Java keytool easy way to add server cert from url/port (for Windows)



























I want to import a CA certificate into a Java keystore.
I found this answer with some Unix commands.



I understand that keytool works in Windows the same way as in Linux, doesn't it?



But what about openssl?



I installed openssl in Windows, then ran it and it works normally. But how can I replace the code below?



</dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert


Or can I replace openssl with something else?










      windows openssl keytool
















      asked Nov 19 '18 at 14:29









      Daria Pydorenko

























          1 Answer














          Probably the easiest way is to use KeyStore Explorer. Just use the "Examine SSL" feature and then click on "Import".



          Alternatively you can replace </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert with manual steps. If you execute



          openssl s_client -connect www.google.com:443


          it will output something like this:



          depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
          verify return:1
          depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
          verify return:1
          depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
          verify return:1
          ---
          Certificate chain
          0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
          i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
          1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
          i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
          ---
          Server certificate
          -----BEGIN CERTIFICATE-----
          MIIEgjCCA2qgAwIBAgIIZ20sUt50wGgwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
          BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
          ...
          htkxJVFaLUXScpkNQagWzehkj9BGdV4oztKMgTU8hcZEsiDKF0aZmaMfAXAF6u0r
          0n9sKu3Ap0uSR0+G4PVDcJkJzw2UiUsu8IkkHy3HjKt4zCCrATjZ4FPgtFHSWv8d
          ZmUdWJhgJ30s/EvOKn1uQ6QlPWaCJKc9W6JaJQTX6PjPDMs0sK90ss9vCIJ0dDw5
          ud+EC4cT
          -----END CERTIFICATE-----
          subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
          issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
          ---
          No client certificate CA names sent


          Mark the lines starting with -----BEGIN CERTIFICATE----- up to -----END CERTIFICATE----- and copy them into a text editor. Save it as [host].crt. Then execute the keytool command.



          If you want to automate these steps in a script, you'll have to install Cygwin or one of the suggestions in this answer here.






                answered Nov 19 '18 at 22:04









                Omikron
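
A PowerShell equivalent of the `</dev/null | sed ...` step discussed above, added here as an example and not part of the original question or answer. It assumes `openssl` and `keytool` are on the PATH; the function name `Get-FirstPemCertificate` and the keystore path are placeholders. It also prints the SHA-256 fingerprint so the certificate can be checked before it is trusted.

```powershell
# Added example, not from the original answer.
# Assumptions: openssl.exe and keytool.exe are on PATH; $KeyStore is a placeholder.
param(
    [string]$HostName = 'www.google.com',            # host used in the answer's example
    [int]$Port = 443,
    [string]$KeyStore = 'C:\path\to\truststore.jks'  # placeholder path
)

function Get-FirstPemCertificate {
    # Does the job of: sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    # and returns the first PEM block (the one printed under "Server certificate").
    param([string]$Text)
    $m = [regex]::Match($Text,
        '-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----',
        [System.Text.RegularExpressions.RegexOptions]::Singleline)
    if (-not $m.Success) { throw 'No certificate block found in s_client output.' }
    return $m.Value
}

# Piping an empty string closes stdin, which is what </dev/null does on Unix,
# so s_client exits after the handshake instead of waiting for input.
$lines = '' | & openssl s_client -connect "${HostName}:${Port}" -servername $HostName 2>$null
$pem = Get-FirstPemCertificate -Text ($lines -join "`n")

$certFile = "$HostName.crt"
Set-Content -Path $certFile -Value $pem -Encoding Ascii

# Decode the PEM body so the certificate can be inspected before it is trusted.
$b64 = $pem -replace '-----(BEGIN|END) CERTIFICATE-----', ''
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($b64))
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ':'

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $fingerprint"

# The certificate came over the same network path the keystore is meant to
# protect, so compare the fingerprint with a value obtained from the server's
# owner over a separate channel before importing it.
$answer = Read-Host 'Fingerprint verified out of band? Type yes to import'
if ($answer -eq 'yes') {
    & keytool -importcert -alias $HostName -file $certFile -keystore $KeyStore
}
```

keytool still asks for the keystore password and shows the certificate for confirmation, because the script does not pass `-noprompt`.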
































