
Short Question

I have a working crt file imported into the Tomcat keystore, and I need a certificate file and a private key file in PEM to upload to AWS CloudFront.

Long Question

Our SSL cert was issued by GoDaddy to be used with Tomcat, hence I have the following files:

  • mydomain.crt
  • gd_intermediate.crt
  • gd_bundle.crt
  • mydomain.csr
  • tomcat.keystore

The Tomcat keystore works fine when configured properly. However, the cert is a wildcard cert and we also need to upload it to AWS to be used in CloudFront. The AWS CLI upload method needs a PEM cert file. I have tried converting this to PEM using openssl. However, my first problem is a JDK error in converting the cert. Secondly, whatever part I am able to convert was not verified by openssl.

What I have in my keystore

    $ keytool -list -keystore tomcat.keystore
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 3 entries

    mydomain, Oct 24, 2013, PrivateKeyEntry,
    Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    root, Oct 24, 2013, trustedCertEntry,
    Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    intermed, Oct 24, 2013, trustedCertEntry,
    Certificate fingerprint (MD5): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Converting keystore to pem

    $ keytool -importkeystore -srckeystore tomcat.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias mydomain successfully imported.
    Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported.
    Entry for alias root not imported.
    Do you want to quit the import process? [no]:  no
    Problem importing entry for alias intermed: java.security.KeyStoreException: TrustedCertEntry not supported.
    Entry for alias intermed not imported.
    Do you want to quit the import process? [no]:  no
    Import command completed:  1 entries successfully imported, 2 entries failed or cancelled

    $ openssl pkcs12 -in intermediate.p12 -out mydomain.pem -nodes
    Enter Import Password:
    MAC verified OK

    $ openssl verify mydomain.pem
    mydomain.pem: OU = Domain Control Validated, CN = *.mydomain.com
    error 20 at 0 depth lookup:unable to get local issuer certificate

It looks like I first need to get past the JDK error.

    java -version
    java version "1.6.0_24"
    OpenJDK Runtime Environment (IcedTea6 1.11.11.90) (amazon-62.1.11.11.90.55.amzn1-x86_64)
    OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

  • That verify error is almost certainly not a problem. You aren't giving it the intermediate or root certificates to verify with, and your system probably just doesn't have them installed already. openssl verify is a complicated command to use correctly, but the pem file itself is valid or openssl would have screamed at you about encoding issues. – Etan Reisner Nov 01 '13 at 16:16
  • What format are the original crt files in? They are probably already pem files. If they are text with lines that look like `-----BEGIN ...-----` in them, then they are already pem-formatted files. – Etan Reisner Nov 01 '13 at 16:17
  • Thanks - I got confirmation that crt files are pem files, but this does not help so far ... `$ aws iam upload-server-certificate --server-certificate-name MyDomainWildCardCert --certificate-body file://mydomain.crt --private-key file://mydomain_private_key.pem` `A client error (MalformedCertificate) occurred: Invalid Private Key.` – user192788 Nov 01 '13 at 17:25
  • What does `openssl rsa -noout -check -in mydomain_private_key.pem` return? Does the key have a passphrase? – Etan Reisner Nov 01 '13 at 17:48
  • It returns: `openssl rsa -noout -check -in mydomain_private_key.pem` `RSA key ok` – user192788 Nov 01 '13 at 19:55
  • Then that file should be fine if you didn't need to supply a passphrase for that openssl command to work. That certificate and key may not match, I suppose. Or the problem may have been with the certificate, since the error said `MalformedCertificate`. You'll have to check the other pieces and possibly consult the aws docs. – Etan Reisner Nov 01 '13 at 19:58
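
The steps discussed in the question and comments, as an added POSIX shell example that is not part of the question or of any comment: it splits a PKCS12 file into a clean PEM key, leaf certificate and CA chain, checks that the key belongs to the certificate (the mismatch Etan raises), and runs `openssl verify` with the issuer bundle so the "unable to get local issuer certificate" error does not occur. It assumes the PKCS12 was exported from the JKS with `-srcalias mydomain`, which exports only the PrivateKeyEntry and so skips the trustedCertEntry entries the JDK refuses to convert; file names and the password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. It assumes the
# PKCS12 file was exported from the JKS with only the PrivateKeyEntry, which
# avoids the "TrustedCertEntry not supported" errors shown in the question:
#   keytool -importkeystore -srckeystore tomcat.keystore -srcalias mydomain \
#       -destkeystore mydomain.p12 -deststoretype PKCS12
# File names and the password are placeholders. On OpenSSL 3, a PKCS12 written
# by an old JDK may additionally need the `-legacy` option of `openssl pkcs12`.

# Split a PKCS12 file into a PEM private key, leaf certificate and CA chain.
# Re-encoding through `openssl pkey` / `openssl x509` leaves only the PEM
# blocks, dropping the "Bag Attributes" header lines `openssl pkcs12` prints.
# Usage: extract_pem_from_p12 <file.p12> <password> <output-prefix>
extract_pem_from_p12() {
    p12=$1; pass=$2; prefix=$3
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
        openssl pkey -out "$prefix.key.pem" || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$prefix.crt.pem" || return 1
    # The chain may hold several certificates, so keep every PEM block.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null |
        awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/' \
        > "$prefix.chain.pem"
}

# One explanation for an "Invalid Private Key" upload error is a key that does
# not belong to the certificate: compare the public key inside the certificate
# with the public key derived from the private key.
# Usage: key_matches_cert <cert.pem> <key.pem>
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Without -CAfile, `openssl verify` only consults the system trust store, which
# is why the question got "unable to get local issuer certificate". Hand it the
# issuer bundle (gd_bundle.crt for the GoDaddy certificate) explicitly.
# Usage: verify_with_bundle <cert.pem> <bundle.pem>
verify_with_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

With the three files written by `extract_pem_from_p12`, the `.crt.pem` and `.key.pem` are the certificate body and private key for the AWS upload, and `.chain.pem` is the bundle to verify against.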
