Access keystore on Sun ONE Webserver 6.1 for 2048 bit key length SSL

We want to get 2048 bit key length CSR requests. The browser based GUI provides us with a 1024 bit CSR and I don’t know how to change that. It seems that 1024 bit key lengths will no longer be supported by SSL companies. (Lower cost options only support 2048 bit. Thawte who is much more …

Creating SSL certificate signed by a self-signed CA certificate in Jetty

I’m trying to configure a jetty-distribution-9.3.1.v20150714 backend running on Java 1.8.0_45-b14 with a certificate signed by a self-signed CA certificate, for SSL pinning. Following Apple’s guide, I created a self signed CA certificate, then created a certificate based on that CA cert. Result is a ServerCertificate.p12 with server’s certificate and a private key and a …

java keystore can’t validate URL

With the same url, this ends up giving a verify return code 20 (unable to get local issuer of certificate): openssl s_client -connect $URL:443 -showcerts -CAfile /etc/ssl/certs/java/cacerts This gives a verify return code of 0: openssl s_client -connect $URL:443 -showcerts -CApath /etc/ssl/certs As does … -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem. But that cert is already in the java …

How do I secure the access token, on Linux, to remote, automated secrets stores like Hashicorp Vault?

There seems to be a bit of a “chicken and egg” problem with the passwords to the password managers like Hashicorp Vault for Linux. While researching this for some Linux servers, someone clever asked, “If we’re storing all of our secrets in a secrets storage service, where do we store the access secret to that …

Import of PEM certificate chain and key to Java Keystore

There are plenty of resources out there about this topic, but none I found which covers this slightly special case. I have 4 files: privatekey.pem, certificate.pem, intermediate_rapidssl.pem, ca_geotrust_global.pem. And I wish to import them into a fresh keystore. Some sites suggest using DER format and importing them one by one, but this failed because the …