Extract .key and .crt files from JKS file

A JKS file is a Java keystore. Using the Java keytool program, run the following commands (keytool will prompt for the keystore password):

Export the certificate as a .der file:

keytool -export -alias sample -file sample.der -keystore my.jks

Convert the .der file to PEM (the .crt file):

openssl x509 -inform der -in sample.der -out sample.crt

Export the whole keystore as a PKCS#12 (.p12) file:

keytool -importkeystore -srckeystore my.jks -destkeystore keystore.p12 -deststoretype PKCS12

Extract the private key from the .p12 file as unencrypted PEM (the key file). -nodes writes the key without a passphrase, so restrict the resulting file's permissions:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out server.key


More info here: http://www.gtopia.org/blog/2010/02/der-vs-crt-vs-cer-vs-pem-certificates/


Install SSL certificates on Nginx

This article shows how SSL certificates purchased from Comodo can be deployed on a server running Nginx.

You must have the server.key file (the private key that was generated along with the CSR used to activate/purchase the certificate).

You should also have two files, *.crt and *.ca-bundle, sent to you by Comodo as a zip archive. Combine them into a single chain file, with your own certificate first and the CA bundle after it (Nginx requires the server certificate to come first). Use > rather than >> so that re-running the command overwrites the file instead of appending a second copy of the chain:

cat mydomain.crt mydomain.ca-bundle > chain.crt

Now copy chain.crt and server.key to the Nginx server, into a directory Nginx can read. Keep server.key readable only by root: the Nginx master process runs as root and loads the key at startup, so no other user needs access to it.

Edit the nginx.conf file and add the following 4 lines to the server block (on Nginx 1.15.0 and later, ssl on; is deprecated; write listen 443 ssl; instead):

server {
    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/chain.crt;
    ssl_certificate_key /etc/ssl/server.key;

    .....
}
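As an added example, not part of the original post, the script below builds chain.crt with the server certificate first, can be re-run without duplicating the chain, and checks that server.key is not group- or world-readable before the files are copied to the Nginx host. File names are placeholders and the PEM bodies are constructed dummies, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: build chain.crt for Nginx and
# sanity-check it and server.key before copying them to the server.
# File names are placeholders; the PEM bodies below are constructed dummies.
set -eu

# Number of "-----BEGIN CERTIFICATE-----" blocks in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print only the first PEM certificate block of a file.
first_cert() {
    awk '/BEGIN CERTIFICATE/{f=1} f{print} /END CERTIFICATE/{exit}' "$1"
}

# Leaf certificate first, then the CA bundle. Uses '>' rather than '>>' so a
# second run overwrites instead of appending a duplicate chain.
# Fails if the leaf file is not PEM or did not end up first in the output.
build_chain() {
    leaf=$1; bundle=$2; out=$3
    head -n 1 "$leaf" | grep -q -- '-----BEGIN CERTIFICATE-----' || return 1
    cat "$leaf" "$bundle" > "$out"
    [ "$(first_cert "$out")" = "$(cat "$leaf")" ]
}

# Succeeds only if the key file is unreadable by group and others
# (chars 5-10 of 'ls -l' output are the group and other permission bits).
key_is_private() {
    case $(ls -ld -- "$1" | cut -c5-10) in
        *r*) return 1 ;;
    esac
}

# Constructed demo inputs in a scratch directory (removed on exit).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
pem() { printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"; }
pem LEAF-DUMMY > "$demo_dir/mydomain.crt"
{ pem INTERMEDIATE-DUMMY; pem ROOT-DUMMY; } > "$demo_dir/mydomain.ca-bundle"
printf 'PLACEHOLDER, NOT A REAL KEY\n' > "$demo_dir/server.key"
chmod 600 "$demo_dir/server.key"

build_chain "$demo_dir/mydomain.crt" "$demo_dir/mydomain.ca-bundle" "$demo_dir/chain.crt"
build_chain "$demo_dir/mydomain.crt" "$demo_dir/mydomain.ca-bundle" "$demo_dir/chain.crt"  # re-run: still 3 certs
echo "chain.crt holds $(count_certs "$demo_dir/chain.crt") certificates (expect 3)"
key_is_private "$demo_dir/server.key" && echo "server.key is not group/world readable"
```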


Uploading GoDaddy SSL cert on AWS Load Balancer

So you have purchased an SSL certificate from GoDaddy and now you want to deploy it on the Amazon Elastic Load Balancer. This article assumes you generated the CSR before buying the certificate, following the steps described here.

In the AWS web console, go to the “Load Balancers” section. Select your ELB and click on the “Listeners” tab. Now add a new listener for HTTPS.


Click on the “Change” link in the “SSL Certificate” column. A form with the following fields appears.


Certificate Name: Enter the name you want to give this certificate.

Private Key: This is the private key you generated along with the CSR. If you followed the steps here, it is called server.key. It must be converted to the form the load balancer accepts: unencrypted, traditional RSA PEM (-----BEGIN RSA PRIVATE KEY-----). The openssl command below strips any passphrase and writes that form (with OpenSSL 3.x, add -traditional, since openssl rsa otherwise writes PKCS#8 output):

openssl rsa -in server.key -out decrypted-server-key.pem

Now copy the contents of the file decrypted-server-key.pem and paste them into the “Private Key” section.

Public Key Certificate: This is the file you got from GoDaddy; it is named something like “yourdomain.crt”. The load balancer wants it as PEM text, which openssl prints as follows (if your .crt is DER-encoded, use -inform DER instead):

openssl x509 -inform PEM -in yourdomain.crt

Copy the entire output of the command above and paste it into the “Public Key Certificate” section.

That's it. Click on “Save” and you are done.

Certificate Signing Request (CSR) using openssl

I used the following procedure to generate the CSR needed to buy an SSL certificate. The server in this case was a Linux server and the certificate was a “wildcard certificate” purchased at GoDaddy.com. Note that -nodes writes server.key without a passphrase, so protect that file once it is created.

# openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

Generating a 2048 bit RSA private key
.............................................................................+++
...............................................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Los Angeles
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.acme.com
Email Address []:admin@acme.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

At this point, two files were created.

# ll
total 8
-rw-r--r-- 1 root root 1054 Dec 28 03:31 server.csr
-rw-r--r-- 1 root root 1704 Dec 28 03:31 server.key

The server.csr file is what you submit to purchase the certificate. The server.key file stays on the server and is never sent to the CA.