SSL – Creating an SSL keystore for Bitbucket Server


I'm getting quite frustrated trying to set up HTTPS access to our Bitbucket server.

Following Bitbucket's documentation isn't that helpful.

So far I have executed the following commands.

Firstly, I created a certificate signing request and sent that to my certificate provider, and they have sent me a certificate.

openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

At this point I have 3 files: domain.key, domain.csr and an SSL certificate provided to me, domain.cer.

I then tried to create a keystore with the following command

keytool -genkey -alias tomcat -keyalg RSA -keystore ssl-keystore

I was prompted for a keystore password and I provided one.

I then tried to import the certificate provided to me.

keytool -import -alias tomcat -file domain.cer -keystore ssl-keystore

and got the following error.

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

I'm a complete SSL newbie and am relying on following website instructions, and am at a loss now what to do.

Best Answer

Assuming you have the 2 files below, domain.key and domain.cer (private key and signed certificate), you can change the format to PKCS12 like this:

openssl pkcs12 -export -in domain.cer -inkey domain.key -name domain -out domain.p12

and then import it into a JKS with

keytool -importkeystore -deststorepass changeme1 -destkeystore domain.jks -srcstorepass changeme2 -srckeystore domain.p12 -srcstoretype pkcs12

where changeme1 is the new keystore password and changeme2 is the password specified during the export (first step).

Now you can use domain.jks.
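The keytool error in the question appears because `keytool -genkey` creates a second, unrelated key pair under the alias, so the certificate issued for domain.key cannot match it. The script below is an added example, not part of the original post: it checks that domain.cer really belongs to domain.key (accepting a PEM or DER encoded .cer) before running the two conversion commands from the answer, and passes the passwords through environment variables instead of the command line. The function names and the variables P12_PASS and JKS_PASS are hypothetical.

```shell
# Added example (not from the original post). Assumes openssl and keytool are on
# PATH, an unencrypted key as produced by `openssl req -nodes`, and that
# P12_PASS and JKS_PASS are exported environment variables (hypothetical names).

# Print the certificate as PEM whether the .cer file is PEM or DER encoded.
cert_to_pem() {
  openssl x509 -in "$1" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" 2>/dev/null
}

# Public key (SubjectPublicKeyInfo, PEM) of the private key / of the certificate.
spki_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
spki_of_cert() { cert_to_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null; }

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
  k=$(spki_of_key "$2") || return 2
  c=$(spki_of_cert "$1") || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build a JKS from cert + key, refusing a mismatched pair up front.
build_keystore() (  # usage: build_keystore CERT KEY OUT.jks
  cert=$1; key=$2; jks=$3; p12="${jks%.jks}.p12"
  cert_matches_key "$cert" "$key" || {
    echo "certificate does not match private key: $key" >&2; exit 1; }
  umask 077                      # the .p12 and .jks hold the private key
  pem=$(mktemp) || exit 1
  trap 'rm -f "$pem"' EXIT
  cert_to_pem "$cert" > "$pem"
  openssl pkcs12 -export -in "$pem" -inkey "$key" -name domain \
    -out "$p12" -passout env:P12_PASS || exit 1
  keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 \
    -srcstorepass:env P12_PASS -destkeystore "$jks" -deststorepass:env JKS_PASS
)
```

Call it as `build_keystore domain.cer domain.key domain.jks` after exporting the two password variables; delete the intermediate domain.p12 once the JKS is in place.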