Here's more on the different kind of files in /etc/letsencrypt/live/you.com/. These instructions are derived from the post "Create a Java Keystore (.JKS) from Let's Encrypt Certificates" on this blog. Otherwise, you'll import pkcs.12 into the existing keystore. If keystore.jks doesn't exist, it will be created containing the pkcs.12 file created above. Create the Java keystore keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 \ -srcstoretype PKCS12 -alias letsencrypt The export option specifies that a PKCS #12 file will be created rather than parsed (according to the manual). You'll be prompted for a password for pkcs.p12. They become active without your having to restart the server. This combines your SSL certificate fullchain.pem and your private key privkey.pem into a single file, pkcs.p12. You can import X.509 certificates that are defined in keystore instances of type JKS or PKCS12. Create a PKCS #12 file openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 \ -name letsencrypt OPTIONAL Step zero: Create self-signed certificate openssl genrsa -out server.key 2048 openssl req -new -out server.csr -key server.key openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crtĪssuming you've created your certificates and private keys with Let's Encrypt in /etc/letsencrypt/live/you.com: 1. Step two: Convert the pkcs12 file to a Java keystore keytool -importkeystore \ -deststorepass -destkeypass -destkeystore server.keystore \ -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass some-password \ -alias You MUST import your CA Reply into the SAME Keystore that the request (Public key). Note 2: You might want to add the -chain option to preserve the full certificate chain. each X.509 file from the command line using the Java Keytool command. Note: Make sure you put a password on the pkcs12 file - otherwise you'll get a null pointer exception when you try to import it. Step one: Convert the x.509 cert and key to a pkcs12 file openssl pkcs12 -export -in server.crt -inkey server.key \ -out server.p12 -name \ -CAfile ca.crt -caname root And, on Linux you can store certs in many different stores, eg Gnome Keyring, OpenSSL, possibly more.I used the following two steps which I found in the comments/posts linked in the other answers: But AFAIK that won't cover anything that's not SSL (eg SSH, Kerberos, more). Otherwise, as has been described and suggested, you can import the certificate for SSL access. B) Create a JKS - letsencrypt.jks with a RSA 2048 key (simple-cert) C) Add a second RSA 4096 key - (san-cert) D) Create a CSR for simple-cert and a CSR for san-cert. A) Talk about JKS, keytool and KeyStore Explorer. openssl pkcs12 -export -name myservercert -in selfsigned.crt -inkey server.key -out keystore.p12 Convert PKCS12 keystore into a JKS keystore keytool. JKS have been causing people a few headaches so I thought I would write a guide on this. Create PKCS12 keystore from private key and public certificate. Joining a company's network security (like AD, LDAP or NIS) is best done by simply running the proper applet in YAST. With your private key and public certificate, you need to create a PKCS12 keystore first, then convert it into a JKS. From then on, you should be able to login with your AD User account and be automatically authenticated to access and run any Domain resources (files, apps, network connections, more). If you mean what I think you mean, it likely means your company is using Windows Active Directory(or other network security like LDAP or less often NIS), and if this is so the simplest approach probably should be to simply join your openSUSE box to your company's Domain. Read from the certfile file named certfile.cer. ALIASDEST: name that will match your certificate entry in the JKS keystore, 'tomcat' for example. Assuming that you've been given a certificate file named 'certfile.cer' which contains an alias named 'foo', you can import it into a public keystore named 'publicKey.store' with the following keytool import command: keytool -import -alias foo -file certfile.cer -keystore publicKey.store. There, the 'alias name' field indicates the storage name of your certificate you need to use in the command line. However, it does make a difference what you mean by "so every application could trust this authority." To do this, you can run the following command beforehand: keytool -v -list -storetype pkcs12 -keystore FILEPFX. Where is system certificate store in openSUSE?The other suggestions are very good. You know, something like you can do in Windows: just click certificate and there is a button "Install certificate" Is there any instruction for this procedure? I have my company's CA root.crt certificate and I would like to import into openSUSE 11.2 so every application could trust this authority.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |