[关闭]
@torresdyl 2017-08-23T18:07:11.000000Z 字数 11781 阅读 4319

[Security] How to use keytool and openssl

certificate security cryptography


I. How to know if a certificate has private key or not

Open the crt or cre file, if in the Property window you see "This certificate has a private key", it has a PK within.

Or, import it into certmgr, if it has a key icon along with the certificate icon, it has PK.

Certificate without PK cannot authenticate users.

II. Import root certificate into java keystore:

  1. keytool -import -keystore "path to default keystore, like '$JAVA_HOME/jre/lib/security/cacerts' " -file 'root certificate path, if has space, must quote with " "'

and in the prompt, type yes/si, depending on the keytool language.

The root path has extensions like .crt, which only has public key. .p12 or .pks is not allowed.

III. List keys in a keystore

  1. keytool -list -keystore "path to your keystore file" -storepass <password>

if you want more info, after -list you can put -v or --verbose to show details.

By default it accepts .jks type keystore. If the keystore is of type pkcs12(with extension .p12 or .pks, you cannot list it without -storetype. Add this to the line above:

  1. -storetype pkcs12

If it's of type PKCS11, it is more complicated.

First, when loading a PKCS11 type keystore, we must specify:

  1. keytool -storetype PKCS11 -keystore NONE

These two parameters must be together and NONE is upper-cased.

Then, I don't know how to specify a provider with name, and I can only do it with -providerclass. And, if a provider is SunPKCS11, it must come with a config file, set in -providerarg path/to/file. This path is better without space. I cannot make it work with space.
The config file is like:

  1. name = SunPKCS11
  2. library=C:\Program Files\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll
  3. showInfo=true

The DLL used here must be that of OpenSC for TAFU card, and Bit4ID for Izenpe card. I cannot use Bit4Id for TAFU. bit4xpki.dll won't do.

At last, there may be some bugs around this:

https://stackoverflow.com/questions/8247115/java-keytool-with-opensc-pkcs11-provider-only-works-with-debug-option-enabled

According to my comment and the answer, showInfo=true, or solt=-1 may be necessary in the config file. And, use Oracle JDK, not Open JDK. And, add -J-Djava.security.debug=sunpkcs11 at last to avoid the bug.

And, -v gives more information for debug.

So, the command that is working is:

  1. keytool -list -providerclass sun.security.pkcs11.SunPKCS11 -providerArg C:\Users\99GU6879\Desktop\sunpkcs11.cfg -keystore NONE -storetype PKCS11 -storepass a11r1sed -v -J-Djava.security.debug=sunpkcs11

The config file:

  1. name = SunPKCS11
  2. library=C:\Program Files\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll
  3. showInfo=true

Still, I got error for TAFU card and FNMT card. So, maybe it only works with Linux .so files. I think DLL files in Windows is not gonna work.

IV. Export certificate into file

First, we need to find the alias of this certificate. Use keytool -list -keystore <file-name> -storepass <password> | grep "keyword" to find it.

What you can see will be like:

  1. ancert-raiznotariales, 22-oct-2010, trustedCertEntry,
  2. ancert_pubv2, 03-feb-2012, trustedCertEntry,
  3. ancert_cnpv2, 03-feb-2012, trustedCertEntry,
  4. ancert_cgn, 02-feb-2012, trustedCertEntry,
  5. ancert_notv2, 03-feb-2012, trustedCertEntry,
  6. ancert_cpe, 02-feb-2012, trustedCertEntry,
  7. ancert_fernv2, 03-feb-2012, trustedCertEntry,
  8. ancert_cdppv2, 03-feb-2012, trustedCertEntry,
  9. ancert_cgnv2, 03-feb-2012, trustedCertEntry,
  10. ancert_fern, 02-feb-2012, trustedCertEntry,
  11. ancert-subnotcorporativos, 22-oct-2010, trustedCertEntry,
  12. ancert-raizderechopublico, 22-oct-2010, trustedCertEntry,
  13. ancert_cncv2, 03-feb-2012, trustedCertEntry,
  14. ancertcnc_v1_2011, 15-ene-2014, trustedCertEntry,
  15. ancertce_v1_2011, 15-ene-2014, trustedCertEntry,
  16. ancert-subnotapersonales, 22-oct-2010, trustedCertEntry,
  17. ancert_cev2, 03-feb-2012, trustedCertEntry,
  18. ancert-subderechopublico, 22-oct-2010, trustedCertEntry,
  19. ancert-subnotsistemas, 22-oct-2010, trustedCertEntry,

If you know the alias, you can print like this:

  1. keytool -list -keystore CAs.jks -storepass giss08 -alias ancert_cev2
  2. ancert_cev2, 03-feb-2012, trustedCertEntry,
  3. Huella Digital de Certificado (SHA1): E1:EA:3C:39:32:3D:C2:1B:FB:D3:51:1E:6E:4F:95:EF:A9:94:F9:CF

Next, use keytool -exportcert to export it. Here I have a root cert so the extension is .crt. For personal certs, we have p12 or pfx.

  1. keytool -exportcert -keystore CAs.jks -storepass giss08 -v -alias ancert_cev2 >> ancert.crt

(At first I exported it as txt, and opening it I found it is encoded hexdecimally, so I think it is a binary file, and change its extension.)

keytool -printcert is for files, not for exporting cert. After getting this file, we can print it to get a verbose/readable form:

  1. keytool -printcert -file ancert.crt

What we have is:

  1. Propietario: CN=ANCERT Certificados para empleados V2, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, L=Paseo del General Martinez Campos 46 6a planta 28010 Madrid, C=ES
  2. Emisor: CN=ANCERT Certificados CGN V2, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, C=ES
  3. Número de serie: 7d41e17d7b2008d0bd1693ef4d1b56c9
  4. Válido desde: Thu May 27 11:10:29 CEST 2010 hasta: Wed May 27 11:10:30 CEST 2020
  5. Huellas digitales del Certificado:
  6. MD5: CA:02:A5:E2:43:65:FC:60:6F:87:F2:AB:30:0C:AB:4F
  7. SHA1: E1:EA:3C:39:32:3D:C2:1B:FB:D3:51:1E:6E:4F:95:EF:A9:94:F9:CF
  8. SHA256: 67:FA:A8:8F:B7:69:E3:E1:F4:2E:D7:CD:2E:13:DE:45:8B:94:7D:F4:69:22:99:C2:EA:64:8A:7D:62:23:96:04
  9. Nombre del Algoritmo de Firma: SHA1withRSA
  10. Versión: 3
  11. Extensiones:
  12. #1: ObjectId: 2.5.29.35 Criticality=false
  13. AuthorityKeyIdentifier [
  14. KeyIdentifier [
  15. 0000: 05 6E E1 A1 9A EE 07 AF CE F5 B4 D3 65 3D 04 50 .n..........e=.P
  16. 0010: E2 D0 9B 44 ...D
  17. ]
  18. ]
  19. #2: ObjectId: 2.5.29.19 Criticality=true
  20. BasicConstraints:[
  21. CA:true
  22. PathLen:0
  23. ]
  24. #3: ObjectId: 2.5.29.31 Criticality=false
  25. CRLDistributionPoints [
  26. [DistributionPoint:
  27. [URIName: http://www.ancert.com/crl/ANCERTCGN_V2.crl, URIName: http://www2.ancert.com/crl/ANCERTCGN_V2.crl, URIName: http://www3.ancert.com/crl/ANCERTCGN_V2.crl]
  28. ]]
  29. #4: ObjectId: 2.5.29.32 Criticality=false
  30. CertificatePolicies [
  31. [CertificatePolicyId: [1.3.6.1.4.1.18920.4.2]
  32. [PolicyQualifierInfo: [
  33. qualifierID: 1.3.6.1.5.5.7.2.1
  34. qualifier: 0000: 16 1A 68 74 74 70 73 3A 2F 2F 77 77 77 2E 61 6E ..https://www.an
  35. 0010: 63 65 72 74 2E 63 6F 6D 2F 63 70 73 cert.com/cps
  36. ]] ]
  37. ]
  38. #5: ObjectId: 2.5.29.15 Criticality=true
  39. KeyUsage [
  40. DigitalSignature
  41. Key_CertSign
  42. Crl_Sign
  43. ]
  44. #6: ObjectId: 2.5.29.17 Criticality=false
  45. SubjectAlternativeName [
  46. RFC822Name: pki.explotacion@ancert.com
  47. ]
  48. #7: ObjectId: 2.5.29.14 Criticality=false
  49. SubjectKeyIdentifier [
  50. KeyIdentifier [
  51. 0000: 74 9A 49 8D DA 48 C6 80 28 D3 48 9B CE 57 72 91 t.I..H..(.H..Wr.
  52. 0010: 2A EB 03 93 *...
  53. ]
  54. ]

We can also export it to a pem file with:

keytool -exportcert -alias ancert_cev2 -keypass giss08 -keystore CAs_163_org.jks -rfc -file ancert-cert-para-empleados-v2.pem

What we get is a trusted entry, not a root neither a personal certificate.

Then, to read what we have in the pem file, we have openssl:

openssl x509 -in ancert-cert-para-empleados-v2.pem -text -noout

We can get something like:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        7d:41:e1:7d:7b:20:08:d0:bd:16:93:ef:4d:1b:56:c9
Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=ES, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN=ANCERT Certificados CGN V2
    Validity
        Not Before: May 27 09:10:29 2010 GMT
        Not After : May 27 09:10:30 2020 GMT
    Subject: C=ES, L=Paseo del General Martinez Campos 46 6a planta 28010 Madrid, O=Agencia Notarial de Certificacion S.L.U. - CIF B83395988, CN=ANCERT Certificados para empleados V2
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                00:c0:ff:c5:1b:06:ce:8b:cc:c7:81:ea:8c:55:b8:
                50:f3:7d:03:c8:0b:a2:02:b6:50:10:ab:5e:b3:b1:
                7f:e1:d1:ef:a2:47:0e:34:97:26:06:bf:64:6c:f6:
                02:c4:14:c6:8f:39:f7:ed:5e:ca:69:71:78:c0:ad:
                4f:d7:25:c7:03:34:cb:8c:ba:51:d0:72:e1:44:fa:
                f9:e2:1e:5c:95:30:df:85:a6:ee:75:03:cc:09:b7:
                b8:b8:2d:34:45:5e:30:6f:0b:78:76:6e:51:68:67:
                26:17:98:8d:c5:61:45:f5:d0:e2:65:06:2c:8a:f0:
                1c:ef:d5:30:75:9b:70:10:f6:a1:11:a9:ca:29:ff:
                aa:ba:08:c7:2b:0a:01:1e:cc:53:20:33:45:a7:d9:
                34:4d:69:13:14:5c:bd:c9:02:92:90:95:0e:6b:35:
                e2:9c:44:f7:c2:0c:4e:eb:a3:4b:76:b4:e5:c5:9c:
                b9:e9:51:b7:eb:8e:1d:de:69:6b:68:2b:06:dd:1e:
                31:24:dd:5c:fa:da:4e:8a:a2:b4:a1:dd:a0:f0:c8:
                fd:02:7f:12:c6:2b:6e:c1:45:73:1d:f8:9f:68:b4:
                be:33:04:8b:70:1d:c9:8b:10:ec:a4:9f:00:b0:41:
                22:95:7b:e7:72:50:05:06:87:c2:5d:b1:35:d6:3f:
                3f:b8:1d:31:e5:32:cb:3a:1d:fb:3f:dc:63:ef:55:
                cd:5e:55:ed:3c:b1:31:ae:02:ef:5e:cf:c3:71:a2:
                92:65:30:47:45:ca:31:9e:2f:8c:6d:76:5f:5f:ce:
                7b:d0:41:f8:87:f8:89:12:f4:13:70:87:fc:f0:e5:
                a4:9f:a2:d0:35:32:e9:07:b3:50:54:77:57:3d:e6:
                71:da:8f:da:66:e4:e6:af:57:04:e9:ff:0e:93:0e:
                89:6a:9f:61:86:c5:46:0d:23:09:00:0f:4f:3c:26:
                31:e4:54:c5:a4:72:c6:d1:fb:da:73:b8:30:f0:d5:
                2c:3a:f1:0f:ed:09:46:2f:83:1c:5f:74:42:b1:be:
                15:c2:4d:b8:d4:c1:97:1b:38:5f:47:07:d2:73:2a:
                35:60:54:1b:57:83:e7:3e:26:95:b3:8d:f0:62:d5:
                bf:94:3e:e5:4b:11:6f:f8:1c:a3:a1:15:6b:6c:ca:
                72:d1:0a:92:0c:34:51:33:27:6a:e2:5c:d6:25:52:
                55:d8:8c:a2:79:47:ed:c1:9d:33:e9:03:78:de:f3:
                d7:01:b9:9d:69:81:e0:67:5c:c6:9f:34:a7:60:db:
                8a:6f:5e:25:14:a6:c4:cf:c4:ad:fb:07:db:6a:af:
                67:0c:18:a2:e2:16:67:36:e2:0a:23:03:81:22:6b:
                a2:5a:5b
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Subject Key Identifier:
            74:9A:49:8D:DA:48:C6:80:28:D3:48:9B:CE:57:72:91:2A:EB:03:93
        X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.18920.4.2
              CPS: https://www.ancert.com/cps

        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://www.ancert.com/crl/ANCERTCGN_V2.crl
              URI:http://www2.ancert.com/crl/ANCERTCGN_V2.crl
              URI:http://www3.ancert.com/crl/ANCERTCGN_V2.crl

        X509v3 Subject Alternative Name:
            email:pki.explotacion@ancert.com
        X509v3 Authority Key Identifier:
            keyid:05:6E:E1:A1:9A:EE:07:AF:CE:F5:B4:D3:65:3D:04:50:E2:D0:9B:44

Signature Algorithm: sha1WithRSAEncryption
     95:80:48:d6:21:16:5a:5a:e9:ae:a5:cc:b2:52:0f:93:39:fa:
     f3:66:6b:e1:5b:44:72:48:f3:91:3a:f7:04:15:09:90:70:6f:
     1c:b1:40:a7:0f:4d:e2:6b:fd:f1:cd:77:e9:4c:d7:4f:92:bf:
     b2:84:24:c5:ed:b0:8e:0a:86:fb:b5:c0:f1:b1:29:2a:04:73:
     b5:9c:9a:4d:5a:1f:fd:c1:5e:49:e7:74:36:2e:1e:c1:b4:e5:
     ba:a7:0a:92:cf:aa:e8:43:73:ff:49:e9:6c:61:00:f0:59:da:
     7c:48:5e:70:da:99:e5:b5:9d:7e:51:d1:9e:26:7e:f6:f4:70:
     cb:f7:b8:31:fb:2b:ab:cf:2d:f4:f0:05:c9:15:18:9d:e2:24:
     fc:08:c0:1d:07:4d:6b:9e:d0:ed:13:22:40:0a:de:f2:6c:61:
     4b:b1:5f:d7:6b:09:95:dc:43:46:c4:23:20:08:1f:26:4c:dc:
     37:fe:66:4b:cb:bc:ed:c9:94:7a:1b:bb:b3:cb:34:d6:72:70:
     22:e8:4b:9d:d5:a1:32:60:b5:67:64:a5:8c:2e:22:75:8e:dc:
     c4:1a:dc:2e:33:9e:06:ce:5e:b4:c5:18:c3:65:4e:0c:c7:7f:
     52:19:0a:8b:b3:e7:b9:1a:3c:51:46:68:af:f5:a4:87:9b:00:
     fe:16:26:19:f1:5e:f5:19:d4:f9:00:c3:6e:9f:f8:21:ad:23:
     66:1d:79:32:da:9f:09:a7:05:7b:90:df:7d:03:f6:8f:0f:0c:
     31:f5:b7:2b:84:65:8b:f0:f0:18:9f:90:03:a3:fb:5e:82:d1:
     d3:86:00:f8:33:cd:7c:50:9a:07:b3:06:e0:ec:0d:a1:98:54:
     00:75:e6:17:9f:fa:ad:a3:1a:67:42:00:cd:5f:ab:f5:a6:8f:
     1b:1f:c8:bd:f7:21:c8:0b:b3:cc:09:3f:eb:c8:30:86:c5:26:
     fc:af:28:b3:f4:d9:7a:7b:91:ef:c4:11:60:f3:4d:44:fe:da:
     90:e8:42:5d:c5:52:77:74:16:e6:eb:ee:2c:bd:c0:7b:b1:a3:
     96:68:c4:46:81:2a:4d:08:b2:4d:1a:d1:aa:37:cc:61:11:bb:
     60:1a:e2:5b:bb:88:5d:07:6d:18:25:9a:ec:c6:8a:be:17:c3:
     4d:5c:34:cc:7f:82:20:4c:58:c8:af:80:cf:0c:03:e3:57:0c:
     94:ce:06:33:9d:37:fe:4c:a0:5e:85:32:ca:7e:67:4d:1c:95:
     2f:d1:b4:b6:cd:18:3d:cc:ad:33:a0:0f:02:e7:8a:4e:51:24:
     65:9b:fd:58:02:3c:c9:15:46:9c:f3:e7:55:ef:c4:78:37:0d:
     3d:52:20:7e:03:5d:ff:11

We cannot read crt file with this command. It will say:

unable to load certificate
4294956672:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

By this way, we get only certificate info, and no private key info is exported. And it works only with trusted entries. Normally, we use:

keytool -importkeystore -srckeystore foo.jks \
   -destkeystore foo.p12 \
   -srcstoretype jks \
   -deststoretype pkcs12

openssl pkcs12 -in foo.p12 -out foo.pem

This does not work with trusted entries, is a limitation of PKCS 12 format.

See this question for more info:

https://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format

V. Connect to site with openssl

We have:

openssl s_client -connect redp.seg-social.es:443 -cert ancert.pem

This pem file must contain private key info.

When we connect, we can see the certificate chain:

---
Certificate chain
 0 s:/C=ES/L=MADRID/O=GERENCIA DE INFORMATICA DE LA SEGURIDAD SOCIAL/OU=GERENCIA DE INFORMATICA DE LA SEGURIDAD SOCIAL/serialNumber=Q2827003A/CN=*.seg-social.es
   i:/C=ES/O=FNMT-RCM/OU=AC Componentes Inform\xC3\xA1ticos
 1 s:/C=ES/O=FNMT-RCM/OU=AC Componentes Inform\xC3\xA1ticos
   i:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
 2 s:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
   i:/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
---
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注