Skip to content

/ apostille

No description, website, or topics provided.
Java Dockerfile
  1. Java 99.2%
  2. Dockerfile 0.8%
Branch: master
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop

If nothing happens, download GitHub Desktop and try again.

Launching Xcode

If nothing happens, download Xcode and try again.

Launching Visual Studio

If nothing happens, download the GitHub extension for Visual Studio and try again.

@RoganDawes
RoganDawes Merge pull request #2 from Cablethief/patch-1 
Dockerfile
Latest commit d78960b Jan 31, 2020
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Fix failing test Sep 25, 2019
.gitignore Add git ignore file Jun 20, 2019
Dockerfile Dockerfile Jan 31, 2020
LICENSE.txt Make release v1.1 Jun 20, 2019
README.md Read certificates from a PEM file Feb 8, 2019
pom.xml Make release v1.1 Jun 20, 2019

README.md

This is a tool to clone X509 certificate chains.

Call it with a host:port that will present an SSL certificate chain, and Apostille will retrieve the chain, and output a key, and a chain of certificates that matches the certs that were retrieved.

Obviously, we are not breaking RSA/DSA/EC here, so the PrivateKey will be freshly generated, along with its PublicKey, and an X509Certificate[] chain that matches the source chain in every respect EXCEPT the key values.

If you provide a keystore and passwords, all private keys and certificates generated will be stored in the keystore, as well as being output in PEM form on stdout. This will include the keys for all the intermediate certificates, which would not otherwise be output or saved.

Automatically generated "parents" of the chain will be named by their CN.

Run it like:

mvn package
java -jar target/apostille-1.0-SNAPSHOT.jar example.com:443 > example.com.key+chain

Or

java -jar target/apostille-1.0-SNAPSHOT.jar example.com:443 keystore.jks password password > example.com.key+chain

Alternatively, you can provide a file containing the certificate chain, which will be cloned. This supports the case where the certificate is not directly reachable via a socket connection, or is not TLS.

Provide a certificate chain similar to what is generated by:

openssl s_client -connect example.com:443 -showcerts < /dev/null > example.com.pem

NB: The certificate chain must either contain a complete chain right up to the last certificate authority, or the certificate authority must be available in the Java trust store, or the provided keystore. There is no special alias required for the CA certificate in the keystore, all trusted certificates are checked for a matching CN. Note that if the CA certificate is installed using an alias of its CN, it will be overwritten with the cloned CA certificate and key.

Then clone it using:

java -jar target/apostille-1.0-SNAPSHOT.jar example.com.pem > example.com.key+chain

Or

java -jar target/apostille-1.0-SNAPSHOT.jar example.com.pem keystore password password > example.com.key+chain
You can’t perform that action at this time.