Jack's Jots

Monday, January 26, 2009

keytool in JAVA

As part of my exploration into Java, I have had to learn how Java uses certificates. I wrote a script to help me create a signed, trusted certificate for a client program.

The keys generated are not secure:
  1. We generated the keypass and storepass in public at the command line.
  2. The same password was used for keypass and storepass, for both the certificate authority and the trusted certificate.
  3. The Certificate Authority's key should be protected.

#!/bin/bash
#
# $1 certname - base name of the keystore files that are created
# $2 password - used for both the key and store passwords (insecure, see above)
# $3 dn       - distinguished name (e.g. "cn=localhost")
#
# Create a self-signed certificate authority and issue a trusted certificate for a client
#
if (( $# != 3 )) ; then
echo "**************** Wrong Number of Arguments ***************"
echo "usage: $0 [certname] [passwd] \"[distinguished name]\""
echo
echo "$0 creates a self-signed, trusted certificate in"
echo " [certname].keystore    the trusted, self-signed certificate"
echo " [certname]_ca.keystore holds the private key"
echo
echo " [passwd] is used for both key and store passwords"
echo
echo " [distinguished name] should be enclosed in quotes(\") and"
echo " should follow usual practices. E.G. \"cn=localhost\""
exit 1
fi

# remove old certificate files
rm -f "${1}_ca.keystore" "${1}_ca.cert" "${1}.keystore"

############################################# CERTIFICATE AUTH $1_ca.keystore
# generate self-signed certificate
# (1024-bit RSA was the default in 2009; newer keytool versions warn that it is
# a security risk and 2048 bits is the usual minimum today)
keytool -noprompt -alias "${1}_ca" \
  -genkey -validity 3650 \
  -keyalg RSA -keysize 1024 \
  -storepass "$2" -keypass "$2" \
  -dname "$3" \
  -keystore "${1}_ca.keystore"

############################################# List CA Keystore $1_ca.keystore
# get basic certificate information
echo "***************** CERTIFICATE AUTHORITY LIST **********************"
keytool -list -v -storepass "$2" -noprompt -keystore "${1}_ca.keystore"

############################################# Client Keystore $1.keystore
# Create a client keystore that trusts our certificate $1.keystore
#
# export so that we can later import it as trusted $1_ca.cert
# (the export only writes the public certificate; the private key stays in $1_ca.keystore)
keytool -noprompt -export -rfc -alias "${1}_ca" \
  -storepass "$2" -keypass "$2" \
  -keystore "${1}_ca.keystore" \
  -file "${1}_ca.cert"

# create trusted certificate for use by a client program in $1 store
keytool -import -noprompt -alias "${1}_ca" \
  -trustcacerts -file "${1}_ca.cert" \
  -keystore "${1}.keystore" \
  -keypass "$2" -storepass "$2"

############################################# List Client Keystore $1.keystore
# get basic certificate information
echo "***************** TRUSTED CERTIFICATE **********************"
keytool -list -v -storepass "$2" -noprompt -keystore "${1}.keystore"

echo "Passwords were provided as command arguments and may have been"
echo "viewed by others."
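To check what the script actually produced, here is an added example (my own code, not from the post) that opens one of the two keystores and reports the things the list above worries about: whether a private key is present (only the _ca store should have one), the RSA key size, whether the certificate is self-signed, and its validity. It prompts for the store password instead of taking it on the command line; the class name KeystoreCheck and the 2048-bit threshold are my assumptions.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Enumeration;

// Assumed file name KeystoreCheck.java; run as: java KeystoreCheck <certname>_ca.keystore
public class KeystoreCheck {
    static final int MIN_RSA_BITS = 2048;   // assumption: today's minimum acceptable RSA size

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal required): java KeystoreCheck <keystore>");
            System.exit(1);
        }
        // Prompt for the store password so it never shows up in ps output or shell history.
        char[] storepass = console.readPassword("keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // reads JKS and PKCS12
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storepass);
        } finally {
            Arrays.fill(storepass, '\0');   // scrub the password once the store is open
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // The CA store holds a private key; the client store should hold only the certificate.
            System.out.printf("%s: %s%n", alias, ks.isKeyEntry(alias)
                    ? "PRIVATE KEY present (this is the CA store; keep it off client machines)"
                    : "trusted certificate only");
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) cert;
            System.out.printf("  subject=%s self-signed=%b notAfter=%s%n", x.getSubjectX500Principal(),
                    x.getSubjectX500Principal().equals(x.getIssuerX500Principal()), x.getNotAfter());
            if (x.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                if (bits < MIN_RSA_BITS)
                    System.out.printf("  WARNING: %d-bit RSA key, below %d bits%n", bits, MIN_RSA_BITS);
            }
            try {
                x.checkValidity();            // expired or not-yet-valid certificates throw here
            } catch (CertificateException ex) { System.out.printf("  WARNING: %s%n", ex.getMessage()); }
        }
    }
}
```

Run it once against [certname]_ca.keystore and once against [certname].keystore: the first should report the private key and the 1024-bit warning, the second only a trusted certificate entry.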


It's A Small World

I've been watching my site to see how many countries have visited. The following picture represents visits as of 26. January 2009.

The number of visiting countries:

date             number of countries
26. Jan 2009     126
11. March 2009   132
24. March 2009   134

The current visiting countries are:

(not set)
Albania
Algeria
Andorra
Antigua and Barbuda
Argentina
Armenia
Australia
Austria
Bahrain
Bangladesh
Barbados
Belgium
Benin
Bolivia
Bosnia and Herzegovina
Brazil
Brunei
Bulgaria
Canada
Chile
China
Colombia
Costa Rica
Croatia
Cyprus
Czech Republic
Denmark
Djibouti
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Estonia
Ethiopia
Faroe Islands
Fiji
Finland
France
Gabon
Georgia
Germany
Ghana
Greece
Guatemala
Guyana
Haiti
Honduras
Hong Kong
Hungary
Iceland
India
Indonesia
Iran
Iraq
Ireland
Israel
Italy
Jamaica
Japan
Jersey
Jordan
Kenya
Kuwait
Latvia
Lebanon
Libya
Liechtenstein
Lithuania
Luxembourg
Macau SAR China
Macedonia
Malaysia
Malta
Mauritius
Mexico
Moldova
Mongolia
Montenegro
Morocco
Mozambique
Myanmar
Nepal
Netherlands
New Zealand
Nicaragua
Nigeria
Niue
Norway
Oman
Pakistan
Palestinian Territory
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Romania
Russia
Saint Kitts and Nevis
Saudi Arabia
Serbia
Serbia and Montenegro
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Sri Lanka
Swaziland
Sweden
Switzerland
Syria
Taiwan
Tajikistan
Tanzania
Thailand
Trinidad and Tobago
Tunisia
Turkey
Ukraine
United Arab Emirates
United Kingdom
United States
Venezuela
Vietnam
Yemen
Zambia
Zimbabwe


Tuesday, January 20, 2009

keytool/certificate/encryption woes with Java

I just finished spending several hours trying to figure out why I could not access the cacerts in lib/security.

The documentation was clear, but my results kept failing. To view the current certificate authorities in a Java keystore you are supposed to be able to do:

keytool -list -v -keystore $JDK_HOME/jre/lib/security/cacerts

However, I kept on being asked for a password, and "changeit" was not being accepted as documented by Sun and other sources.

Even after doing "which keytool" a few times, I still did not notice that I was not running Sun's keytool program, because I was seeing a symbolic link in /usr/bin. Finally, I noticed that the symbolic link /usr/bin/keytool pointed to /etc/alternatives/keytool!

Once I figured out that I was running the wrong version, I did an

ls -l /etc/alternatives | grep java

and removed all of the Java files plus keytool and rmiregistry.

I then removed the corresponding symbolic links in /usr/bin. Everything now works because I removed the false Java files from the earlier directories in my path.

I could have avoided the problem if I had just put the Java bin files first. In any case, I have chosen to leave them at the end of my path. I put the Java setup code for my CentOS system in /etc/profile.d/java.sh so that everyone would get the standard Java setup.

[root@anthos ~]# cat /etc/profile.d/java.sh
PATH=$PATH:/usr/local/jdk/latest/jre/bin:/usr/local/jdk/latest/bin:/usr/local/netbeans/latest/bin
export PATH
export JDK_HOME=/usr/local/jdk/latest
export JAVA_HOME=/usr/local/jdk/latest
export CLASSPATH=$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/rt.jar


It is just amazing how much time you can waste on such stupid things!
