Key Points

Java supports full security management - stores, certificates, keys in different key stores

References

Reference_description_with_linked_URLs_______________________	Notes______________________________________________________________


https://docs.oracle.com/en/java/javase/14/security/general-security1.html	Java Security v1.4

https://www.openssl.org/
https://www.openssl.org/docs/ https://www.openssl.org/docs/man1.1.1/
https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html
Openssl Cookbook - 2016 - gdrive
https://slproweb.com/products/Win32OpenSSL.html	Openssl Windows binaries
	Linux includes openssl ... openssl version -a ( shows details )
https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs	Tutorial creating ssl certificates with openssl

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview	Java Keystore types
https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549	Java keytool for CA administration

https://www.geotrust.com/resources/csr/apache_mod_ssl.htm openssl-create-server-cert-process-geotrust.com-Generate a Certificate Signing Request CSR.pdf	common openssl process to create a server certificate for ssl - geotrust

https://www.thewindowsclub.com/manage-trusted-root-certificates-windows windows10-certificate-trust-mgt-mmc-thewindowsclub.com-How to manage Trusted Root Certificates in Windows 10.pdf	Using Windows 10 Trust store with MMC - add certificates to Windows Trust Store
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt	Mozilla keeps the trust store in the source code repository: This file contains the object definitions for the certs and other # information "built into" NSS.
https://better-coding.com/how-to-add-ssl-certificate-into-java-cacerts-file-and-jks-keystore/	Add SSL cert into Java keystore jks and cacerts file from download

https://www.baeldung.com/java-digital-signature java-security-sign-documents-JCA-baeldung.com-Digital Signatures in Java.pdf	Use Java JCA to sign documents

Key Concepts

Certificate and PKI concepts

https://support.code42.com/Administrator/6/Configuring/Install_a_CA-signed_SSL_certificate_for_HTTPS_console_access

These instructions use the following terms:

Key: A unique string of characters that seeds a mathematical algorithm for encryption and decryption. Keys come in pairs. A public key encrypts data to be decrypted with the corresponding private key.
Certificate: A file that contains a public key and identifies who owns that key and its corresponding private key. In a signed certificate, a trusted certificate authority (CA) affirms that a public key does indeed belong to the owner named in the certificate. A certificate chain links a public key to a widely trusted root certificate.
Keystore: A file that holds a combination of keys and certificates.
PKCS, PFX: A binary format for key, certificate, and keystore files. Typical file names are *.pkcs, *.p12, *.p7b, *.pfx
Java keystore: The binary format for keystores used by Code42 servers. Typical file names are .keystore and *.jks
PEM: An ASCII text format for keys and certificates. Typical file extensions are *.pem, *.key, *.csr, *.cert. The binary counterpart is DER-format file. An X.509 certificate may or may not be in PEM format.

To identify a PEM file, read it with a console or text editor. If you see ASCII text, it's a PEM file.

Java Keytool Management

https://support.code42.com/Administrator/6/Configuring/Install_a_CA-signed_SSL_certificate_for_HTTPS_console_access

The Java keytool installs as part of a system's Java runtime engine (JRE) and runs at the Windows or Linux command line. To use keytool, install it on your system and configure its use as described below.

Windows keytool install

Download and install a recent version of the JRE from Oracle.
Locate the keytool with two commands.
The second command returns the location of keytool.exe.
cd \ dir /b/s keytool.exe
Add the directory where keytool.exe resides to the PATH variable.
PATH=%PATH%;<directoryWhereKeytool.exeResides>
For example:
PATH=%PATH%;C:\Program Files\Java\jre1.8.0_111\bin
Return to a directory that belongs to your user name:
cd \Users\<yourusername>
Repeat steps 2 and 3 for any terminal window in which you want to use the keytool command.

Keytool

Linux keytool install

Install a recent version of the JRE with commands like the following:
sudo apt-get update sudo apt-get install default-jre

Create a keystore

Create a keystore using one of the following options:

Option 1: Create a new key and Java keystore; import a CA's signature.
Option 2: Package existing PEM-format keys and certificates in a new Java keystore.
Option 3: Convert an existing PKCS or PFX keystore to a Java keystore.

Option 1: Create a new key and Java keystore; import a CA's signature

Step 1: Create a keystore and a signing request

Create a Java keystore and a request for a CA to sign your public key.

Help writing commands
For help writing these commands, see DigiCert's Java Keytool CSR Wizard.

Create the keystore with the command below, after substituting your value for one variable:

<your.domain.com>: the complete domain name of your Code42 server.

Enter the same password twice
The command will prompt you for two passwords. Supply the same value for both of them:

Enter keystore password:

Enter key password:

keytool -genkeypair -alias <your.domain.com> -storetype jks -keystore <your.domain.com>.jks -validity 366 -keyalg RSA -keysize 4096

The command prompts you for identifying data.
At "What is your first and last name" you must supply the domain name of the Code42 server you want to secure.
Most CAs require values for the other fields as well.

What is your first and last name? <your.domain.com>
What is the name of your organizational unit? yourunit
What is the name of your organization? yourorg
What is the name of your City or Locality? yourcity
What is the name of your State or Province? yourstate
What is the two-letter country code for this unit? US

Create the certificate signing request (CSR) with the command below, after substituting your value for all four occurrences of one variable:

<your.domain.com>: the complete domain name of your Code42 server.

keytool -certreq -alias <your.domain.com> -file <your.domain.com>.csr 
        -keystore <your.domain.com>.jks -ext san=dns:<your.domain.com>

Step 2: Request a CA-signed certificate

In the directory where you ran Step 1 above, find the file <your.domain.com>.csr
Submit the file <your.domain.com>.csr to your CA.
- Details vary from one CA to another. Typically, you submit your request via a website, then the CA contacts you to verify your identity.
- CAs can send signed reply files in a variety of formats, and CAs use a variety of names for those formats. You want the CA's reply in PEM or PKCS#7 format.
Wait (usually days or a week) for the CA's reply.

Step 3: Import the CA's reply

The CA's reply will provide one PKCS file or multiple PEM files. Import them into your keystore as follows:

Copy the CA's files into the directory where you created the keystore in Step 1 above.
Windows only: Configure the Keytool Command as described above.
Use keytool to import the CA reply files to your keystore
(The commands will prompt you for your keystore password):

If the CA sent a PKCS file, use the command below, after substituting your values for two variables:
- <your.domain.com> : The complete domain name of your Code42 server.
- <CAreply.pkcs> : The name of the PKCS file provided by the CA.

keytool -importcert -alias <your.domain.com> -file <CAreply.pkcs> -keystore <your.domain.com>.jks -trustcacerts

If the CA sent PEM files, there may be one file, but most often there are two or three. Import the files to your keystore with commands in the order shown below, after substituting your values for four variables:
- <root.cert.pem> : The name of the root certificate file
- <intermediate.cert.pem> : The name of the intermediate certificate file
  The root and intermediate files link the CA's signature to a widely trusted root certificate that is known to web browsers. Most, but not all, CA replies include roots and intermediates.
- <your.domain.com> : The complete domain name of your Code42 server
- <server.cert.pem> : The name of the server certificate file
  The file links your domain name with your public key and the CA's signature.

keytool -importcert -alias root -file <root.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias intermediate -file <intermediate.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias intermediat2 -file <intermediat2.cert.pem> -keystore <your.domain.com>.jks -trustcacerts
keytool -importcert -alias <your.domain.com> -file <server.cert.pem> -keystore <your.domain.com>.jks -trustcacerts

Troubleshoot
If you import certificates in the wrong order, the above commands return an error message. To resolve the error, you can:

Consult your CA.
Re-arrange the order of certificates and try again.
Read each certificate with the following command:
keytool -printcert -file <filename.cert.pem>
In the output, note the Owner and Issuer (signer) of each certificate. Order your import commands so that the Issuer of each certificate matches the Owner in the previous command.

Proceed to configuring your Code42 server below.

Option 2: Package existing PEM-format key and certificates in a new Java keystore

If you have an existing private key and certificates for your Code42 server's domain, in PEM format, importing them into a Java keystore requires the OpenSSL tool. OpenSSL can package the PEM files in a PKCS keystore. Java keytool can then convert the PKCS keystore to a Java keystore.

Install OpenSSL:
- Windows: Download and install OpenSSL.
- Linux: Verify that OpenSSL is installed by issuing the command openssl version
  If that returns an error, install OpenSSL with a command like sudo apt-get install openssl
Gather your private key, server certificate, and intermediate certificate into one directory.
Package the key and certificates into a PKCS keystore with the command below, after substituting your values for four variables
(The command will prompt you for your keystore password):
- <server.cert.pem>: The name of the server certificate file
  The file links your domain name with your public key and CA's signature.
- <private.key.pem>: The private counterpart to the public key in <server.cert.pem>
- <intermediate.cert.pem>: The name of the intermediate certificate file
  The file links the CA's signature to a widely trusted root certificate that is known to web browsers.
- <your.domain.com> : The complete domain name of your Code42 server

openssl pkcs12 -export -in <server.cert.pem> -inkey <private.key.pem> -certfile <intermediate.cert.pem> -name "<your.domain.com>" -out <your.domain.com>.p12

Convert the resulting PKCS keystore file, <your.domain.com>.p12 into a Java keystore. See Option 3, below.

Option 3: Convert an existing PKCS or PFX keystore to a Java keystore

If you have an existing PKCS or PFX keystore for your Code42 server's domain, convert it to a Java keystore.

Windows only: Configure the keytool command as described above.
Issue the command below, after substituting your values for two variables
(The command will prompt you for keystore passwords):
- <your.domain.com.p12> : The existing keystore file.
- <your.domain.com> : The complete domain name of your Code42 server

keytool -importkeystore -srckeystore <your.domain.com.p12> -srcstoretype PKCS12 -destkeystore <your.domain.com>.jks -deststoretype jks

Proceed to configuring your Code42 server below.

Configure your server to use your keystore

Step 1: Back up your Code42 server's database

As a best practice, back up your Code42 server's database:

Open the administration console.
Navigate to Settings > Server.
From the action menu, select Dump Database.

Step 2: Import your keystore to your Code42 server

In the administration console, select Settings > Security > Keys.
At SSL, check Require SSL to access console.
Click Import Keystore.
Select your Java keytore file, <your.domain.com>.jks, and provide <yourpassword>.
Return to the system command line and stop and restart the Code42 server:

Certificate Use Cases

Client and Server SSL encryption of messages using PKI concept

Client and server each have their own private key and matching public key
Client and server exchange public keys as certificates
For each message sent, the source system encrypts the message with the private key
For each message received, the receiver uses the public key to decrypt the message

Server setup for PKI certificates approved by a CA

Typically a server is setup by a Certificate Authority administrator in a very secure environment.
The CA is often an intermediate CA with a trust chain back to a root CA ( Verisign, Thawte or other root CA )
Certificate files will often use a user, domain name or server name depending on planned usage
Private keys are generated and usually well protected in a secure key store.
A CSR ( Certificate Signing Request ) is generated for root CA authentication ( vs self signed certs )
the server CA reviews and approves the CSR providing a complete trust chain to a root CA
The public key is generated from the private key as a certificate PEM file normally.
If needed, a PKCS12 file can be generated from the private key as a format to send the certificate to the client

Client setup for PKI certificates

Key management and distribution concepts

private keys can have a pass phrase to protect access

better use an encrypted wrapper with a password for key distribution via sftp or secure email

Document signing with the Private key

Use Java JCA to sign documents

java-security-sign-documents-JCA-baeldung.com-Digital Signatures in Java.pdf

In this tutorial, we're going to learn about the Digital Signature mechanism and how we can implement it using the Java Cryptography Architecture (JCA). We'll explore the KeyPair, MessageDigest, Cipher, KeyStore, Certificate, and Signature JCA APIs.

We'll start by understanding what is Digital Signature, how to generate a key pair, and how to certify the public key from a certificate authority (CA). After that, we'll see how to implement Digital Signature using the low-level and high-level JCA APIs.

Digital Signature

Digital Signature is a technique for ensuring:

Integrity: the message hasn't been altered in transit
Authenticity: the author of the message is really who they claim to be
Non-repudiation: the author of the message can't later deny that they were the source

Send message with digital signature

Technically speaking, a digital signature is the encrypted hash (digest, checksum) of a message. That means we generate a hash from a message and encrypt it with a private key according to a chosen algorithm.

The message, the encrypted hash, the corresponding public key, and the algorithm are all then sent. This is classified as a message with its digital signature.

Digital Certificate and Public Key

A certificate is a document that associates an identity to a given public key. Certificates are signed by a third-party entity called a Certificate Authority (CA).

We know that if the hash we decrypt with the published public key matches the actual hash, then the message is signed. However, how do we know that the public key really came from the right entity? This is solved by the use of digital certificates.

A Digital Certificate contains a public key and is itself signed by another entity. A chain of trust.

The most top-level entity is self-signed, which means that his public key is signed by his own private key.

Load a private key from a keystore

Using the KeyStore API, and the previous Keystore file, sender_keystore.p12, we can get a PrivateKey object:

KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("sender_keystore.p12"), "changeit");
PrivateKey privateKey =
(PrivateKey) keyStore.getKey("senderKeyPair", "changeit");

If CA needs to sign the certificate first

if we're going to work with a CA-signed certificate, then we need to create a certificate signing request (CSR). We do this with the certreq command:

keytool -certreq -alias senderKeyPair -storetype PKCS12 \
-keystore sender_keystore.p12 -file -rfc \
-storepass changeit > sender_certificate.csr

The CSR file, sender_certificate.csr, is then sent to a Certificate Authority for the purpose of signing. When this is done, we'll receive a signed public key wrapped in an X.509 certificate, either in binary (DER) or text (PEM) format. Here, we've used the rfc option for a PEM format.

Create personal certificate for shared SSL

use a personal name or identity or a proxy name

Setup a Web Server with SSL

to configure and run a web server that supports SSL. That process consists of three steps:

(1) generate a strong private key,

(2) create a Certificate Signing Request (CSR) and send it to a CA, and

(3) install the CA-provided certificate in your web server.

Java Keystore Types

https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----Overview

Keystore is a storage facility to store cryptographic keys and certificates. They are most frequently used in SSL communications to prove the identity of servers and clients. A keystore can be a file or a hardware device. Three are three kinds of entries can be stored in a keystore depending on the types of keystores.

The three types of entries are:

PrivateKey : This is a type of keys which are used in asymmetric cryptography. It is usually protected with password because of its sensitivity. It can also be used to sign a digital signature.

Certificate : A certificate contains a public key which can identify the subject claimed in the certificate. It is usually used to verify the identity of a server. Sometimes it is also used to identify a client when requested.

SecretKey : A key entry which is used in symmetric cryptography.

Depending on what entries the keystore can store and how the keystore can store the entries, there are a few different types of keystores in Java: JKS, JCEKS, PKCS12, PKCS11 and DKS. You can find the introduction of these keystore on Oracle's Java Cryptography Architecture description.

Next, we will have an overview of these keystore types.

JKS, Java Key Store. You can find this file at sun.security.provider.JavaKeyStore. This keystore is Java specific, it usually has an extension of jks. This type of keystore can contain private keys and certificates, but it cannot be used to store secret keys. Since it's a Java specific keystore, so it cannot be used in other programming languages. The private keys stored in JKS cannot be extracted in Java.

JCEKS, JCE key store(Java Cryptography Extension KeyStore). It is a super set of JKS with more algorithms supported. It is an enhanced standard added later by Sun. You can find this file at com.sun.crypto.provider.JceKeyStore. This keystore has an extension of jceks. The entries which can be put in the JCEKS keystore are private keys, secret keys and certificates. This keystore provides much stronger protection for stored private keys by using Triple DES encryption.

The provider of JCEKS is SunJCE, it was introduced in Java 1.4. Hence prior to Java 1.4, only JKS can be used.

PKCS12, this is a standard keystore type which can be used in Java and other languages. You can find this keystore implementation at sun.security.pkcs12.PKCS12KeyStore. It usually has an extension of p12 or pfx. You can store private keys, secret keys and certificates on this type. Unlike JKS, the private keys on PKCS12 keystore can be extracted in Java. This type is portable and can be operated with other libraries written in other languages such as C, C++ or C#.

The pkcs12 command allows PKCS#12 files (sometimes referred to as PFX files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.

Currently the default keystore type in Java is JKS, i.e the keystore format will be JKS if you don't specify the -storetype while creating keystore with keytool. However, the default keystore type will be changed to PKCS12 in Java 9 because its enhanced compatibility compared to JKS. You can check the default keystore type at $JRE/lib/security/java.security file:

PKCS11, this is a hardware keystore type. It provides an interface for the Java library to connect with hardware keystore devices such as SafeNet's Luna, nCipher or Smart cards. You can find this implementation at sun.security.pkcs11.P11KeyStore. When you load the keystore, you no need to create a specific provider with specific configuration. This keystore can store private keys, secret keys and certificates. When loading the keystore, the entries will be retrieved from the keystore and then converted into software entries.

DKS, Domain KeyStore is a keystore of keystore. It abstracts a collection of keystores that are presented as a single logical keystore. Itself is actually not a keystore. This new keystore type is introduced in Java 8. There is a new class DomainLoadStoreParameter which closely relates to DKS.

This keystore is located at sun.security.provider.DomainKeyStore.java.

Windows-MY, this is a type of keystore on Windows which is managed by the Windows operating system. It stores the user private keys and certificates which can be used to perform cryptographic operations such as signature verification, data encryption etc. Since it's a kind of native keystore, Java doesn't have a general API to access it. Oracle provides a separate API to access the Windows-MY keystore -- SunMSCAPI. The provider class for this API is sun.security.mscapi.SunMSCAPI.

BKS, BoucyCastle keystore, is a keystore format provided the popular third party Java cryptographic library provider -- BouncyCastle. It is a keystore similar to the JKS provided by Oracle JDK. But it supports storing secret key, private key and certificate. It is frequently used in mobile application developments.

In Java, there are a few choices on how a keystore can be processed. Writing the Java code is apparently a choice. Apart from this, a tool comes along with the JDK can also be used, it is called keytool.

keytool is a command line tool. It can be used to create keystore, generate keys, import and export certificates etc. For a full list of commands keytool supports, you can refer to Oracle keytool guideline.

If you are using IBM JDK, there is one more tool which can be used, it is ikeyman. ikeyman is a GUI tool which can provide a straightforward view of the keystore. The entries in the keystore. Keys and certificates can be created using ikeyman as well. It is a tool used frequently by system administrators.

Below are the details of each keystore supported in Java.

Certificate administration options

Java keytool

https://docs.oracle.com/javase/9/tools/keytool.htm#JSWOR-GUID-5990A2E4-78E3-47B7-AE75-6D1826259549

Openssl command line on any platform

Free CA admin tools including Fabric

Task - Add SSL cert into Java keystore jks and cacerts file from download

https://better-coding.com/how-to-add-ssl-certificate-into-java-cacerts-file-and-jks-keystore/

This simple guide shows how to download a certificate and how to add it into Java trust store.

1. Downloading certificate

You can download the certificate in a few ways. Using openssl tool or using browser

1.1. Download SSL certificate using openssl

openssl s_client -showcerts -connect better-coding.com:443 /dev/null|openssl x509 -outform PEM >mycertfile.pem

1.2 Downloading SSL certificate using browser

You can download the certificate using Chrome by going to certificate details and then clicking “Copy to file” button.

2.1 Importing certificate into cacert

Go to the JAVA_HOME\bin directory and run:

keytool -importcert -file mycertfile.pem -keystore cacerts -alias "Alias"

2.2 Importing certificate into jks keystore

keytool -importcert -file mycertfile.pem -keystore keystore.jks -alias "Alias" -storepass <PASSWORD>

Openssl certficate adminisration

Use Linux default openssl if possible

includes default trust store for certificates

Openssl on Windows

install a valid Openssl binary from

Compile Openssl for Windows or get a binary package

only if needed ( usually on Windows if a binary not available )

add a trust store

Use or Create a Trust Store

either use system trust store or get Mozilla trust store

Windows Certificates Trust Store via mmc

Mozilla Root Certificate trust store text file

https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Unfortunately, their certificate collection is in a proprietary format, which is not of much

use to others as is. If you don’t mind getting the collection via a third party, the Curl project

provides a regularly-updated conversion in Privacy-Enhanced Mail (PEM) format, which you

can use directly:

http://curl.haxx.se/docs/caextract.html

But you don’t have to write a conversion script if you’d rather download directly from Mozilla.

Conversion scripts are available in Perl or Go. I describe both in the following sections.

Download & Install Windows Openssl binary

https://slproweb.com/products/Win32OpenSSL.html

For Windows, create openssl_start.bat

sets up openssl environment in Windows

openssl_start.bat.txt

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

This can be solved as following:

Close OpenSSL.
Open a Command Prompt (CMD) as Administrator
Run the following command: SET OPENSSL_CONF=<<my openssl bin path>>\openssl.cnf

Create Keystore, Admin key, User key & cert

use pkcs12 keystore

all key types and portable to any language

Generate a private key for the admin

if using a protected passfile, store in protected zip w option name + dddd

D:\dsfw\files\keyhome>

openssl genrsa -aes256 -passout file:passfile.txt -out jemason1.key 2048

Generating RSA private key, 2048 bit long modulus

..............+++++

.........................................................................................................+++++

e is 65537 (0x010001)

The password file ideally is in UTF-8 encoding for openssl

type or cat the key file to see the encrypted text for the private key generated

type jemason1-pub.pem | more

-----BEGIN PUBLIC KEY-----
.... << more >> ...
-----END PUBLIC KEY-----

create the public key from the private key file

openssl rsa -in jemason1.key -out jemason1-pub.key -pubout

key files output:

jemason1-pub.key jemason1.key passfile.txt

OpenSSL on Linux

error - unknown option on openssl command - can't copy dashes

Search Results
Web results

openssl keeps giving me "unknown option" errors - Server Fault
https://serverfault.com › questions › openssl-keeps-giving-me-unknown-o...
2 answers
Aug 13, 2011 - Delete all of your dashes and re-type them on the command line. when you wish to copy and paste! the - in the out so use arrows to get there and remove - and then type - and press enter, the - near the out is the only - you need to delete and type then it works :D.

CSR - Certificate Signing Request

http://pdfviewer.softgateon.net/?state=%7B%22ids%22:%5B%2211xXUkWZp59faRNh_jjCvXjM1XvQ7R4e9%22%5D,%22action%22:%22open%22,%22userId%22:%22106992337469837643773%22%7D

Once you have a private key, you can proceed to create a Certificate Signing Request

(CSR).

This is a formal request asking a CA to sign a certificate, and it contains the public key of the

entity requesting the certificate and some information about the entity. This data will all be

part of the certificate. A CSR is always signed with the private key corresponding to the public

key it carries.

CSR creation is usually an interactive process during which you’ll be providing the elements

of the certificate distinguished name. Read the instructions given by the openssl tool careful-

ly; if you want a field to be empty, you must enter a single dot (.)

Get details from the site admin for OU, Cname, email, challenge password etc first

 openssl req -new -key fd.key -out fd.cs

Create a pkcs12 file store for certificates

PKCS 12. In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. ... The filename extension for PKCS #12 files is .p12 or .pfx .

The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys

https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs12.html

For PKCS#12 file parsing only -in and -out need to be used for PKCS#12 file creation -export and -name are also used.

Controlling order of keys in pkcs12 file

If none of the -clcerts, -cacerts or -nocerts options are present then all certificates will be output in the order they appear in the input PKCS#12 files. There is no guarantee that the first certificate present is the one corresponding to the private key. Certain software which requires a private key and certificate and assumes the first certificate in the file is the one corresponding to the private key: this may not always be the case. Using the -clcerts option will solve this problem by only outputting the certificate corresponding to the private key. If the CA certificates are required then they can be output to a separate file using the -nokeys -cacerts options to just output CA certificates.

creates a pkcs12 file from a public key

 openssl pkcs12 -export -in jemason1-pub.key -out jemason1.p12 -name "jmason Certificate"

jemfebapr

Tutorial - Create SSL certificates with OpenSSL

https://phoenixnap.com/kb/openssl-tutorial-ssl-certificates-private-keys-csrs

On Ubuntu

ssl folder /usr/lib/ssl is a link to

/etc/ssl

which contains /certs openssl.cnf /private

openssl.cnf has default values for a CSR otherwise they must be entered on CLI

openssl req –out certificatesigningrequest.csr -new -newkey rsa:2048 -nodes -keyout privatekey.key

create the new key and csr request

openssl req –out jmason1.csr -new -newkey rsa:2048 -nodes -keyout jmason1.key

read the key

openssl req -in jmason1.csr -noout -text

Create a public key as a PEM file from private key

openssl rsa -in jmason1.key -outform PEM -pubout -out jmason1-pub.PEM

Create a PKCS12 format file that can be imported into a Windows keystore

Create self-signed certificate with openssl req

openssl-req, req - PKCS#10 certificate request and certificate generating utility

The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.

openssl-x509, x509 - Certificate display and signing utility

https://www.openssl.org/docs/man1.1.1/

example 1 - create new self-signed root CA certificate, private and public key files and a password file

openssl req -x509 -sha256 -outform PEM -days 1000 -out jmason2-crt.pem -new -newkey rsa:2048 -nodes 
-keyout jmason2-key.pem -passin file:passfile.txt

Generating a RSA private key
...........................................................+++++
.....................................................................................+++++
writing new private key to 'jmason2-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [MA]:MA
Locality Name (eg, city) []:North Attleboro
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paramount Software Solutions
Organizational Unit Name (eg, section) []:software
Common Name (e.g. server FQDN or YOUR name) []:Jim Mason
Email Address []:.

openssl req options

-outform DER|PEM

This specifies the output format, the options have the same meaning and default as the -inform option.

-in filename

This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (-new and -newkey) are not specified.

-x509

This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root CA. The extensions added to the certificate (if any) are specified in the configuration file. Unless specified using the set_serial option, a large random number will be used for the serial number.

If existing request is specified with the -in option, it is converted to the self signed certificate otherwise new request is created.

Openssl simple CA app to sign requests

https://www.openssl.org/docs/man1.1.0/man1/ca.html

openssl.org-ca.pdf

Potential Value Opportunities

Potential Challenges

Java app accesses web site with invalid certificate

https://www.infopackets.com/news/10023/how-fix-java-expired-or-not-yet-valid-certificate-error

whenever I try to access my work's website (which uses a Java applet), I receive an error message that says: 'Your security settings have blocked an application with an expired or not-yet-valid certificate from running.' I cannot proceed past that, and am therefore unable to access the website

Analysis steps

By clicking on the padlock with the (!) warning, the browser reported "Connection not secure"; I then clicked to view "More information" and then on the "View certificate" page, I could clearly see that the HTTPS certificate had in fact expired some time last year. This was the reason that the Java applet was reporting an error and would not proceed.

For Google Chrome try

Edit Settings > Privacy & Security > Web site exceptions > not secure connection = allow

How to Fix Java Expired or not-yet-valid Certificate Error.pdf

Candidate Solutions

Step-by-step guide for Example

sample code block

sample code block