
I have an application (Cognos) which delivers web pages through two mechanisms: via IIS, and via a Java application. We need to enable SSL for both of these. IIS has been done. We are working on the Java applet now.

The IIS cert was generated by creating a cert request in IIS and sending that to the CA. They returned a certificate which we installed into IIS, and that's fine - we can access these pages in the browser using HTTPS.

I tried importing this same certificate into the Java application's certificate store. However, I received application-specific errors.

This was done using the application's special command line tool.

But basically it looks like it's trying to replace the existing unsigned certificate under the alias encryption with a signed certificate.

Here's the page that shows the process using the provided GUI tool:

http://www-01.ibm.com/support/docview.wss?uid=swg22004239

My problem is that the certificate has already been returned from the CA and I did not generate a request in this tool.

I have a valid certificate, but I can't follow these instructions because they assume the request was generated from this keystore.

Going through the process, it seems like we need to generate a CSR from the Cognos certificate store, send that to the CA and get another certificate for the same host, but different originating CSR.

This would mean we have two certificates for the same host, which doesn't make sense to me.

Primarily:

  1. Is it OK to have two or more active certificates for the same host?
  2. If I have a certificate generated from a CSR from keystore A, is there any way I can import and use it in keystore B on the same server? Do I need anything from the original request to do this?

EDIT:

As I continue to research this I realise that when the request is generated it saves a private key in the keystore. So I think the problem isn't really that I have two keystores; the problem is that I don't know how to reuse the private key from the original keystore in the second keystore.

Nick.McDermaid

3 Answers


A CA can approve a request for multiple client accesses or a single certificate for each domain on a single host (demonstrates how to assign each using virtual hosts)

To answer your second question, see this response to another similar question with how to export and import certificates.

Ian
  • Thanks for your answer. I _think_ your first two links are for different hostnames, same IP, same certificate, which is not my issue right now - please correct me if I'm wrong. With regards to your second link. It appears the certificates can be imported into keystores without requiring an initial CSR beforehand. – Nick.McDermaid Nov 29 '17 at 23:40

You will need to export both the key and certificate from IIS. You should be able to export this into a PKCS7 file. Use keytool to import this into your java keystore. (It is also possible to use the PKCS7 file if you wish.)

If IIS is delivering the applet, you don't need a server certificate for the applet. If you are using a different server to deliver the applet you will need to import the key into that server.

I expect your issue is with signing the applet. Your key may not be flagged as usable for code signing. Use a tool like keytool or a browser to display the flags on the certificate. It is possible to have a certificate that is useful for both a server and code signing.

EDIT: It appears you have a certificate that is good for both signing code. (You should sign your applet.) And it also appears to be valid for encryption (HTTPS). If you wish to use it for HTTPS, it should have a Subject Alternate Name for every domain you wish to use it with. This will allow validation that the certificate is for the domain.

Normally, you would not use an applet as a server. It may open connections to the server from which it was loaded to look for additional classes. It could also be opening additional connections to other servers. Modern browsers will want you to specify the access the applet needs so that the user can verify whether or not to grant them.

BillThor
  • Thanks for your comments. When I use `keytool` I get "Invalid keystore format". So in my journey of discovery it seems like the keystore I'm using is a special vendor one (IBM) that doesn't work with normal Java tools >: Sorry that wasn't clear to me at the start. – Nick.McDermaid Nov 30 '17 at 02:10
  • Browsing the cert in windows; it has _key usage = Digital Signature, Key Encipherment (a0)_. However the purpose of this is purely for HTTPS, not for signing code (Sorry if I didn't make this clear). This is a bit of a journey of discovery for me at this point. As I understand it, the applet picks up the key from the keystore and uses it to serve HTTPS – Nick.McDermaid Nov 30 '17 at 02:14
  • I apologise for not giving the full story (and for my bad java terminology) - I said it was an applet but it's not. It's a java program that runs inside a JRE that we connect to from a browser. (It's Cognos). – Nick.McDermaid Nov 30 '17 at 02:47
  • Cognos has a certificate store that apparently can't be used with Keytool. But it does store certificates (I can export existing certificates from it using the client tool they provide). My confusion is: if a certificate was generated with a request from a different keystore (the Windows one), should I be able to import and use this certificate in a different keystore? It seems like the original request generates a key and that key needs to be used when using the subsequent certificate. – Nick.McDermaid Nov 30 '17 at 02:49
  • I've updated the original question with a bit more info that I should've had in the first place. – Nick.McDermaid Nov 30 '17 at 03:50
  • PKCS7 cannot contain (private)key; it can contain multiple certs and p7b or p7c is often used for a cert chain. PKCS12, called PFX by Microsoft, is the format that contains privatekey _and_ cert/chain -- which is indeed what SSL/TLS server needs. – dave_thompson_085 Nov 30 '17 at 07:00
  • OK I think it's slowly coming together. I've already found that I can export the PFX file from IIS but I couldn't work out how to import it into my keystore. I've since found that `keytool` does work against it. So let me pursue that avenue. – Nick.McDermaid Nov 30 '17 at 07:46
```shell
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 \
  -destkeystore clientcert.jks -deststoretype JKS
```

This should import your pfx to the keystore. It was what I used the last time I had to import a pfx.

BANJOSA
  • Thanks. I need to import it against a specific alias. I tried this: `keytool -importkeystore -srckeystore "C:\Cognos\SSL Certificate\FromIIS.pfx" -destkeystore "C:\Program Files\IBM\Cognos\TM1_64\configuration\certs\CAMKeystore" -srcstoretype pkcs12 -deststoretype PKCS12 -srcstorepass zzz -deststorepass NoPassWordSet -alias encryption` and I got _keytool error: java.lang.Exception: Alias does not exist_ – Nick.McDermaid Nov 30 '17 at 10:22
  • Can you try to use -destalias to define the alias of the certificate that you are importing please? – BANJOSA Nov 30 '17 at 10:43
  • I actually tried that first but I got `keytool error: java.lang.Exception: if -alias not specified, -destalias, -srckeypass, and -destkeypass must not be specified` – Nick.McDermaid Nov 30 '17 at 11:03
  • I have edited my original question with some links which might make it clearer. – Nick.McDermaid Nov 30 '17 at 11:13