Help - WebSphere MQ
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10600_.htmIllustrates a certification path from the certificate owner to the root CA, where the chain of trust begins
Intel(R) AMT SDK Implementation and Reference Guide
http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fcertificatechainsforhostbasedconfiguration.htmCertificate chains may be included with a public key by simply including the rfc blocks in pem format. Their inclusion order is important, though. Consider using cat so that no extra whitespace gets introduced.
-----BEGIN CERTIFICATE----- Body of the leaf certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Body of the first intermediate certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Body of the second intermediate certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Body of the root certificate -----END CERTIFICATE-----
OpenSSL - User - check certificate chain in a pem file
http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.htmlIt is highly recommended that you convert to and from .pfx files on your own machine using OpenSSL so you can keep the private key there. Use the following OpenSSL commands to convert SSL certificate to different formats on your own machine:
#Convert PEM to P7B openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer #see html reference for more
check certificate chain in a pem file
https://www.sslshopper.com/ssl-converter.htmlConcatenate all the previous certificates and the root certificate to one temporary file (This example is for when you are checking the third certifate from the bottom, having already checked cert1.pem and cert2.pem
Thus for the first round through the commands would be Unix: cat root.pem > root-chain.pem Windows: copy /A root.pem root-chain.pem Both: openssl verify -CAfile root-chain.pem cert1.pem And the second round would be Unix: cat cert1.pem root.pem > cert1-chain.pem Windows: copy /A cert1.pem+root.pem cert1-chain.pem Both: openssl verify -CAfile cert1-chain.pem cert2.pem Etc.
"keytool -export/import" - Exporting and Importing Certificates
http://www.herongyang.com/JDK/keytool-export-import-Certificates.html- The "-export" command option exports the self-signed certificate of my public key into a file, my_home.crt.
- The "-printcert" command option prints out summary information of a certificate stored in a file in X.509 format. As you can see from the print out, I am the issuer and the owner of this certificate.
- The "-import" command option imports the certificate from the certificate file back into the keystore under different alias, my_home_crt.
TechStump.com: How to Rearrange a Certificate Chain using OpenSSL
http://www.techstump.com/2012/10/how-to-rearrange-certificate-chain.html..you do need to know the correct certificate order. The first two are easy, the key should be first and the Server Certificate should be second. Generally the third certificate will be an intermediate and the last will be a root. If you look at each section, you’ll see a -------Begin Certificate------ and -------End Certificate------ section preceded by a header. In the header you’ll see what certificate is what.
keytool-Key and Certificate Management Tool
http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html
-importcert {-alias alias} {-file cert_file} [-keypass keypass] {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg</pre>
{-v} {-protected} {-Jjavaoption}
Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or certificate chain is read from stdin.
.. keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with "-----BEGIN", and bounded at the end by a string that starts with "-----END".
Option defaults for keytool
-storetype the value of the "keystore.type" property in the security properties file,
which is returned by the static getDefaultType method in
java.security.KeyStore
Help - IBM SDK and Runtime Environment Java Technology Edition Version 6
http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2FkeytoolDocs%2Fsupportedkeystoretypes.htmlSupported Key Store Types
- JKS
- JCEKS . This keystore implementation employs a much stronger protection of private keys (using password-based encryption with Triple DES) than JKS. You can upgrade your keystore of type "JKS" to type "JCEKS" by changing the password of a private-key entry in your keystore.
- PKCS12. There is a difference between PKCS12 type keystore created on the keytool provided in the IBM JVM and the keytool provided in an Oracle JVM. The keytool in an IBM JVM uses a PKCS12 keystore to store both key entries and certificate entries.The keytool in an Oracle JVM uses a PKCS12 keystore to store key entries. The keytool program in IBM's JVM can read the keystore created by the keytool program provided by an Oracle JVM, but not the other way around.
- PKCS12S2. This is a second version of PKCS12 type keystore. It can be read by the keytool program in an Oracle JVM.
- JCERACFKS. This is a RACF® keyring keystore. This type is available only on z/OS® systems with RACF installed.
OpenSSL: Documents, pkcs7(1)
http://www.openssl.org/docs/apps/pkcs7.htmlA different way to package a keystore. Like JKS, only different format.
Creating a PKCS7 (P7B) Using OpenSSL
https://langui.sh/2009/03/20/creating-a-pkcs7-p7b-using-openssl/This example assumes that you have 2 different certificate files, each in PEM (Base64) format. You can add as many -certfile elements as you want to package in the file. Additionally, concatenated certificate chains are supported.
openssl crl2pkcs7 -nocrl -certfile cert1.cer -certfile cert2.cer -out outfile.p7b
OpenSSL: Documents, verify(1)
http://www.openssl.org/docs/apps/verify.htmlThe verify command verifies certificate chains.
No comments:
Post a Comment