
I am trying to secure my private docker registry using SSL encryption. According to this, I need to copy a .crt and .key to a /certs directory and it will work.

What I have now is a .csr, a .keystore, a .cer, a root CA certificate and an intermediate certificate.

I used Java Keytool to generate the .csr and the keystore, and the CA gave me the .cer, the root CA certificate and the intermediate certificate.

Now, according to the link mentioned above, I specifically need a .crt and a .key.

What I did:

  1. I imported the root certificate (root CA), the intermediate certificate and the received signed certificate (.cer) into the keystore:

    keytool -import -trustcacerts -alias rootca -file Primary.pem -keystore hostname.keystore

    keytool -import -trustcacerts -alias intermediate -file Secondary.pem -keystore hostname.keystore

    keytool -import -trustcacerts -alias hostname -file cert.cer -keystore hostname.keystore

    where Primary.pem and Secondary.pem are the root and intermediate certificates respectively, cert.cer is the received signed certificate and hostname.keystore is the keystore used.

  2. Then I tried to generate the .key and .crt from hostname.keystore by first converting it into PKCS12 as described here, but after the first step I got the following error:

    Problem importing entry for alias rootca: java.security.KeyStoreException: TrustedCertEntry not supported

    See below for the command and the error:

    keytool -importkeystore -srckeystore hostname.keystore -destkeystore hostname.p12 -deststoretype PKCS12

    Enter destination keystore password: Enter source keystore password:

    Problem importing entry for alias rootca: java.security.KeyStoreException: TrustedCertEntry not supported. Entry for alias rootca not imported. Do you want to quit the import process? [no]: no

    Problem importing entry for alias intermediate: java.security.KeyStoreException: TrustedCertEntry not supported. Entry for alias intermediate not imported. Do you want to quit the import process? [no]: no

    Existing entry alias domain exists, overwrite? [no]: yes Entry for alias domain successfully imported.

    Problem importing entry for alias hostname: java.security.KeyStoreException: TrustedCertEntry not supported. Entry for alias hostname not imported. Do you want to quit the import process? [no]: no

    Import command completed: 1 entries successfully imported, 3 entries failed or cancelled

  3. How do I solve this issue and secure the registry? Is it related to the Java version?

Platform: RHEL 4.1

Java Version: 1.7.0_75

saurg
  • (updated) First `keytool -importcert` the server (EE) cert `cert.cer` to the **same alias** that you used to generate the **keypair and the CSR** (certreq); `hostname` is apparently NOT the correct alias. It should say `Certificate reply was installed` and NOT `Certificate was added`. Second specify that alias in the `keytool -importkeystore` like `-srcalias foo`. – dave_thompson_085 Oct 18 '16 at 09:09
  • I changed the alias as you said and it said `Certificate reply was installed`, and then I checked the content of my keystore with `keytool -list -keystore hostname.keystore`. Output was `Your keystore contains 3 entries rootca, Oct 17, 2016, trustedCertEntry, intermediate, Oct 17, 2016, trustedCertEntry, hostname, Oct 18, 2016, PrivateKeyEntry`. But the error is still the same when I convert it into `PKCS12`. – saurg Oct 18 '16 at 09:47
  • Also, when I do `keytool -importcert` of `cert.cer` again using the same alias, it says `keytool error: java.lang.Exception: Certificate reply and certificate in keystore are identical`. Also, instead of three, shouldn't the keystore have four entries, one private key and three certificates (rootca, intermediate and cert.cer)? – saurg Oct 18 '16 at 09:49
  • Java 7 does not allow a trustedCert entry in a PKCS12 keystore, see http://stackoverflow.com/questions/3614239/pkcs12-java-keystore-from-ca-and-user-certificate-in-java. You can try with OpenSSL `openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt` – Federico Sierra Oct 18 '16 at 17:55
  • No, you don't need or want a trustedCertEntry for the server cert; the server cert is PART OF the PrivateKeyEntry which apparently is named `hostname` in spite of your posted log identifying that as a trustedCert. In fact rereading your log I see it says `domain` _was_ converted. Are these the actual aliases or are you redacting them for posting? If so, it looks like you've messed them up. If the PrivateKeyEntry is in fact named `hostname` then `-importkeystore ... -deststoretype pkcs12` !!WITH `-srcalias hostname`!! should work. – dave_thompson_085 Oct 19 '16 at 03:56
  • Adding for completeness: you don't really need trustedCert entries for root and intermediate either; they are _copied_ into the privatekey entry, which you can see with `-list -v`. However, that approach is a little more complicated, and you're having enough trouble with the simple method I didn't want to confuse you. – dave_thompson_085 Oct 19 '16 at 04:36
  • Yes, I imported `cert.cer` with correct alias and output of `keytool -list -keystore hostname.keystore` is `Keystore type: JKS Keystore provider: SUN Your keystore contains 3 entries rootcaca, Oct 17, 2016, trustedCertEntry, Certificate fingerprint (SHA1): intermediate, Oct 17, 2016, trustedCertEntry, Certificate fingerprint (SHA1): hostname, Oct 18, 2016, PrivateKeyEntry, Certificate fingerprint (SHA1):` – saurg Oct 19 '16 at 05:11
  • I think now it is correctly imported and should work. – saurg Oct 19 '16 at 05:14
  • @dave_thompson_085 thanks a lot!! I appreciate your help very much. It is working fine now. :) – saurg Oct 19 '16 at 06:49
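The complete pipeline discussed in the comments, as an added example that is not code from the question or its commenters: `jks_to_pkcs12` exports only the PrivateKeyEntry with `-srcalias` (dave_thompson_085's fix for the `TrustedCertEntry not supported` error on Java 7), `pkcs12_to_pem` splits the PKCS12 into the `.key` and `.crt` the registry wants, and `pair_matches` checks that the two belong together. File names, the `changeit` password and the `demo` chain are assumptions; `demo` builds the PKCS12 with openssl (Federico Sierra's alternative) so it runs without keytool.

```shell
#!/bin/sh
# Added example: Java keystore -> domain.key / domain.crt for a Docker registry.
# File names, aliases and the password below are assumptions, not the asker's.
set -eu

# Step 1 (keytool): export ONLY the PrivateKeyEntry, selected with -srcalias.
# Without it, Java 7 also tries to copy the trustedCertEntry entries (root and
# intermediate) and aborts with "TrustedCertEntry not supported".
jks_to_pkcs12() {  # usage: jks_to_pkcs12 hostname.keystore hostname.p12 <alias> <password>
    keytool -importkeystore -srckeystore "$1" -destkeystore "$2" \
        -deststoretype PKCS12 -srcalias "$3" \
        -srcstorepass "$4" -deststorepass "$4" -destkeypass "$4"
}

# Step 2 (openssl): split the PKCS12 into an unencrypted key file and a
# certificate file holding the server certificate followed by its chain.
pkcs12_to_pem() {  # usage: pkcs12_to_pem hostname.p12 <password> domain.key domain.crt
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$4"
    chmod 600 "$3"   # the key is now in clear text; keep it readable only by the owner
}

# Step 3: the key and the FIRST certificate in domain.crt must share a public key.
# Returns 0 on match, 1 otherwise (openssl x509 reads only the first PEM block).
pair_matches() {  # usage: pair_matches domain.key domain.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Self-test on a constructed chain (demo CA + server cert); the PKCS12 is built
# with openssl's -certfile so the run needs no keytool. Works in a temp dir.
demo() {
    d=$(mktemp -d) && cd "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.example.test" \
        -keyout srv.key -out srv.csr 2>/dev/null
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out srv.crt 2>/dev/null
    openssl pkcs12 -export -inkey srv.key -in srv.crt -certfile ca.crt \
        -passout pass:changeit -out hostname.p12
    pkcs12_to_pem hostname.p12 changeit domain.key domain.crt
    pair_matches domain.key domain.crt && echo "domain.key and domain.crt match"
}
```

With a real keystore, run `jks_to_pkcs12 hostname.keystore hostname.p12 hostname <password>` first, then the same `pkcs12_to_pem` and `pair_matches` steps, and copy the resulting pair into the registry's /certs directory.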
