
Keytool Gui Download ##BEST##

Newsgroups comp.lang.basic.visual.misc
Date 2024-01-18 04:24 -0800
Message-ID <032dd834-7e39-46e2-b7b8-87c2d94a55f1n@googlegroups.com> (permalink)
Subject Keytool Gui Download ##BEST##
From Elin Lidstrom <lidstromelin18@gmail.com>



I've been wrestling with java keytool, trying to make it generate a usable JKS entry for the web application's purposes. The problem is that any entry I generate lacks an AuthorityKeyIdentifier element. It has a SubjectKeyIdentifier (of course) and using this documentation I've found how to add SubjectAlternativeName and other elements... but nothing I can find tells me how to get the AuthorityKeyIdentifier.

keytool gui download

Download ✦ https://t.co/0y9pMkThU5

I suspect the normal means for this involves generating a CSR and getting it signed by a CA, but since this is strictly an internal QA environment, I'd much prefer to stick with self-signed. As I understand it, a self-signed JKS entry can -- and should -- have an AuthorityKeyIdentifier whose KeyIdentifier is a duplicate of the one in the SubjectKeyIdentifier. But like I said, I'm stuck on how to obtain that using java keytool.

AWS CloudHSM key store is a special-purpose JCE key store that utilizes certificates associated with keys on your HSM through third-party tools such as keytool and jarsigner. AWS CloudHSM does not store certificates on the HSM, as certificates are public, non-confidential data. The AWS CloudHSM key store stores the certificates in a local file and maps the certificates to corresponding keys on your HSM.

Power users may be accustomed to specifying -providerName, -providerclass, and -providerpath command line options when using keytool, instead of updating the security configuration file. If you attempt to specify command line options when generating keys with AWS CloudHSM key store, it will cause errors.

Keytool is a popular command line utility for common key and certificate tasks on Linux systems. A complete tutorial on keytool is out of scope for AWS CloudHSM documentation. This article explains the specific parameters you should use with various keytool functions when utilizing AWS CloudHSM as the root of trust through the AWS CloudHSM key store.

Instructions for creating non-extractable keys directly on the HSM, and then using them with keytool or Jarsigner, are shown in the code sample in Registering Pre-existing Keys with AWS CloudHSM Key Store. We strongly recommend generating non-exportable keys outside of keytool, and then importing corresponding certificates to the key store. If you use extractable RSA or EC keys through keytool and jarsigner, the providers export keys from the AWS CloudHSM and then use the key locally for signing operations.

You receive the greatest flexibility in generating a certificate signing request (CSR) if you use the OpenSSL Dynamic Engine. The following command uses keytool to generate a CSR for a key pair with the alias, my-key-pair.

To use a key pair from keytool, that key pair must have an entry in the specified key store file. If you want to use a key pair that was generated outside of keytool, you must import the key and certificate metadata into the key store. For instructions on importing the keystore data see Importing Intermediate and root certificates into AWS CloudHSM Key Store using Keytool.

The alias should be a key pair with an associated certificate in the key store. If the key is generated outside of keytool, or is generated on a different client instance, you must first import the key and certificate metadata into the key store. For instructions on importing the certificate metadata, see the code sample in Registering Pre-existing Keys with AWS CloudHSM Key Store.

Set up your signing keys and the associated certificates and certificate chain which should be stored in the AWS CloudHSM key store of the current server or client instance. Create the keys on the AWS CloudHSM and then import associated metadata into your AWS CloudHSM key store. Use the code sample in Registering Pre-existing Keys with AWS CloudHSM Key Store to import metadata into the key store. If you want to use keytool to set up the keys and certificates, see Create new keys with keytool. If you use multiple client instances to sign your JARs, create the key and import the certificate chain. Then copy the resulting key store file to each client instance. If you frequently generate new keys, you may find it easier to individually import certificates to each client instance.

The entire certificate chain should be verifiable. For the certificate chain to be verifiable, you may need to add the CA certificate and intermediate certificates to the AWS CloudHSM key store. See the code snippet in Sign a JAR file using AWS CloudHSM and Jarsigner for instruction on using Java code to verify the certificate chain. If you prefer, you can use keytool to import certificates. For instructions on using keytool, see Using Keytool to import intermediate and root certificates into AWS CloudHSM Key Store.

When generating keys using keytool, the first (supported) provider in the security configuration file is used to generate the key. This is generally a software provider. The generated key is then given an alias and imported into the AWS CloudHSM HSM as a persistent (token) key during the key addition process.

When using keytool with AWS CloudHSM key store, do not specify -providerName, -providerclass, or -providerpath options on the command line. Specify these options in the security provider file as described in the Key store prerequisites.

When using non-extractable EC keys through keytool and Jarsigner, the SunEC provider needs to be removed/disabled from the list of providers in the java.security file. If you use extractable EC keys through keytool and Jarsigner, the providers export key bits from the AWS CloudHSM HSM and use the key locally for signing operations. We do not recommend you use exportable keys with keytool or Jarsigner.

The following section provides a code sample that demonstrates how to generate a new key pair on the HSM and register it using existing keys imported to the AWS CloudHSM key store. The imported keys are available for use with third-party tools such as keytool and Jarsigner.

Keytool is a command-line utility that allows you to manage keystores, public and private keys, and SSL certificates for Java-based web servers, such as Tomcat or JBoss. Certificates and key pairs are stored in a secured keystore. This article explains how to create a new keystore and how to generate a Certificate Signing Request file using keytool. If you already obtained your certificate from the certificate authority, you may wish to read: How to install an SSL Certificate using keytool.

To sign a jar file using jarsigner, the alias of the signing key needs to be specified. The aliases of the keys stored on the YubiKey PIV are fixed and unmodifiable. The key aliases are displayed when listing the content of the YubiKey using keytool -list above or they can be found in this list.
