
AWI Create Keystore File: Questions about SHA-256 and PKCS12

Question asked by MartinZeise-Kaucic603598 on Oct 12, 2018
Latest reply on Oct 15, 2018 by Carsten_Schmitz

Hi,

in the AWA help for 12.2

https://docs.automic.com/documentation/webhelp/english/AWA/12.2/DOCU/12.2/AWA%20Guides/help.htm#_Common/Security/Security_Hardening_HTTPS_SSL.htm?Highlight=https

under "Securing Access with HTTPS", in the subchapter "Create a Keystore File for Your Tomcat Installation", it is written that I should use SHA-256 instead of SHA-1:

"….Warning! SHA-1 certificates are considered to be unsafe by modern browsers. Use SHA-256 instead"

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore tomcat-keystore.jks -storepass myTomcatKeystorePassword

Question 1:

- Which parameter of the program keytool do I have to modify or add so that I use SHA-256?

Question 2:

I have adopted the command "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore tomcat-keystore.jks -storepass myTomcatKeystorePassword; I only changed the password and the Java path. After the creation of the file tomcat-keystore.jks I got the following message in my CLI:

DE:

Der JKS-Keystore verwendet ein proprietäres Format. Es wird empfohlen, auf PKCS12 zu migrieren, das ein Industriestandardformat mit "keytool -importkeystore -srckeystore tomcat-keystore.jks -destkeystore tomcat-keystore.jks -deststoretype pkcs12" ist.

UK/US (my own translation):

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12, which is an industry-standard format, with "keytool -importkeystore -srckeystore tomcat-keystore.jks -destkeystore tomcat-keystore.jks -deststoretype pkcs12".

Has this message anything to do with my first question (Q1: SHA-256 instead of SHA-1)?

- What is PKCS12?

- Are there any security reasons to switch over to PKCS12?

- How do I switch over to PKCS12?

On the same page something is written about PKCS12, but I should skip this because "...Skip this step if you are using the self-signed certificate created in the previous step.". I skipped it, because I use a self-signed certificate.

Question 3

Can I see afterwards whether I use SHA-256 and PKCS12 (where can I verify it?)

Yours sincerely/Mit freundlichen Grüßen

Martin Zeise-Kaucic
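The reply in this thread is not reproduced on the page, so the following is an added example (my own, not the original poster's command, Carsten_Schmitz's answer, or the Automic documentation) that walks through the three points the question raises with keytool: pinning the certificate signature to SHA-256 (-sigalg SHA256withRSA), migrating the JKS file to PKCS12 with the -importkeystore command from the warning, and reading both facts back with keytool -list -v. Assumptions: a JDK keytool is reachable under $JAVA_HOME/bin or on PATH; the work directory, the output file name tomcat-keystore.p12, the -dname subject, and the password (taken from the question's sample command) are constructed sample values. It is written for a POSIX shell; on Windows the same keytool options apply with "%JAVA_HOME%\bin\keytool".

```shell
#!/bin/sh
# Added example (not from the thread or the Automic documentation): generate a
# self-signed Tomcat certificate signed with SHA-256, move the keystore from
# JKS to PKCS12, and read both properties back with keytool -list -v.
# Assumptions: a JDK keytool is reachable via $JAVA_HOME/bin or PATH; the work
# directory, file names, password and -dname subject are constructed samples.

KEYTOOL="${JAVA_HOME:+$JAVA_HOME/bin/}keytool"
STOREPASS="${STOREPASS:-myTomcatKeystorePassword}"   # sample password from the question
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/awi-keystore-example}"

# Question 1: the signature hash is chosen with -sigalg. Current JDKs already
# default to SHA256withRSA for RSA keys; pinning it makes the intent explicit.
# -storetype JKS reproduces the situation from the question (a JKS file).
create_jks() {
  mkdir -p "$WORKDIR" && rm -f "$WORKDIR/tomcat-keystore.jks"
  "$KEYTOOL" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 \
    -dname "CN=awi.example.test, OU=Automic, O=Example, C=DE" \
    -storetype JKS -keystore "$WORKDIR/tomcat-keystore.jks" \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Question 2: the migration the keytool warning suggests. Writing to a new
# .p12 file leaves the original JKS untouched; with source and destination set
# to the same file, as in the warning text, keytool converts in place and keeps
# a .old backup. PKCS12 requires the key password to equal the store password.
migrate_to_pkcs12() {
  rm -f "$WORKDIR/tomcat-keystore.p12"
  "$KEYTOOL" -importkeystore -noprompt \
    -srckeystore "$WORKDIR/tomcat-keystore.jks" -srcstoretype JKS \
    -srcstorepass "$STOREPASS" -srcalias tomcat -srckeypass "$STOREPASS" \
    -destkeystore "$WORKDIR/tomcat-keystore.p12" -deststoretype PKCS12 \
    -deststorepass "$STOREPASS" -destalias tomcat -destkeypass "$STOREPASS"
}

# Question 3: keytool -list -v prints "Keystore type: ..." for the container
# format and "Signature algorithm name: ..." for the certificate signature.
keystore_report() {
  "$KEYTOOL" -list -v -keystore "$1" -storepass "$STOREPASS" 2>/dev/null
}
keystore_type() {
  # normalised to upper case: expect JKS or PKCS12
  keystore_report "$1" | sed -n 's/^Keystore type: *//p' | head -n 1 \
    | tr '[:lower:]' '[:upper:]'
}
cert_sigalg() {
  # expect SHA256withRSA for the certificate created above
  keystore_report "$1" | sed -n 's/^Signature algorithm name: *//p' | head -n 1
}

# Whole procedure: create, migrate, then report both files.
main() {
  create_jks && migrate_to_pkcs12 || return 1
  for f in "$WORKDIR/tomcat-keystore.jks" "$WORKDIR/tomcat-keystore.p12"; do
    printf '%s: type=%s sigalg=%s\n' "$f" "$(keystore_type "$f")" "$(cert_sigalg "$f")"
  done
}

# Run everything when executed directly as: sh keystore-example.sh
case "$0" in *keystore-example.sh) main ;; esac
```

Two points the example makes visible: the JKS warning is independent of the SHA-1/SHA-256 question, because the hash algorithm is a property of the certificate's signature (set with -sigalg and shown as "Signature algorithm name"), while JKS versus PKCS12 is only the container format of the file (shown as "Keystore type"); and a self-signed certificate can be stored in PKCS12 just like any other. If Tomcat does not open the .p12 file by default, set keystoreType="PKCS12" on the HTTPS Connector alongside the new keystoreFile path.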
