signature=c7c7ed81692d4e3c05de541c6f6662cd,[Security] How to use keytool and openssl

[Security] How to use keytool and openssl

certificate security cryptography

I. How to know if a certificate has private key or not

Open the crt or cre file, if in the Property window you see "This certificate has a private key", it has a PK within.

Or, import it into certmgr, if it has a key icon along with the certificate icon, it has PK.

Certificate without PK cannot authenticate users.

II. Import root certificate into java keystore:

keytool-import-keystore"path to default keystore, like '$JAVA_HOME/jre/lib/security/cacerts' "-file'root certificate path, if has space, must quote with " "'

and in the prompt, type yes/si, depending on the keytool language.

The root path has extensions like .crt, which only has public key. .p12 or .pks is not allowed.

III. List keys in a keystore

keytool-list-keystore"path to your keystore file"-storepass

if you want more info, after -list you can put -v or --verbose to show details.

By default it accepts .jks type keystore. If the keystore is of type pkcs12(with extension .p12 or .pks, you cannot list it without -storetype. Add this to the line above:

-storetype pkcs12

If it's of type PKCS11, it is more complicated.

First, when loading a PKCS11 type keystore, we must specify:

keytool-storetype PKCS11-keystore NONE

These two parameters must be together and NONE is upper-cased.

Then, I don't know how to specify a provider with name, and I can only do it with -providerclass. And, if a provider is SunPKCS11, it must come with a config file, set in -providerarg path/to/file. This path is better without space. I cannot make it work with space.

The config file is like:

name=SunPKCS11

library=C:\ProgramFiles\OpenSCProject\PKCS11-Spy\pkcs11-spy.dll

showInfo=true

The DLL used here must be that of OpenSC for TAFU card, and Bit4ID for Izenpe card. I cannot use Bit4Id for TAFU. bit4xpki.dll won't do.

At last, there may be some bugs around this:

According to my comment and the answer, showInfo=true, or solt=-1 may be necessary in the config file. And, use Oracle JDK, not Open JDK. And, add -J-Djava.security.debug=sunpkcs11 at last to avoid the bug.

And, -v gives more information for debug.

So, the command that is working is:

keytool-list-providerclass sun.security.pkcs11.SunPKCS11-providerArg C:\Users\99GU6879\Desktop\sunpkcs11.cfg-keystore NONE-storetype PKCS11-storepass a11r1sed-v-J-Djava.security.debug=sunpkcs11

The config file:

name=SunPKCS11

library=C:\ProgramFiles\OpenSCProject\PKCS11-Spy\pkcs11-spy.dll

showInfo=true

Still, I got error for TAFU card and FNMT card. So, maybe it only works with Linux .so files. I think DLL files in Windows is not gonna work.

IV. Export certificate into file

First, we need to find the alias of this certificate. Use keytool -list -keystore -storepass | grep "keyword" to find it.

What you can see will be like:

ancert-raiznotariales,22-oct-2010,trustedCertEntry,

ancert_pubv2,03-feb-2012,trustedCertEntry,

ancert_cnpv2,03-feb-2012,trustedCertEntry,

ancert_cgn,02-feb-2012,trustedCertEntry,

ancert_notv2,03-feb-2012,trustedCertEntry,

ancert_cpe,02-feb-2012,trustedCertEntry,

ancert_fernv2,03-feb-2012,trustedCertEntry,

ancert_cdppv2,03-feb-2012,trustedCertEntry,

ancert_cgnv2,03-feb-2012,trustedCertEntry,

ancert_fern,02-feb-2012,trustedCertEntry,

ancert-subnotcorporativos,22-oct-2010,trustedCertEntry,

ancert-raizderechopublico,22-oct-2010,trustedCertEntry,

ancert_cncv2,03-feb-2012,trustedCertEntry,

ancertcnc_v1_2011,15-ene-2014,trustedCertEntry,

ancertce_v1_2011,15-ene-2014,trustedCertEntry,

ancert-subnotapersonales,22-oct-2010,trustedCertEntry,

ancert_cev2,03-feb-2012,trustedCertEntry,

ancert-subderechopublico,22-oct-2010,trustedCertEntry,

ancert-subnotsistemas,22-oct-2010,trustedCertEntry,

If you know the alias, you can print like this:

keytool-list-keystoreCAs.jks-storepass giss08-aliasancert_cev2

ancert_cev2,03-feb-2012,trustedCertEntry,

HuellaDigitaldeCertificado(SHA1):E1:EA:3C:39:32:3D:C2:1B:FB:D3:51:1E:6E:4F:95:EF:A9:94:F9:CF

Next, use keytool -exportcert to export it. Here I have a root cert so the extension is .crt. For personal certs, we have p12 or pfx.

keytool-exportcert-keystoreCAs.jks-storepass giss08-v-aliasancert_cev2>>ancert.crt

(At first I exported it as txt, and opening it I found it is encoded hexdecimally, so I think it is a binary file, and change its extension.)

keytool -printcert is for files, not for exporting cert. After getting this file, we can print it to get a verbose/readable form:

keytool-printcert-file ancert.crt

What we have is:

Propietario:CN=ANCERTCertificadospara empleados V2,O=AgenciaNotarialdeCertificacionS.L.U.-CIF B83395988,L=PaseodelGeneralMartinezCampos466aplanta28010Madrid,C=ES

Emisor:CN=ANCERTCertificadosCGN V2,O=AgenciaNotarialdeCertificacionS.L.U.-CIF B83395988,C=ES

Número de serie:7d41e17d7b2008d0bd1693ef4d1b56c9

Válido desde:ThuMay2711:10:29CEST2010hasta:WedMay2711:10:30CEST2020

HuellasdigitalesdelCertificado:

MD5:CA:02:A5:E2:43:65:FC:60:6F:87:F2:AB:30:0C:AB:4F

SHA1:E1:EA:3C:39:32:3D:C2:1B:FB:D3:51:1E:6E:4F:95:EF:A9:94:F9:CF

SHA256:67:FA:A8:8F:B7:69:E3:E1:F4:2E:D7:CD:2E:13:DE:45:8B:94:7D:F4:69:22:99:C2:EA:64:8A:7D:62:23:96:04

NombredelAlgoritmodeFirma:SHA1withRSA

Versión:3

Extensiones:

#1: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier[

KeyIdentifier[

0000:056EE1 A19AEE07AF CE F5 B4 D3653D0450.n..........e=.P

0010:E2 D09B44...D

]

]

#2: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

CA:true

PathLen:0

]

#3: ObjectId: 2.5.29.31 Criticality=false

CRLDistributionPoints[

[DistributionPoint:

[URIName:http://www.ancert.com/crl/ANCERTCGN_V2.crl, URIName: http://www2.ancert.com/crl/ANCERTCGN_V2.crl, URIName: http://www3.ancert.com/crl/ANCERTCGN_V2.crl]

]]

#4: ObjectId: 2.5.29.32 Criticality=false

CertificatePolicies[

[CertificatePolicyId:[1.3.6.1.4.1.18920.4.2]

[PolicyQualifierInfo:[

qualifierID:1.3.6.1.5.5.7.2.1

qualifier:0000:161A68747470733A2F2F7777772E616E..https://www.an

0010:636572742E636F6D2F637073cert.com/cps

]]]

]

#5: ObjectId: 2.5.29.15 Criticality=true

KeyUsage[

DigitalSignature

Key_CertSign

Crl_Sign

]

#6: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName[

RFC822Name:pki.explotacion@ancert.com

]

#7: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier[

KeyIdentifier[

0000:749A498DDA48C68028D3489BCE577291t.I..H..(.H..Wr.

0010:2AEB0393*...

]

]

We can also export it to a pem file with:keytool -exportcert -alias ancert_cev2 -keypass giss08 -keystore CAs_163_org.jks -rfc -file ancert-cert-para-empleados-v2.pem

What we get is a trusted entry, not a root neither a personal certificate.

Then, to read what we have in the pem file, we have openssl:openssl x509 -in ancert-cert-para-empleados-v2.pem -text -noout

We can get something like:Certificate:

Data:

Version: 3 (0x2)

Serial Number:

7d:41:e1:7d:7b:20:08:d0:bd:16:93:ef:4d:1b:56:c9

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=ES, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN=ANCERT Certificados CGN V2

Validity

Not Before: May 27 09:10:29 2010 GMT

Not After : May 27 09:10:30 2020 GMT

Subject: C=ES, L=Paseo del General Martinez Campos 46 6a planta 28010 Madrid, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN=ANCERT Certificados para empleados V2

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (4096 bit)

Modulus:

00:c0:ff:c5:1b:06:ce:8b:cc:c7:81:ea:8c:55:b8:

50:f3:7d:03:c8:0b:a2:02:b6:50:10:ab:5e:b3:b1:

7f:e1:d1:ef:a2:47:0e:34:97:26:06:bf:64:6c:f6:

02:c4:14:c6:8f:39:f7:ed:5e:ca:69:71:78:c0:ad:

4f:d7:25:c7:03:34:cb:8c:ba:51:d0:72:e1:44:fa:

f9:e2:1e:5c:95:30:df:85:a6:ee:75:03:cc:09:b7:

b8:b8:2d:34:45:5e:30:6f:0b:78:76:6e:51:68:67:

26:17:98:8d:c5:61:45:f5:d0:e2:65:06:2c:8a:f0:

1c:ef:d5:30:75:9b:70:10:f6:a1:11:a9:ca:29:ff:

aa:ba:08:c7:2b:0a:01:1e:cc:53:20:33:45:a7:d9:

34:4d:69:13:14:5c:bd:c9:02:92:90:95:0e:6b:35:

e2:9c:44:f7:c2:0c:4e:eb:a3:4b:76:b4:e5:c5:9c:

b9:e9:51:b7:eb:8e:1d:de:69:6b:68:2b:06:dd:1e:

31:24:dd:5c:fa:da:4e:8a:a2:b4:a1:dd:a0:f0:c8:

fd:02:7f:12:c6:2b:6e:c1:45:73:1d:f8:9f:68:b4:

be:33:04:8b:70:1d:c9:8b:10:ec:a4:9f:00:b0:41:

22:95:7b:e7:72:50:05:06:87:c2:5d:b1:35:d6:3f:

3f:b8:1d:31:e5:32:cb:3a:1d:fb:3f:dc:63:ef:55:

cd:5e:55:ed:3c:b1:31:ae:02:ef:5e:cf:c3:71:a2:

92:65:30:47:45:ca:31:9e:2f:8c:6d:76:5f:5f:ce:

7b:d0:41:f8:87:f8:89:12:f4:13:70:87:fc:f0:e5:

a4:9f:a2:d0:35:32:e9:07:b3:50:54:77:57:3d:e6:

71:da:8f:da:66:e4:e6:af:57:04:e9:ff:0e:93:0e:

89:6a:9f:61:86:c5:46:0d:23:09:00:0f:4f:3c:26:

31:e4:54:c5:a4:72:c6:d1:fb:da:73:b8:30:f0:d5:

2c:3a:f1:0f:ed:09:46:2f:83:1c:5f:74:42:b1:be:

15:c2:4d:b8:d4:c1:97:1b:38:5f:47:07:d2:73:2a:

35:60:54:1b:57:83:e7:3e:26:95:b3:8d:f0:62:d5:

bf:94:3e:e5:4b:11:6f:f8:1c:a3:a1:15:6b:6c:ca:

72:d1:0a:92:0c:34:51:33:27:6a:e2:5c:d6:25:52:

55:d8:8c:a2:79:47:ed:c1:9d:33:e9:03:78:de:f3:

d7:01:b9:9d:69:81:e0:67:5c:c6:9f:34:a7:60:db:

8a:6f:5e:25:14:a6:c4:cf:c4:ad:fb:07:db:6a:af:

67:0c:18:a2:e2:16:67:36:e2:0a:23:03:81:22:6b:

a2:5a:5b

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Certificate Sign, CRL Sign

X509v3 Basic Constraints: critical

CA:TRUE, pathlen:0

X509v3 Subject Key Identifier:

74:9A:49:8D:DA:48:C6:80:28:D3:48:9B:CE:57:72:91:2A:EB:03:93

X509v3 Certificate Policies:

Policy: 1.3.6.1.4.1.18920.4.2

CPS: https://www.ancert.com/cps

X509v3 CRL Distribution Points:

Full Name:

URI:http://www.ancert.com/crl/ANCERTCGN_V2.crl

URI:http://www2.ancert.com/crl/ANCERTCGN_V2.crl

URI:http://www3.ancert.com/crl/ANCERTCGN_V2.crl

X509v3 Subject Alternative Name:

email:pki.explotacion@ancert.com

X509v3 Authority Key Identifier:

keyid:05:6E:E1:A1:9A:EE:07:AF:CE:F5:B4:D3:65:3D:04:50:E2:D0:9B:44

Signature Algorithm: sha1WithRSAEncryption

95:80:48:d6:21:16:5a:5a:e9:ae:a5:cc:b2:52:0f:93:39:fa:

f3:66:6b:e1:5b:44:72:48:f3:91:3a:f7:04:15:09:90:70:6f:

1c:b1:40:a7:0f:4d:e2:6b:fd:f1:cd:77:e9:4c:d7:4f:92:bf:

b2:84:24:c5:ed:b0:8e:0a:86:fb:b5:c0:f1:b1:29:2a:04:73:

b5:9c:9a:4d:5a:1f:fd:c1:5e:49:e7:74:36:2e:1e:c1:b4:e5:

ba:a7:0a:92:cf:aa:e8:43:73:ff:49:e9:6c:61:00:f0:59:da:

7c:48:5e:70:da:99:e5:b5:9d:7e:51:d1:9e:26:7e:f6:f4:70:

cb:f7:b8:31:fb:2b:ab:cf:2d:f4:f0:05:c9:15:18:9d:e2:24:

fc:08:c0:1d:07:4d:6b:9e:d0:ed:13:22:40:0a:de:f2:6c:61:

4b:b1:5f:d7:6b:09:95:dc:43:46:c4:23:20:08:1f:26:4c:dc:

37:fe:66:4b:cb:bc:ed:c9:94:7a:1b:bb:b3:cb:34:d6:72:70:

22:e8:4b:9d:d5:a1:32:60:b5:67:64:a5:8c:2e:22:75:8e:dc:

c4:1a:dc:2e:33:9e:06:ce:5e:b4:c5:18:c3:65:4e:0c:c7:7f:

52:19:0a:8b:b3:e7:b9:1a:3c:51:46:68:af:f5:a4:87:9b:00:

fe:16:26:19:f1:5e:f5:19:d4:f9:00:c3:6e:9f:f8:21:ad:23:

66:1d:79:32:da:9f:09:a7:05:7b:90:df:7d:03:f6:8f:0f:0c:

31:f5:b7:2b:84:65:8b:f0:f0:18:9f:90:03:a3:fb:5e:82:d1:

d3:86:00:f8:33:cd:7c:50:9a:07:b3:06:e0:ec:0d:a1:98:54:

00:75:e6:17:9f:fa:ad:a3:1a:67:42:00:cd:5f:ab:f5:a6:8f:

1b:1f:c8:bd:f7:21:c8:0b:b3:cc:09:3f:eb:c8:30:86:c5:26:

fc:af:28:b3:f4:d9:7a:7b:91:ef:c4:11:60:f3:4d:44:fe:da:

90:e8:42:5d:c5:52:77:74:16:e6:eb:ee:2c:bd:c0:7b:b1:a3:

96:68:c4:46:81:2a:4d:08:b2:4d:1a:d1:aa:37:cc:61:11:bb:

60:1a:e2:5b:bb:88:5d:07:6d:18:25:9a:ec:c6:8a:be:17:c3:

4d:5c:34:cc:7f:82:20:4c:58:c8:af:80:cf:0c:03:e3:57:0c:

94:ce:06:33:9d:37:fe:4c:a0:5e:85:32:ca:7e:67:4d:1c:95:

2f:d1:b4:b6:cd:18:3d:cc:ad:33:a0:0f:02:e7:8a:4e:51:24:

65:9b:fd:58:02:3c:c9:15:46:9c:f3:e7:55:ef:c4:78:37:0d:

3d:52:20:7e:03:5d:ff:11

We cannot read crt file with this command. It will say:unable to load certificate

4294956672:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

By this way, we get only certificate info, and no private key info is exported. And it works only with trusted entries. Normally, we use:keytool -importkeystore -srckeystore foo.jks \

-destkeystore foo.p12 \

-srcstoretype jks \

-deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

This does not work with trusted entries, is a limitation of PKCS 12 format.

See this question for more info:

V. Connect to site with openssl

We have:openssl s_client -connect redp.seg-social.es:443 -cert ancert.pem

This pem file must contain private key info.

When we connect, we can see the certificate chain:---

Certificate chain

0 s:/C=ES/L=MADRID/O=GERENCIA DE INFORMATICA DE LA SEGURIDAD SOCIAL/OU=GERENCIA DE INFORMATICA DE LA SEGURIDAD SOCIAL/serialNumber=Q2827003A/CN=*.seg-social.es

i:/C=ES/O=FNMT-RCM/OU=AC Componentes Inform\xC3\xA1ticos

1 s:/C=ES/O=FNMT-RCM/OU=AC Componentes Inform\xC3\xA1ticos

i:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM

2 s:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM

i:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM

---