- | |
| 3.1 Import the pfx format certificate to the Java Keystore | |
| keytool -importkeystore -srckeystore STAR_example_com.pfx -srcstoretype pkcs12 -destkeystore example_Identify.jks -deststoretype JKS | |
| Result: | |
| Entry for alias 6a6acdc32d2f4e0ea55f53d0a99928a2 successfully imported. | |
| Import command completed: 1 entries successfully imported, 0 entries failed or cancelled | |
| keytool -changealias -alias "6a6acdc32d2f4e0ea55f53d0a99928a2" -destalias "example" -keystore example_Identify.jks -storepass !Abcd1234 | |
| 3.2 Convert the pfx format to pkcs12 format | |
| openssl pkcs12 -in STAR_example_com.pfx -nokeys -out STAR_example_com.cer | |
| 3.3 Import the signed primary certificate to new Java keystore for using for Customer Trust Keystore | |
| keytool -import -alias "example" -trustcacerts -file STAR_example_com.cer -keystore example_trust.jks -storepass !Abcd1234 | |
| ----------- verify the imported domain certificate keystore --------------- | |
| 3.99 verify the Identify keystore and Identity keystore | |
| keytool -list -v -keystore example_Identify.jks -storepass !Abcd1234 > 03.verify.Identify.imported.domain.txt | |
| keytool -list -v -keystore example_trust.jks -storepass !Abcd1234 > 03.verify.trust.imported.domain.txt | |
| ----------- End of 3.0 Import Signed Primary / Domain certificate --------------- | |
| As a checkpoint for easy rollback/redo, I will copy the example_Identify.jks and rename as example_Identify.03.domain.ready.jks | |
| please run | |
| copy example_Identify.jks example_Identify.03.domain.ready.jks /y /v | |
| copy example_trust.jks example_trust.03.domain.ready.jks /y /v | |
| ----------- End of 3.0 Import Signed Primary / Domain certificate --------------- | |
| -------------------------------------------------------------------------------- | |
| ================================ | |
| Other Command | |
| Export the private key from PKCS12 format as PEM format | |
| openssl pkcs12 -in example_com.p12 -nocerts -out example_com.pem | |
| keytool -list -v -keystore example_Identify.jks -alias example | |
| keytool -list -v -keystore "C:\tibco\tss\7.11.1\tomcat\certs\spotfireserver.jks" -alias serverkey | |
| openssl pkcs12 -export -out STAR_example_com.pfx -inkey example_com.key -in STAR_example_com.crt | |
| openssl pkcs12 -export -out STAR_example_com.pfx -inkey example_com.key -in STAR_example_com.crt -in 01AAACertificateServices.crt | |
| openssl pkcs12 -export -out STAR_example_com.pfx -inkey example_com.key -in STAR_example_com.crt -in 01AAACertificateServices.crt -certfile 01AAACertificateServices.crt | |
| openssl pkcs12 -export -out STAR_example_com.pfx -inkey example_com.key -in STAR_example_com.crt -certfile 03USERTrustRSAAAACA.crt.crt | |
| openssl pkcs12 -export -out STAR_example_com.pfx -inkey example_com.key -in STAR_example_com.crt -certfile 03USERTrustRSAAAACA.crt -certfile 02SectigoRSAOrganizationValidationSecureServerCA.crt -certfile 01AAACertificateServices.crt | |
| ================================ | |
| Reference | |
| Keystore type: which one to use? | |
| keystoreType=[JKS|PKCS12] | |
| https://stackoverflow.com/questions/11536848/keystore-type-which-one-to-use | |
| How to quickly identify SSH private key file formats? | |
| https://superuser.com/questions/1515261/how-to-quickly-identify-ssh-private-key-file-formats | |
| Create a PKCS#12 keystore from a private key and certificate | |
| https://documentation.solarwinds.com/en/Success_Center/WHD/Content/HelpDeskCreatePKCS12iKeystorefromPrivateKeyCert.htm | |
| What is the Windows equivalent of the Unix command cat? | |
| https://superuser.com/questions/434870/what-is-the-windows-equivalent-of-the-unix-command-cat | |
| 4 Configuring SSL with Tomcat | |
| https://docs.oracle.com/cd/E57014_01/edq/DQSEC/ssl_tomcat.htm#DQSEC166 | |
| SSL/TLS Configuration How-To | |
| https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment