Retrieve Certificates and Generate a JKS (Java KeyStore)

In the example below we download the certificate presented by an Amazon MQ broker. In most cases you do not need to do this: recent Java releases ship the Amazon Trust Services root CAs in the default trust store (cacerts), so updating to a current Java runtime is enough to validate Amazon endpoints.

The following example shows how to do it when it is needed, for instance on a runtime whose cacerts is out of date, or when an endpoint is issued by a CA that is not in the default store.

Requirements:

  • Download Certificate from a Website/Service
  • Create a P12 Certificate
  • Convert the P12 trust store into a JKS trust store.

Amazon MQ Broker DNS: https://b-8c0d3f9e-5d8a-4962-a82d-2e46e87a9a63-1.mq.us-east-1.amazonaws.com:8162

Use openssl s_client to connect to the service and capture the certificate it presents into a .pem file. Note that without -showcerts s_client prints only the server's own (leaf) certificate, and that is what the sed filter below keeps: a wildcard certificate which, as the keytool output further down shows, expires in October 2021. A trust store built from the leaf alone stops working the day the certificate is rotated; if you really need a custom trust store, capture the whole chain with -showcerts and import the issuing CA (here Amazon Root CA 1, visible at depth=2 below) instead. Add -servername with the host name if the endpoint sits behind a load balancer that serves several hosts, so that SNI selects the right certificate.

OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) protocol. The protocol implementation is based on a full-strength general purpose cryptographic library, which can also be used stand-alone.

OpenSSL is descended from the SSLeay library developed by Eric A. Young and Tim J. Hudson.

https://github.com/openssl/openssl
ezsusmu@SE-00018098 ~
$ openssl s_client -connect b-8c0d3f9e-5d8a-4962-a82d-2e46e87a9a63-1.mq.us-east-1.amazonaws.com:8162 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > aws-certificates.pem
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.mq.us-east-1.amazonaws.com
verify return:1
DONE


If you open aws-certificates.pem, you should see a single certificate between BEGIN CERTIFICATE and END CERTIFICATE lines. The depth=... / verify return:1 lines above are printed by s_client on stderr and show that OpenSSL validated the chain (leaf, Amazon Server CA 1B, Amazon Root CA 1) against its own CA bundle. If you see verify error lines instead, do not go on to trust the file.

Next, import the PEM file (aws-certificates.pem) into a PKCS12 trust store (.p12) using keytool.

Keytool manages a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.

https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

Check whether keytool is on your PATH; if it is not, add the JDK's bin directory to it or call keytool by its absolute path. (where is the Windows lookup command; on Linux and macOS use which keytool or command -v keytool.)

ezsusmu@SE-00018098 ~
$ where keytool
C:\Program Files\Java\jdk1.8.0_201\bin\keytool.exe

Using keytool -import (an alias for -importcert), we import the aws-certificates.pem generated earlier into a keystore called truststore.p12. The keystore type will be PKCS12 and the password for this keystore will be changeit. Before answering yes at the prompt, check that the printed SHA256 fingerprint matches the certificate you captured (openssl x509 -in aws-certificates.pem -noout -fingerprint -sha256 prints it in the same format) and that the s_client step validated the chain. Give the entry a meaningful name with -alias; without it keytool uses the alias mykey, which is what the conversion step later reports. Passing -storepass on the command line leaves the password in your shell history; omit it and let keytool prompt if that matters in your environment.

ezsusmu@SE-00018098 ~
$ keytool -import -file aws-certificates.pem -keystore truststore.p12 -storetype PKCS12 -storepass changeit

Owner: CN=*.mq.us-east-1.amazonaws.com
Issuer: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
Serial number: e016779c8d26d8a85401f7edecac5da
Valid from: Sat Sep 26 02:00:00 CEST 2020 until: Thu Oct 28 02:00:00 CEST 2021
Certificate fingerprints:
         MD5:  6A:0D:0D:78:BE:AD:26:BD:E6:09:89:0A:BB:76:F8:EA
         SHA1: 4F:75:27:A0:9B:E2:23:85:5E:B0:63:DA:40:73:51:D8:0E:7B:70:2E
         SHA256: C5:E0:A9:A6:FD:C2:A1:0C:47:4A:3F:42:D3:20:7C:E3:C8:8C:A1:12:7C:FE:8A:B5:98:9E:BE:12:67:9B:80:3C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
0000: 04 81 F1 00 EF 00 76 00   F6 5C 94 2F D1 77 30 22  ......v..\./.w0"
0010: 14 54 18 08 30 94 56 8E   E3 4D 13 19 33 BF DF 0C  .T..0.V..M..3...
0020: 2F 20 0B CC 4E F1 64 E3   00 00 01 74 CA 71 51 9F  / ..N.d....t.qQ.
0030: 00 00 04 03 00 47 30 45   02 21 00 FB BE 27 95 60  .....G0E.!...'.`
0040: 20 EA 02 63 E3 F7 01 D0   01 12 51 1A 33 50 75 08   ..c......Q.3Pu.
0050: FF 91 18 2B C6 8B 06 10   0B FE 43 02 20 30 21 49  ...+......C. 0!I
0060: 2E 88 91 90 B7 01 FC 5B   51 FD B8 C3 42 7B 61 08  .......[Q...B.a.
0070: 22 85 19 D1 0F 03 BB B8   B9 75 25 F6 18 00 75 00  "........u%...u.
0080: 5C DC 43 92 FE E6 AB 45   44 B1 5E 9A D4 56 E6 10  \.C....ED.^..V..
0090: 37 FB D5 FA 47 DC A1 73   94 B2 5E E6 F6 C7 0E CA  7...G..s..^.....
00A0: 00 00 01 74 CA 71 51 F9   00 00 04 03 00 46 30 44  ...t.qQ......F0D
00B0: 02 20 2C 9F 1D 0D 94 69   79 C7 0F 91 74 18 A7 E3  . ,....iy...t...
00C0: B7 E9 7E 76 6A 9C 9C 4B   10 6C 16 97 B4 AF 46 08  ...vj..K.l....F.
00D0: BD 3A 02 20 67 29 06 0E   7D 43 C6 0A 67 A2 C4 E9  .:. g)...C..g...
00E0: 01 55 6D 0A E4 A5 42 3A   89 9D 62 36 C0 30 4B 64  .Um...B:..b6.0Kd
00F0: 75 27 C2 D6                                        u'..


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.sca1b.amazontrust.com
,
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.sca1b.amazontrust.com/sca1b.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 59 A4 66 06 52 A0 7B 95   92 3C A3 94 07 27 96 74  Y.f.R....<...'.t
0010: 5B F9 3D D0                                        [.=.
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.sca1b.amazontrust.com/sca1b.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.2]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.mq.us-east-1.amazonaws.com
]

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1F 95 08 53 53 59 04 E2   1C D7 A6 9C 06 C0 F2 07  ...SSY..........
0010: EA 82 D5 ED                                        ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore



To convert to JKS, use keytool -importkeystore with -srckeystore (your source truststore.p12) and -destkeystore (the file you want to generate). JKS is Oracle's proprietary keystore format; since Java 9 the default keystore type is PKCS12, and Java 8 can read a PKCS12 trust store as well, so this conversion is only needed for tooling that insists on JKS.

keytool will prompt for the source keystore password, which was changeit (pass -srcstorepass changeit to avoid the prompt).

ezsusmu@SE-00018098 ~
$ keytool -importkeystore -srckeystore truststore.p12 -srcstoretype pkcs12 -destkeystore truststore.jks -deststoretype jks -deststorepass changeit
Importing keystore truststore.p12 to truststore.jks...
Enter source keystore password:
Entry for alias mykey successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

The generated trust store can be used by your application wherever it must validate this endpoint with a custom trust store: for example by starting the JVM with -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=changeit, or by loading the file into a TrustManagerFactory to build a custom SSLContext. Be aware that setting javax.net.ssl.trustStore replaces the default cacerts entirely, so every other TLS endpoint the application talks to must also be trusted through this store.
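The whole procedure above as an added, end-to-end script; this is example code written for this page, not code from the original post or from Amazon. It captures the full chain with -showcerts rather than the leaf alone, splits the bundle, fingerprints each certificate, verifies that the leaf chains to the CAs, imports the chain into a PKCS12 trust store (CAs first) and optionally converts it to JKS. The function names are my own; the broker host name is the one from the post; the CA and server certificate it uses when run offline are generated on the fly and are constructed samples, not real certificates. It assumes openssl on the PATH, and keytool only for the two keytool steps.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a Java trust store
# from the whole chain a TLS endpoint presents (leaf plus issuing CAs) rather than
# from the leaf alone, and can be exercised offline against a constructed chain.
# Assumes: openssl on PATH; keytool only for build_truststore/to_jks. The broker
# host is the one from the post; fetch_chain is the only function using the network.
set -eu

BROKER=b-8c0d3f9e-5d8a-4962-a82d-2e46e87a9a63-1.mq.us-east-1.amazonaws.com
PORT=8162

# Save every certificate the server sends (-showcerts), leaf first.
# -servername sends SNI so a shared endpoint returns the certificate for this host.
fetch_chain() {  # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

# Split a PEM bundle into prefix-1.pem, prefix-2.pem, ... and print how many there were.
split_pem() {  # bundle prefix
    awk -v p="$2" '
        /-BEGIN CERTIFICATE-/ { n++; f = p "-" n ".pem"; inside = 1 }
        inside { print > f }
        /-END CERTIFICATE-/ { close(f); inside = 0 }
        END { print n + 0 }' "$1"
}

# SHA-256 fingerprint (AA:BB:...), to compare with a value obtained out of band
# before trusting a certificate.
cert_fingerprint() {  # certfile
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject CN, sanitised for use as a keytool alias (keytool lowercases aliases).
cert_alias() {  # certfile
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/; s/[^A-Za-z0-9.*_-]/_/g'
}

# Does the leaf chain to the CA bundle? Tests openssl's ": OK" text rather than its
# exit status, which older releases set to 0 even when verification fails.
verify_leaf() {  # leaf cabundle
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Import each certificate of a bundle as a trusted entry into a PKCS12 store,
# CA certificates first so every leaf can be chained at the moment it is added.
build_truststore() {  # bundle store.p12 password
    n=$(split_pem "$1" "${2%.p12}-chain")
    i=$n
    while [ "$i" -ge 1 ]; do
        f="${2%.p12}-chain-$i.pem"
        keytool -importcert -noprompt -trustcacerts -file "$f" -alias "$(cert_alias "$f")" \
            -keystore "$2" -storetype PKCS12 -storepass "$3" >/dev/null
        i=$((i - 1))
    done
}

# Convert to JKS only for tooling that insists on it; PKCS12 is the JDK default since 9.
to_jks() {  # store.p12 store.jks password
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$3" >/dev/null 2>&1
}

# Constructed sample (not a real endpoint): a throwaway CA and a server certificate
# it signs. Prints the directory holding ca.pem, srv.pem and chain.pem (leaf first).
make_sample_chain() {
    d=$(mktemp -d)
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
    openssl req -x509 -config "$d/openssl.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/srv.key" -out "$d/srv.csr" -subj "/CN=example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/openssl.cnf" -extensions srv_ext -out "$d/srv.pem" -days 1 >/dev/null 2>&1
    cat "$d/srv.pem" "$d/ca.pem" > "$d/chain.pem"
    echo "$d"
}

# sh truststore.sh demo -> offline run on the constructed chain
# sh truststore.sh live -> fetch the broker's chain first (needs network access)
if [ "${1:-}" = demo ] || [ "${1:-}" = live ]; then
    if [ "$1" = live ]; then d=$(mktemp -d); fetch_chain "$BROKER" "$PORT" "$d/chain.pem"
    else d=$(make_sample_chain); fi
    build_truststore "$d/chain.pem" "$d/truststore.p12" changeit
    to_jks "$d/truststore.p12" "$d/truststore.jks" changeit
    keytool -list -keystore "$d/truststore.jks" -storepass changeit
fi
```

Importing the CA certificates first matters: keytool only accepts a non-self-signed certificate silently when it can build a chain to something already trusted (the store itself or cacerts via -trustcacerts), so the leaf goes in last. For the Amazon broker the live run stores the leaf plus Amazon Server CA 1B; the Amazon Root CA 1 it chains to is taken from cacerts, so once the wildcard certificate is rotated the Server CA 1B entry keeps the store working even though the leaf entry has expired.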
