<p>Wait, which certificate expired? If it was theirs, there shouldn't have been any need to send you a new file (after all, you don't have to update your browser when, say, stackoverflow.com's SSL certificate expires and they install a new one). If you're doing mutual authentication (client certificate authentication), then there are four certificates involved: your certificate, their certificate, the certificate of the authority that signed your certificate, and the certificate of the authority that signed their certificate. They send you their certificate and you check to see that it was properly signed by a certificate authority that you trust (that's what the truststore is for: it's a list of the certificate authorities that you trust to sign certificates from their side). Subsequently, you send your certificate and they check to see that it was properly signed by a certificate authority that they trust. (Of course, all of this is automatically done for you behind the scenes in JSSE by the SSL handshake procedure.)</p>
<p>Remember, a certificate is a (signed) assertion that such-and-such name is identified by a particular public key. So if their certificate expired, they'll generate a new one, get it signed by a CA that you already trust, and replace the old one with this one. When your software (automatically, as part of the behind-the-scenes SSL handshake) gets the new one, it will check to see who the signer ("issuer") was and whether it's in your list of trusted authorities (and properly signed). If this checks out, you'll accept it automatically. They don't need to send you anything out-of-band to make this happen, unless they're changing certificate authorities and you don't already trust the new one. If so, you can use</p>
<pre><code>keytool -import -keystore &lt;truststore&gt; -file &lt;certificate file&gt; -alias &lt;someca&gt;
</code></pre>
<p>If, on the other hand, your certificate is the one that expired, then they shouldn't be sending you anything unrequested. Instead, you should be generating a CSR via:</p>
<pre><code>keytool -genkey -alias &lt;myalias&gt; -keystore &lt;keystore&gt;.p12 -storetype pkcs12
keytool -certreq -alias &lt;myalias&gt; -file request.csr -keystore &lt;keystore&gt;.p12 -storetype pkcs12
</code></pre>
<p>This will update the keystore with a new private key and create a file named "request.csr" which you should then send to <em>them</em> (or to a CA that's in their truststore) for a signature. They will respond with a signed certificate which you will then import back into your keystore using:</p>
<pre><code>keytool -import -alias &lt;myalias&gt; -file &lt;signed certificate&gt;.cer -keystore &lt;keystore&gt;.p12 -storetype pkcs12
</code></pre>
<p>If I had to guess, it looks like they tried to perform these three steps for you, and tried to send you the certificate and the corresponding private key, which is invalid. Java will (rightly!) try its best to stop you from importing that, because the private key itself was tainted when they sent it over an untrusted channel (e-mail, I presume?). This defeats the purpose of PKI: nobody should ever have access to your private key except for you.</p>
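The full round trip the answer describes, as an added example that is not part of the original answer: a key pair and CSR generated in a PKCS12 keystore, the CSR signed by a throw-away OpenSSL CA standing in for "them" (or their CA), the signed reply imported back under the same alias, and the CA certificate imported into a separate truststore. The function name `mtls_keystore_demo`, the alias `myalias`, the file names `client.p12` and `truststore.p12`, the password `changeit` and the subject names are all assumptions chosen for the demo; it needs `keytool` (JDK) and `openssl` on the path and runs entirely offline.

```shell
#!/bin/sh
# Added example (not the answer's own commands): the keytool round trip for the
# "your certificate expired" case, plus the truststore import for the "they
# changed CA" case. Every alias, file name and password below is an assumption.

mtls_keystore_demo() {
    workdir="$1"
    ks="$workdir/client.p12"       # keystore: OUR private key and our certificate chain
    ts="$workdir/truststore.p12"   # truststore: only the CAs we trust on THEIR side
    pass="changeit"                # demo-only password

    # 1. Generate a fresh key pair in the keystore. The private key is created
    #    here and never leaves this file.
    keytool -genkeypair -alias myalias -keyalg RSA -keysize 2048 \
        -dname "CN=demo-client, O=Example" \
        -keystore "$ks" -storetype pkcs12 -storepass "$pass" >/dev/null 2>&1 || return 1

    # 2. Produce the CSR: public key plus name, signed with our private key.
    #    This is the only thing that should cross the trust boundary.
    keytool -certreq -alias myalias -file "$workdir/request.csr" \
        -keystore "$ks" -storetype pkcs12 -storepass "$pass" >/dev/null 2>&1 || return 1

    # 3. Stand-in for "them" / their CA: a self-signed demo CA signs the CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$workdir/ca.key" -out "$workdir/ca.crt" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$workdir/request.csr" \
        -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
        -days 365 -out "$workdir/signed.cer" >/dev/null 2>&1 || return 1

    # 4. Import the CA reply. keytool must be able to build the chain, so the
    #    issuing CA goes in first as a trusted entry; the signed certificate is
    #    then imported under the SAME alias as the private key.
    keytool -importcert -alias democa -file "$workdir/ca.crt" -noprompt \
        -keystore "$ks" -storetype pkcs12 -storepass "$pass" >/dev/null 2>&1 || return 1
    keytool -importcert -alias myalias -file "$workdir/signed.cer" -noprompt \
        -keystore "$ks" -storetype pkcs12 -storepass "$pass" >/dev/null 2>&1 || return 1

    # 5. Truststore: just the CA that signs THEIR certificates (the first
    #    keytool command in the answer). No private key is ever put here.
    keytool -importcert -alias democa -file "$workdir/ca.crt" -noprompt \
        -keystore "$ts" -storetype pkcs12 -storepass "$pass" >/dev/null 2>&1 || return 1

    # Checks: the keystore entry now carries a two-certificate chain (ours plus
    # the CA), and the truststore holds a trusted certificate but no private key.
    keytool -list -v -alias myalias -keystore "$ks" -storetype pkcs12 -storepass "$pass" 2>/dev/null \
        | grep -q "Certificate chain length: 2" || return 1
    if keytool -list -keystore "$ts" -storetype pkcs12 -storepass "$pass" 2>/dev/null \
        | grep -q "PrivateKeyEntry"; then
        return 1
    fi
    keytool -list -keystore "$ts" -storetype pkcs12 -storepass "$pass" 2>/dev/null \
        | grep -q "trustedCertEntry" || return 1
    return 0
}

# Usage (from an interactive shell):
#   d=$(mktemp -d) && mtls_keystore_demo "$d" && echo "keystore and truststore built in $d"
```

The split into two files is the point of the exercise: `client.p12` is the only place the private key exists, and `truststore.p12` contains nothing but CA certificates, so it is the file that can be refreshed when the other side changes CA. If step 4 is attempted without the CA certificate already present (in the keystore or via `-trustcacerts`), keytool refuses the reply with "Failed to establish chain from reply", which is the same trust check the handshake later performs automatically.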