
KEYSTORE EXPLORER CHANGE ENTRY NAME INSTALL
TLDR: You can't modify a cert; you can and should replace it.

You can't change anything within a certificate because it is digitally signed precisely to prevent anyone from changing anything in it.

You effectively have already done step 1 but with the wrong subject name, and need to complete the remaining steps with one variation: in step 2, keytool -certreq, add the option -dname 'newnamefields' (use " on Windows) to specify the corrected requester/Subject name for the CSR. General info about cert names is on the same page at the heading X.500 Distinguished Names. If this cert (and key) will be for an SSL/TLS server, the Subject name should be or include 'CN=servername', where servername is not the name of a person as described in the manual, but instead the name, or a wildcard (in first component only) matching the name, of the server as it is accessed by client(s). For public/Internet servers this is usually a Fully Qualified Domain Name (FQDN) or in rare cases an IP address, but some intranet or LAN environments use other names. The details of steps 3 and 4 vary depending on the CA you use, and all CAs I've ever seen have customized instructions for issuing a cert to a Java system, often listed under Tomcat as the 'typical' Java system, tailored to that CA.

Otherwise: if you want to create a new self-signed cert, keytool does not have an option for that; you can write a program to do it, but it's easier, though a bit roundabout, to use OpenSSL instead. You can also use OpenSSL to request a real CA cert with some options that keytool doesn't support.

If you are on Linux, you most likely already have OpenSSL; on other Unix you may need to install it, almost always from the vendor's normal repository/channel/etc.; on Windows (unless Windows 10 with WSL) you will need to install the ShiningLight package.
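The OpenSSL route for a self-signed replacement, as an added example that is not part of the original page: it keeps the existing private key, issues a new self-signed cert with the corrected Subject, and rebuilds the keystore entry under the same alias. The password, alias, file names and host names are constructed sample values, the keystore is assumed to be in PKCS12 format, and the subjectAltName extension is an addition beyond what the page describes (it needs OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example: replace (never edit) a self-signed cert in a PKCS12 keystore.
# PASS, ALIAS, file names and host names are constructed sample values.
# A JKS store would first be converted with:
#   keytool -importkeystore -srckeystore old.jks -destkeystore keystore.p12 -deststoretype PKCS12
PASS=changeit
ALIAS=server
umask 077   # the extracted private key must not be readable by other users

# Build a stand-in for the existing keystore: cert Subject is a person's name.
make_sample_keystore() {    # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=John Doe" \
        -keyout "$1/old.key" -out "$1/old.crt" 2>/dev/null &&
    openssl pkcs12 -export -name "$ALIAS" -inkey "$1/old.key" -in "$1/old.crt" \
        -passout "pass:$PASS" -out "$1/keystore.p12"
}

# Keep the private key, issue a new self-signed cert carrying the corrected
# Subject (plus a matching SAN), and rebuild the entry under the same alias.
replace_selfsigned() {      # $1 = working directory, $2 = server name
    openssl pkcs12 -in "$1/keystore.p12" -passin "pass:$PASS" \
        -nocerts -nodes -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -days 365 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$1/new.crt" &&
    openssl pkcs12 -export -name "$ALIAS" -inkey "$1/key.pem" -in "$1/new.crt" \
        -passout "pass:$PASS" -out "$1/keystore-new.p12"
    rc=$?
    rm -f "$1/key.pem"      # do not leave the unencrypted key on disk
    return "$rc"
}

# Helpers to confirm the result: the Subject changes, the public key does not.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_pubkey()  { openssl x509 -in "$1" -noout -pubkey; }
```

Because the key pair is unchanged, clients that trusted the old self-signed cert by importing it still need the new cert imported in its place.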
