[Security] How to use keytool and openssl

certificate security cryptography

I. How to know if a certificate has private key or not

Open the .crt or .cer file. If the Properties window shows "This certificate has a private key", it has a private key (PK) within.

Or import it into certmgr. If it has a key icon along with the certificate icon, it has a PK.

A certificate without a PK cannot authenticate users.

II. Import root certificate into java keystore:

keytool -import -keystore "path to default keystore, like $JAVA_HOME/jre/lib/security/cacerts" -file "root certificate path; quote it if it contains spaces"

At the prompt, type yes/si, depending on the keytool language.

The root certificate file has an extension like .crt and contains only the public key. A .p12 or .pks file is not allowed.

III. List keys in a keystore

keytool -list -keystore "path to your keystore file" -storepass "your keystore password"

If you want more information, add -v or --verbose after -list to show details.

By default it accepts a keystore of type .jks. If the keystore is of type pkcs12 (with extension .p12 or .pks), you cannot list it without -storetype. Add this to the line above:

-storetype pkcs12

If it's of type PKCS11, it is more complicated.

First, when loading a PKCS11 type keystore, we must specify:

keytool -storetype PKCS11 -keystore NONE

These two parameters must be given together, and NONE must be upper-case.

Then, I don't know how to specify a provider by name, and I can only do it with -providerclass. Also, if the provider is SunPKCS11, it must come with a config file, set with -providerarg path/to/file. This path is better without spaces. I cannot make it work with spaces.

The config file is like:

name=SunPKCS11
library=C:\Program Files\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll
showInfo=true

The DLL used here must be that of OpenSC for TAFU card, and Bit4ID for Izenpe card. I cannot use Bit4Id for TAFU. bit4xpki.dll won't do.

Finally, there may be some bugs around this:

According to my comment and the answer, showInfo=true or slot=-1 may be necessary in the config file. Also, use Oracle JDK, not OpenJDK. And add -J-Djava.security.debug=sunpkcs11 at the end to avoid the bug.

Also, -v gives more information for debugging.

So, the command that is working is:

keytool -list -providerclass sun.security.pkcs11.SunPKCS11 -providerArg C:\Users\99GU6879\Desktop\sunpkcs11.cfg -keystore NONE -storetype PKCS11 -storepass a11r1sed -v -J-Djava.security.debug=sunpkcs11

The config file:

name=SunPKCS11
library=C:\Program Files\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll
showInfo=true

Still, I got an error for the TAFU card and the FNMT card. So, maybe it only works with Linux .so files. I think DLL files in Windows are not going to work.

IV. Export certificate into file

First, we need to find the alias of this certificate. Use keytool -list -keystore -storepass | grep "keyword" to find it.

What you can see will be like:

ancert-raiznotariales,22-oct-2010,trustedCertEntry,

ancert_pubv2,03-feb-2012,trustedCertEntry,

ancert_cnpv2,03-feb-2012,trustedCertEntry,

ancert_cgn,02-feb-2012,trustedCertEntry,

ancert_notv2,03-feb-2012,trustedCertEntry,

ancert_cpe,02-feb-2012,trustedCertEntry,

ancert_fernv2,03-feb-2012,trustedCertEntry,

ancert_cdppv2,03-feb-2012,trustedCertEntry,

ancert_cgnv2,03-feb-2012,trustedCertEntry,

ancert_fern,02-feb-2012,trustedCertEntry,

ancert-subnotcorporativos,22-oct-2010,trustedCertEntry,

ancert-raizderechopublico,22-oct-2010,trustedCertEntry,

ancert_cncv2,03-feb-2012,trustedCertEntry,

ancertcnc_v1_2011,15-ene-2014,trustedCertEntry,

ancertce_v1_2011,15-ene-2014,trustedCertEntry,

ancert-subnotapersonales,22-oct-2010,trustedCertEntry,

ancert_cev2,03-feb-2012,trustedCertEntry,

ancert-subderechopublico,22-oct-2010,trustedCertEntry,

ancert-subnotsistemas,22-oct-2010,trustedCertEntry,

If you know the alias, you can print like this:

keytool -list -keystore CAs.jks -storepass giss08 -alias ancert_cev2

ancert_cev2,03-feb-2012,trustedCertEntry,

Huella Digital de Certificado (SHA1): E1:EA:3C:39:32:3D:C2:1B:FB:D3:51:1E:6E:4F:95:EF:A9:94:F9:CF

Next, use keytool -exportcert to export it. Here I have a root cert so the extension is .crt. For personal certs, we have p12 or pfx.

keytool -exportcert -keystore CAs.jks -storepass giss08 -v -alias ancert_cev2 >> ancert.crt

(At first I exported it as txt, and on opening it I found it is encoded hexadecimally, so I think it is a binary file, and I changed its extension.)

keytool -printcert works on certificate files; it does not export a certificate. After getting this file, we can print it in a verbose, readable form:

keytool -printcert -file ancert.crt

What we have is:

Propietario: CN=ANCERT Certificados para empleados V2, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, L=Paseo del General Martinez Campos 46 6a planta 28010 Madrid, C=ES

Emisor: CN=ANCERT Certificados CGN V2, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, C=ES

Número de serie: 7d41e17d7b2008d0bd1693ef4d1b56c9

Válido desde: Thu May 27 11:10:29 CEST 2010 hasta: Wed May 27 11:10:30 CEST 2020

Huellas digitales del Certificado:

MD5: CA:02:A5:E2:43:65:FC:60:6F:87:F2:AB:30:0C:AB:4F

SHA1: E1:EA:3C:39:32:3D:C2:1B:FB:D3:51:1E:6E:4F:95:EF:A9:94:F9:CF

SHA256: 67:FA:A8:8F:B7:69:E3:E1:F4:2E:D7:CD:2E:13:DE:45:8B:94:7D:F4:69:22:99:C2:EA:64:8A:7D:62:23:96:04

Nombre del Algoritmo de Firma: SHA1withRSA

Versión: 3

Extensiones:

#1: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier[

KeyIdentifier[

0000: 05 6E E1 A1 9A EE 07 AF  CE F5 B4 D3 65 3D 04 50  .n..........e=.P

0010: E2 D0 9B 44                                        ...D

]

]

#2: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

CA:true

PathLen:0

]

#3: ObjectId: 2.5.29.31 Criticality=false

CRLDistributionPoints[

[DistributionPoint:

[URIName:http://www.ancert.com/crl/ANCERTCGN_V2.crl, URIName: http://www2.ancert.com/crl/ANCERTCGN_V2.crl, URIName: http://www3.ancert.com/crl/ANCERTCGN_V2.crl]

]]

#4: ObjectId: 2.5.29.32 Criticality=false

CertificatePolicies[

[CertificatePolicyId:[1.3.6.1.4.1.18920.4.2]

[PolicyQualifierInfo:[

qualifierID:1.3.6.1.5.5.7.2.1

qualifier: 0000: 16 1A 68 74 74 70 73 3A  2F 2F 77 77 77 2E 61 6E  ..https://www.an

0010: 63 65 72 74 2E 63 6F 6D  2F 63 70 73              cert.com/cps

]]]

]

#5: ObjectId: 2.5.29.15 Criticality=true

KeyUsage[

DigitalSignature

Key_CertSign

Crl_Sign

]

#6: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName[

RFC822Name:pki.explotacion@ancert.com

]

#7: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier[

KeyIdentifier[

0000: 74 9A 49 8D DA 48 C6 80  28 D3 48 9B CE 57 72 91  t.I..H..(.H..Wr.

0010: 2A EB 03 93                                        *...

]

]

We can also export it to a PEM file with:

keytool -exportcert -alias ancert_cev2 -keypass giss08 -keystore CAs_163_org.jks -rfc -file ancert-cert-para-empleados-v2.pem

What we get is a trusted entry, neither a root nor a personal certificate.

Then, to read what we have in the PEM file, we have openssl:

openssl x509 -in ancert-cert-para-empleados-v2.pem -text -noout

We can get something like:

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

7d:41:e1:7d:7b:20:08:d0:bd:16:93:ef:4d:1b:56:c9

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=ES, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN=ANCERT Certificados CGN V2

Validity

Not Before: May 27 09:10:29 2010 GMT

Not After : May 27 09:10:30 2020 GMT

Subject: C=ES, L=Paseo del General Martinez Campos 46 6a planta 28010 Madrid, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN=ANCERT Certificados para empleados V2

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:


Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Certificate Sign, CRL Sign

X509v3 Basic Constraints: critical

CA:TRUE, pathlen:0

X509v3 Subject Key Identifier:

74:9A:49:8D:DA:48:C6:80:28:D3:48:9B:CE:57:72:91:2A:EB:03:93

X509v3 Certificate Policies:

Policy: 1.3.6.1.4.1.18920.4.2

CPS: https://www.ancert.com/cps

X509v3 CRL Distribution Points:

Full Name:

URI:http://www.ancert.com/crl/ANCERTCGN_V2.crl

URI:http://www2.ancert.com/crl/ANCERTCGN_V2.crl

URI:http://www3.ancert.com/crl/ANCERTCGN_V2.crl

X509v3 Subject Alternative Name:

email:pki.explotacion@ancert.com

X509v3 Authority Key Identifier:

keyid:05:6E:E1:A1:9A:EE:07:AF:CE:F5:B4:D3:65:3D:04:50:E2:D0:9B:44

Signature Algorithm: sha1WithRSAEncryption


We cannot read the .crt file with this command: the .crt exported above is a binary (DER) file, while openssl x509 expects PEM by default. It will say:

unable to load certificate

4294956672:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

This way, we get only the certificate info, and no private key info is exported. It also works only with trusted entries. Normally, we use:

keytool -importkeystore -srckeystore foo.jks \
    -destkeystore foo.p12 \
    -srcstoretype jks \
    -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

This does not work with trusted entries; it is a limitation of the PKCS 12 format.
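The choice between the two export routes above can be read off the keytool -list output. This is an added example, not code from the original post: it labels each alias following the post's rule that trusted entries go through -exportcert -rfc and key entries through the PKCS12 route. The alias mykey and the route labels are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `keytool -list` output on stdin, prints "alias route".
plan_exports() {
    awk -F',' '
    {
        # Entry lines end with a comma, so the last field is empty: skip blanks.
        n = NF
        while (n > 0 && $n ~ /^[ \t\r]*$/) n--
        if (n < 3) next                       # headers and fingerprint lines
        alias = $1; type = $n                 # the date may itself contain a comma
        gsub(/^[ \t]+|[ \t\r]+$/, "", alias)
        gsub(/^[ \t]+|[ \t\r]+$/, "", type)
        if (type !~ /Entry$/) next
        if (type == "trustedCertEntry")     route = "exportcert-rfc"
        else if (type == "PrivateKeyEntry") route = "importkeystore-pkcs12"
        else                                route = "review-manually"
        print alias, route
    }'
}

# Lines in the shape shown in this post, plus one constructed English-locale
# PrivateKeyEntry line (hypothetical alias "mykey").
sample_listing() {
    cat <<'EOF'
ancert_cev2,03-feb-2012,trustedCertEntry,
HuellaDigitaldeCertificado(SHA1):E1:EA:3C:39:32:3D:C2:1B:FB:D3:51:1E:6E:4F:95:EF:A9:94:F9:CF
ancert-raiznotariales,22-oct-2010,trustedCertEntry,
mykey, Oct 22, 2010, PrivateKeyEntry,
EOF
}

sample_listing | plan_exports
```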

See this question for more info:

V. Connect to site with openssl

We have:

openssl s_client -connect redp.seg-social.es:443 -cert ancert.pem

This PEM file must contain the private key.

When we connect, we can see the certificate chain:

---

Certificate chain

0 s:/C=ES/L=MADRID/O=GERENCIA DE INFORMATICA DE LA SEGURIDAD SOCIAL/OU=GERENCIA DE INFORMATICA DE LA SEGURIDAD SOCIAL/serialNumber=Q2827003A/CN=*.seg-social.es

i:/C=ES/O=FNMT-RCM/OU=AC Componentes Inform\xC3\xA1ticos

1 s:/C=ES/O=FNMT-RCM/OU=AC Componentes Inform\xC3\xA1ticos

i:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM

2 s:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM

i:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM

---
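A pre-flight check for two points made above: the "no start line" error when openssl x509 is given the binary .crt, and the requirement that the file passed to -cert contains the private key. This is an added example, not code from the original post; the function names and sample files are constructed, and the sample bodies are placeholders rather than real certificates or keys.

```shell
#!/bin/sh
# Added example. Prints one of: pem-cert | pem-cert+key | pem-key | der | unknown
classify_cert_file() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    cert=0; key=0
    # PEM armor lines; TRUSTED CERTIFICATE is the variant named in the openssl error.
    grep -q -e '^-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----' "$f" && cert=1
    # Covers PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
    grep -q -e '^-----BEGIN \([A-Z]* \)\{0,1\}PRIVATE KEY-----' "$f" && key=1
    case "$cert$key" in
        11) echo pem-cert+key; return 0 ;;
        10) echo pem-cert; return 0 ;;
        01) echo pem-key; return 0 ;;
    esac
    # No armor: DER data (a keytool -exportcert file without -rfc, but also a
    # .p12) starts with the ASN.1 SEQUENCE tag 0x30.
    first=$(od -An -tx1 -N 1 "$f" | tr -d ' \n')
    if [ "$first" = 30 ]; then echo der; else echo unknown; fi
}

# Constructed sample files: placeholder base64 bodies, not real certificates or keys.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$dir/ca.pem"
    { cat "$dir/ca.pem"
      printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
          '-----END ENCRYPTED PRIVATE KEY-----'; } > "$dir/client.pem"
    printf '\060\202\001\012' > "$dir/ca.crt"   # first bytes of a DER SEQUENCE
}

tmp=$(mktemp -d) && make_samples "$tmp"
for name in ca.pem client.pem ca.crt; do
    printf '%-11s %s\n' "$name" "$(classify_cert_file "$tmp/$name")"
done
rm -rf "$tmp"
```

A der result means openssl x509 needs -inform DER to read the file, and only a pem-cert+key file can be used on its own with s_client -cert.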
