19 Replies. Latest reply on Dec 14, 2004 2:45 AM by beyarecords
      • 15. Re: PostgreSQL + SSL - sun.security.validator.ValidatorExcep
        beyarecords

        Scot,
        sorry to be a pain, but is there any chance you could send me a zip of your openssl private folder:

        /library/local/ssl/private

        as mine has none of the files specified in the openssl.cnf file, and I haven't got a clue about how to create/obtain them.

        most appreciated

        Andrew

        • 16. Re: PostgreSQL + SSL - sun.security.validator.ValidatorExcep
          beyarecords

          Scot,
          I managed to source the files I required. One point about the wiki: you mention, in the very last section, saving the client (unit-tests-client.cer) to the keystore but don't actually create it anywhere. Is this an error?

          Import the client cert

          keytool -import -keystore localhost.keystore -alias unit-tests-client -file unit-tests-client.cer
          


          regards

          Andrew

          • 17. Re: PostgreSQL + SSL - sun.security.validator.ValidatorExcep
            beyarecords

            Scot,
            here is an alternative to the wiki version you pointed to. This version allows you to create a keystore certificate using keytool and also extract the private key from the keystore via the use of a java class.

            Create Keystore certificate:
            
            1. keytool -genkey -keystore {keystore location} -keyalg RSA -alias postgresql -dname "cn=www.beyarecords.com, ou=Music, o=Urban Music, c=GB" -validity 365
            
            2. keytool -selfcert -keystore {keystore location} -alias postgresql
            
            3. keytool -export -keystore {keystore location} -alias postgresql -rfc -file postgresql.cer
            
            4. keytool -import -keystore {keystore location} -alias postgresql -file postgresql.cer
            
            Export private key from keystore alias:
            
            1. java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key
            2. openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out postgresql.key
            
            Note: main keystore location on OS X is: /library/java/home/lib/security/cacerts
            
            
            ExportPriv class:
            
            import java.security.cert.Certificate;
            import java.security.*;
            import java.io.File;
            import java.io.FileInputStream;
            import java.io.InputStream;
            import java.util.Base64;

            class ExportPriv {
                public static void main(String args[]) throws Exception {
                    // Echo the keystore and alias only, and to stderr, so that neither
                    // the password nor this output ends up in the redirected key file.
                    for (int i = 0; i < args.length && i < 2; i++) {
                        System.err.println(i + ": " + args[i]);
                    }
                    // All three arguments are read below, so require all three
                    if (args.length < 3) {
                        //Yes I know this sucks (the password is visible to other users via ps
                        // but this was a quick-n-dirty fix to export from a keystore to pkcs12
                        // someday I may fix, but for now it'll have to do.
                        System.err.println("Usage: java ExportPriv <keystore> <alias> <password>");
                        System.exit(1);
                    }
                    ExportPriv myep = new ExportPriv();
                    myep.doit(args[0], args[1], args[2]);
                }

                public void doit(String fileName, String aliasName, String pass) throws Exception {

                    KeyStore ks = KeyStore.getInstance("JKS");

                    char[] passPhrase = pass.toCharArray();

                    // Load the keystore and close the stream afterwards
                    File certificateFile = new File(fileName);
                    try (InputStream in = new FileInputStream(certificateFile)) {
                        ks.load(in, passPhrase);
                    }

                    KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);
                    if (kp == null) {
                        throw new KeyStoreException("No private key entry for alias: " + aliasName);
                    }

                    PrivateKey privKey = kp.getPrivate();

                    // java.util.Base64 (Java 8+) replaces the internal sun.misc.BASE64Encoder;
                    // the MIME encoder wraps the output at 64 characters per line for PEM
                    String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'})
                            .encodeToString(privKey.getEncoded());

                    // getEncoded() returns the unencrypted PKCS#8 encoding of the key
                    System.out.println("-----BEGIN PRIVATE KEY-----");
                    System.out.println(b64);
                    System.out.println("-----END PRIVATE KEY-----");
                }

                // From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html
                // Keystore errors (for example a wrong password) are propagated to the
                // caller instead of being swallowed; null means the alias is not a private key.
                public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password)
                        throws GeneralSecurityException {
                    // Get private key
                    Key key = keystore.getKey(alias, password);
                    if (key instanceof PrivateKey) {
                        // Get certificate of public key
                        Certificate cert = keystore.getCertificate(alias);

                        // Get public key
                        PublicKey publicKey = cert.getPublicKey();

                        // Return a key pair
                        return new KeyPair(publicKey, (PrivateKey) key);
                    }
                    return null;
                }
            }
            


            Can we update the wiki with this information as well?

            regards

            Andrew
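
One check worth running after the export steps in post 17, as an added example that is not part of the original thread: it confirms that the exported `postgresql.key` belongs to `postgresql.cer` and restricts the key file to its owner, since PostgreSQL rejects a server key owned by the database user that has group or world access. The function names are hypothetical, and the sample key and certificate are generated with openssl as constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical and the
# sample key/certificate pairs are constructed with openssl, so it runs offline.

# Print the SHA-256 of the DER public key held in a PEM private key or cert.
pubkey_digest() {            # $1 = key|cert, $2 = PEM file
    _tmp=$(mktemp) || return 1
    _rc=1
    case "$1" in
        key)  if openssl pkey -in "$2" -passin pass: -pubout -outform DER \
                     -out "$_tmp" 2>/dev/null </dev/null; then _rc=0; fi ;;
        cert) if openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
                     openssl pkey -pubin -pubout -outform DER \
                     -out "$_tmp" 2>/dev/null; then _rc=0; fi ;;
    esac
    # An empty or unparsable input must never hash to a "matching" digest.
    if [ "$_rc" -eq 0 ] && [ -s "$_tmp" ]; then
        openssl dgst -sha256 -r "$_tmp" | cut -d' ' -f1
    else
        _rc=1
    fi
    rm -f "$_tmp"
    return "$_rc"
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {         # $1 = private key, $2 = certificate
    _k=$(pubkey_digest key "$1") || return 1
    _c=$(pubkey_digest cert "$2") || return 1
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# Restrict the key to its owner and confirm the resulting mode.
lock_down_key() {            # $1 = private key
    chmod 600 "$1" || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample: throwaway self-signed certificate plus unencrypted key.
make_sample() {              # $1 = directory, $2 = basename
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/$2.key" -out "$1/$2.cer" >/dev/null 2>&1
}

d=$(mktemp -d) && make_sample "$d" postgresql && make_sample "$d" other
key_matches_cert "$d/postgresql.key" "$d/postgresql.cer" && echo "key matches cert"
key_matches_cert "$d/other.key" "$d/postgresql.cer" || echo "mismatch detected"
lock_down_key "$d/postgresql.key" && echo "key mode is 0600"
rm -rf "$d"
```

Against the files from the post, call `key_matches_cert postgresql.key postgresql.cer` and then `lock_down_key postgresql.key`.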

            • 18. Re: PostgreSQL + SSL - sun.security.validator.ValidatorExcep
              starksm64

              I added it.

              • 19. Re: PostgreSQL + SSL - sun.security.validator.ValidatorExcep
                beyarecords

                Nice one ;-)

                Andrew
