Using Keytool
Managing a Java keystore
The keytool command is part of the Java 2 JDK release. Complete documentation can be found at sun-keytool.html. The keytool command will do most of what you need: listing contents, setting aliases, adding new trusted certificates. The one thing it does not do (prior to Java 6) is import an existing key entry, i.e. a certificate together with its private key.
OSCARS provides wrappers in tools/utils that simplify the use of keytool by suggesting the location of the keystore and finding the password in the related configuration file. These wrappers should be used to edit $CATALINA_HOME/shared/classes/repo/{OSCARS.jks, ssl-keystore.jks}. You can use keytool directly to edit keystores in other locations.
Finding a CA certificate
Ask whoever is running the service that you want to connect to, to send you the certificate of the CA that signed its web site certificate. Then import that into your ssl-keystore.
Get the site certificate
Another approach is to get the site certificate itself and trust that instead. Connect to the service with your browser using https and then export the certificate from your browser.
In IE the following is reputed to work:
View certificate -> certificate details -> copy to file
For Firefox, try:
preferences -> advanced -> Encryption -> View Certificates -> select -> export
or you may need the Certificate Manager extension: https://addons.mozilla.org/en-US/firefox/addon/1964
Once this is installed there will be a "Certificate Manager" entry in the Tools menu.
Tools -> Certificate Manager -> Servers -> select certificate -> view -> export
Import a site or CA certificate as a trustedCertEntry
You need to have the X.509 certificate of the CA in PEM format (ASCII, Base64-encoded, between BEGIN CERTIFICATE and END CERTIFICATE tags). To convert from DER format (binary) use openssl:
openssl x509 -in 'CAcert.der' -inform DER -outform PEM -out 'CAcert.pem'
To import into a keystore:
tools/users/idc-certadd
or
keytool -import -keystore 'OSCARS.jks' -file 'CAcert.pem' -trustcacerts -alias 'CA'
Adding existing keyEntries to your OSCARS.jks keystore
tools/utils/copyKey:
Copies a keyEntry from one keystore to another. Useful when upgrading to a new release or when importing a keyEntry from an externally obtained pkcs12 file.
copyKey.sh -a <alias of keyEntry>
[-inpkcs12 <filename of input keyStore> | -injks <filename of input keyStore> ]
-out <filename of output keystore>
It will prompt for the password of the input keystore, the password of the keyEntry in the input keystore and the password for the output keystore. Normally the password of a keyEntry is the same as that of the keystore; if so, just press Enter at the keyEntry prompt. If the -inpkcs12 option is used the entry is imported from a pkcs12 file; if -injks is used it is imported from another jks keystore.
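The following is an added example, not the OSCARS copyKey script itself (whose source is not on this page): it performs the same copy directly with the java.security.KeyStore API, prompting for the three passwords described above and treating an empty keyEntry password as "same as the keystore". The class name CopyKeyEntry and the argument order are assumptions of this example.

```java
import java.io.Console;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;

/* Copy one keyEntry (private key plus certificate chain) from a PKCS12 or JKS
 * keystore into a JKS keystore, prompting for the three passwords like copyKey.
 * Usage: java CopyKeyEntry <alias> <PKCS12|JKS> <input keystore> <output.jks> */
public class CopyKeyEntry {
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if (new File(path).exists()) {
            try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        } else {
            ks.load(null, pass);   // output file does not exist yet: start from an empty keystore
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: CopyKeyEntry <alias> <PKCS12|JKS> <in> <out.jks>");
            System.exit(2);
        }
        Console c = System.console();
        if (c == null) throw new IllegalStateException("run from a terminal so passwords can be prompted");
        char[] inStorePass = c.readPassword("password of input keystore: ");
        char[] inKeyPass = c.readPassword("password of keyEntry (Enter if same as keystore): ");
        if (inKeyPass.length == 0) inKeyPass = inStorePass;   // empty reply: same as the keystore
        char[] outStorePass = c.readPassword("password of output keystore: ");
        KeyStore in = load(args[1], args[2], inStorePass);
        if (!in.isKeyEntry(args[0])) {
            throw new IllegalArgumentException("'" + args[0] + "' is not a keyEntry in " + args[2]);
        }
        Key key = in.getKey(args[0], inKeyPass);            // fails here if the keyEntry password is wrong
        Certificate[] chain = in.getCertificateChain(args[0]);
        // Load the existing output keystore so its other entries survive the store().
        KeyStore out = load("JKS", args[3], outStorePass);
        // Protect the copied key with the store password, so the wrappers need only one password.
        out.setKeyEntry(args[0], key, outStorePass, chain);
        try (FileOutputStream os = new FileOutputStream(args[3])) { out.store(os, outStorePass); }
        System.out.println("copied keyEntry '" + args[0] + "' with " + chain.length + " certificate(s) to " + args[3]);
        for (char[] p : new char[][] {inStorePass, inKeyPass, outStorePass}) Arrays.fill(p, '\0');
    }
}
```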