certificate


How to convert certificate of Let’s encrypt to jks

To convert a Let’s Encrypt SSL certificate (issued as PEM files) into a Java Keystore (JKS), follow these steps:

Step-by-step guide:

Step 1: Get the files ready

After obtaining your certificate from Let’s Encrypt, you’ll typically have the following files:

  • cert.pem (your domain certificate)
  • privkey.pem (private key)
  • chain.pem (CA intermediate certificates)
  • fullchain.pem (combined certificate with intermediate)

Ensure these files are available on your machine.


Step 2: Combine your certificate and private key into PKCS12 format

Use OpenSSL to create a PKCS12 (.p12) file:

1
2
3
4
5
openssl pkcs12 -export \
  -in fullchain.pem \
  -inkey privkey.pem \
  -out certificate.p12 \
  -name your_alias

Replace your_alias with a meaningful alias, such as your domain name.

You’ll be asked to set a password. Remember this password, as you’ll need it to import into the keystore.


Step 3: Import PKCS12 file into JKS Keystore

Now, convert the PKCS12 file (certificate.p12) into a JKS keystore:

1
2
3
4
5
6
7
8
keytool -importkeystore \
  -deststorepass YOUR_KEYSTORE_PASSWORD \
  -destkeypass YOUR_KEYSTORE_PASSWORD \
  -destkeystore keystore.jks \
  -srckeystore certificate.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass YOUR_PKCS12_PASSWORD \
  -alias your_alias
  • Replace YOUR_KEYSTORE_PASSWORD with the password you want for your new Java keystore.
  • Replace YOUR_PKCS12_PASSWORD with the password you set when creating the .p12 file in Step 2.

Step 4: Verify your JKS Keystore

To ensure your certificate is correctly imported, use:

1
keytool -list -v -keystore keystore.jks

You should see your imported certificate details listed.


Step 5: Use your JKS Keystore

Now you can use keystore.jks in your Java application or server (like Tomcat, Jetty, Spring Boot applications, etc.).

Example configuration (Tomcat server.xml):

1
2
3
4
5
6
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="YOUR_KEYSTORE_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />

Replace paths/passwords with your details.


Important notes:

  • Store your keystore securely and protect the passwords.
  • Let’s Encrypt certificates expire every 90 days, so automate renewal and conversion into JKS if possible.

That’s it! Your Let’s Encrypt certificate is now in JKS format, ready for Java applications.

A sophisticated logo design for a Cypriot ethical hacker team, featuring a 3D metallic shield that incorporates the outline of Cyprus. Overlaid on the shield is a digital phoenix, symbolizing rebirth and resilience in the cybersecurity realm. The colors of the flag are present in the form of dynamic streaks across the shield. The team's name, 'Cyber Guardians CY', is embossed in bold, digital font along the lower part of the shield.

Create an HTTPS server in Python 3

To create an HTTPS server in Python 3 and serve a specific directory, you can use the http.server module along with the http.server.SimpleHTTPRequestHandler class. However, you’ll need to generate SSL/TLS certificates to make it an HTTPS server. You can use the http.server module in combination with the ssl module to achieve this. Here’s a step-by-step guide:

Generate SSL/TLS certificates (self-signed in this example):

You can use the openssl command-line tool to generate self-signed certificates for testing purposes:

1
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365;

Create a Python script to serve a directory via HTTPS:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import http.server
import socketserver
import ssl
 
# Set the path to the directory you want to serve
directory_to_serve = "/path/to/your/directory"
 
# Set the port for your HTTPS server
port = 443
 
# Specify the SSL/TLS certificate and key files
certfile = "cert.pem"
keyfile = "key.pem"
 
# Create a custom handler to use the SSL context
class MyHandler(http.server.SimpleHTTPRequestHandler):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=directory_to_serve, **kwargs)
 
# Create an SSL context
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain(certfile=certfile, keyfile=keyfile)
 
# Create the HTTPS server
with socketserver.TCPServer(("0.0.0.0", port), MyHandler) as httpd:
    httpd.socket = ssl_context.wrap_socket(httpd.socket, server_side=True)
    print(f"Serving directory at https://localhost:{port}")
    httpd.serve_forever()

Replace /path/to/your/directory with the absolute path to the directory you want to serve, and adjust the port, certfile, and keyfile variables as needed.

Run this Python script to create an HTTPS server that serves files from the specified directory over HTTPS on the specified port. Access it in your web browser using https://localhost:443 (or any other IP your machine is configured to use).

Remember that this example uses a self-signed certificate, suitable for testing but not recommended for production use. In a production environment, you should obtain a valid SSL/TLS certificate from a certificate authority. If we were serving certificates from LetsEncrypt, then the respective variables in the file above would be as follows:

1
2
certfile = "/certificates/api.bytefreaks.net/fullchain.pem"
keyfile = "/certificates/api.bytefreaks.net/privkey.pem"

In this example, we used port 443. This port requires elevated rights, so you should execute the above script with sudo. If you use another port like 8443, then sudo is not required.


Create a PKCS#12 file that contains both the certificate and the private key

In today’s world, security is a significant concern for everyone. Securing sensitive information such as passwords, certificates, and private keys is important. OpenSSL is a widely used tool for encrypting, decrypting, and managing digital certificates and keys. In this blog, we will explain the following command:

1
openssl pkcs12 -export -out certificate.p12 -in certificate.pem -inkey key.pem -passin pass:bytefreaks -passout pass:bytefreaks;

This command creates a PKCS#12 file containing the certificate and the private key. PKCS#12 (Public-Key Cryptography Standards #12) is a file format that stores cryptographic objects such as private keys, certificates, and intermediate certificates.

Let’s break down this command and explain what each option does:

1
openssl pkcs12

This is the OpenSSL command for PKCS#12.

1
-export

This option tells OpenSSL to export the certificate and private key.

1
-out certificate.p12

This option specifies the output file name and format. In this case, the output file will be named certificate.p12.

1
-in certificate.pem

This option specifies the input file name and format. In this case, the input file is the certificate file named certificate.pem.

1
-inkey key.pem

This option specifies the private key file name and format. In this case, the private key file is named key.pem.

1
-passin pass:bytefreaks

This option specifies the password to decrypt the private key. In this case, the password is “bytefreaks”.

1
-passout pass:bytefreaks

This option specifies the password to encrypt the PKCS#12 file. In this case, the password is “bytefreaks”

1
;

This symbol indicates the end of the command.

When you run this command, OpenSSL will prompt you to enter the password for the private key. Once you enter the correct password, OpenSSL will create a PKCS#12 file named certificate.p12 that contains both the certificate and the private key encrypted with the password “bytefreaks”.

In conclusion, the openssl pkcs12 -export -out certificate.p12 -in certificate.pem -inkey key.pem -passin pass:bytefreaks -passout pass:bytefreaks; command is used to create a PKCS#12 file that contains both the certificate and the private key. This file is encrypted with the password “bytefreaks” to ensure security.


How to retrieve the SSL cert expiration date from a PEM encoded certificate?

We use the following command to get the ending date of PEM encoded certificates that are generated using certbot and Let's Encrypt:

1
openssl x509 -enddate -noout -in fullchain.pem;

To get a list of all certificates and their expiration dates, we issue the following find command that executes the above snippet on each result while printing the name of the file first.

1
find ~/certificates/ -name "fullchain.pem" -print -exec openssl x509 -enddate -noout -in '{}' \;

In this example, the certificates are in our home folder under the name ‘certificates’. The results will look like the following sample:

/home/tux/certificates/example.com/fullchain.pem
notAfter=Aug 22 10:12:55 2021 GMT
/home/tux/certificates/site2.example.com/fullchain.pem
notAfter=Nov 22 03:22:44 2021 GMT