Repository with sample TLS certificates in the formats that are typically used by Certificate Authorities (PEM, PKCS7, PKCS12)

plavjanik/acme-certificates

acme-certificates

A repository with sample TLS certificates in the formats that are typically used by Certificate Authorities (PEM, PKCS7, PKCS12).

This repository provides a sample server certificate signed by a sample CA with two intermediary CAs in a fictional Acme corporation.

The certificate hierarchy is as follows:

  • CN=Acme Root CA
    • CN=Acme Internal CA
      • CN=Acme Signing CA
        • CN=Server

The purpose is to provide data for testing of server certificate import with different input formats.

Certificate Files

All the certificates are generated by the acme_cert.sh script. It requires Java 8 and openssl to be installed.

The following files are provided:

  1. server.cer - a signed server certificate in the PEM encoded X.509 format without the chain and without the private key
  2. server_full_chain.cer - a signed server certificate with the full chain in PEM encoded X.509 format without the private key
  3. server_full_chain_private_key.cer - a signed server certificate with the full chain and with the private key in PEM encoded X.509 format
  4. server_full_chain.p7b - a signed server certificate with the full chain in PEM encoded PKCS#7 format without the private key
  5. server_signing_ca.p7b - a signed server certificate with the signing certificate in PEM encoded PKCS#7 format without the other certificates in the chain and without the private key (this is the format that you will get from Symantec™ Complete Website Security)
  6. server.pkcs8 - the private key in PEM encoded PKCS#8 format
  7. server_one_entry.p12 - a signed certificate with the full chain and the private key in one entry of a PKCS#12 keystore
  8. server.p12 - a signed certificate with the full chain and the private key in one entry of a PKCS#12 keystore, plus entries for the CAs in the chain
  9. signingca.cer, interca.cer, rootca.cer - public certificates of the intermediate and root CAs in the chain in the PEM encoded X.509 format

What is necessary for a server:

  • public server certificate
  • the full chain of public CA certificates to the root CA
  • private key of the server certificate

This can be achieved with the following files:

  1. server_one_entry.p12

  2. or server.p12

  3. or server.cer + signingca.cer + interca.cer + rootca.cer + server.pkcs8

  4. or server_full_chain.cer + server.pkcs8

  5. or server_full_chain_private_key.cer

  6. or server_signing_ca.p7b + interca.cer + rootca.cer + server.pkcs8

  7. other combinations that have all required parts (e.g. the private key can be provided in a PKCS#12 keystore)

Why is the full chain required on the server? The server is required to provide enough information for certificate validation. Clients are expected to know and trust only the root CA. The public certificates of all CAs in the chain need to be available to the client, and it is the server that needs to provide them.

Note: KeyStore Explorer is a useful tool for examining certificates and working with keystores.

This repository uses the same extensions as KeyStore Explorer does in its export actions:

  • .cer - PEM encoded X.509 format with one or more certificates
  • .p12 - PKCS#12 keystore
  • .p7b - PEM encoded PKCS#7 format with certificates and possibly their certificate chain
  • .pkcs8 - PEM encoded PKCS#8 format with a private key

Working with Certificates

z/OS

Copy keystore to z/OS using Zowe CLI

zowe files upload ftu "server_one_entry.p12" "/zaas1/sdkbld1/server_one_entry.p12" --binary
zowe files upload ftu "server_one_entry.p12" "/zaas1/sdkbld1/server_one_entry.pfx" --binary
zowe files upload ftu "server.p12" "/zaas1/sdkbld1/server.p12" --binary

Unknown format

zowe uss issue ssh "/usr/lpp/java/J8.0_64/bin/keytool -v -list -keystore server_one_entry.pfx -storepass password"
keytool error (likely untranslated): java.io.IOException: Invalid keystore format

You need to use the -storetype pkcs12 parameter for PKCS#12 keystores.

Short list

zowe uss issue ssh "/usr/lpp/java/J8.0_64/bin/keytool -list -storetype pkcs12 -keystore server_one_entry.p12 -storepass password"
server_one_entry.p12
Keystore type: pkcs12
Keystore provider: IBMJCE

Your keystore contains 1 entry

server, Oct 24, 2019, keyEntry,
Certificate fingerprint (SHA1): 06:40:A2:DE:6F:AE:19:ED:86:4E:07:1B:28:B2:E5:0A:35:F9:6F:C1
server.p12
Keystore type: pkcs12
Keystore provider: IBMJCE

Your keystore contains 4 entries

server, Oct 24, 2019, keyEntry,
Certificate fingerprint (SHA1): 06:40:A2:DE:6F:AE:19:ED:86:4E:07:1B:28:B2:E5:0A:35:F9:6F:C1
acme root ca, Oct 28, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 1B:E0:06:39:0D:AF:21:D3:E3:07:B3:DF:1E:23:07:27:1B:3F:27:BB
acme internal ca, Oct 28, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): ED:76:A0:DF:E5:39:06:A1:25:DC:CD:36:F5:70:13:C9:D8:B0:00:7D
acme signing ca, Oct 28, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): E2:74:4E:77:B8:BC:DA:19:98:D4:C9:06:DD:8B:80:DB:39:46:92:98

Verbose list

server_one_entry.p12
zowe uss issue ssh "/usr/lpp/java/J8.0_64/bin/keytool -v -list -storetype pkcs12 -keystore server_one_entry.p12 -storepass password"
Keystore type: pkcs12
Keystore provider: IBMJCE

Your keystore contains 1 entry

Alias name: server
Creation date: Oct 24, 2019
Entry type: keyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=Server, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Signing CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 32410270
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  05:37:C8:39:71:5D:73:E4:F8:DE:70:8F:42:EF:26:72
         SHA1: 06:40:A2:DE:6F:AE:19:ED:86:4E:07:1B:28:B2:E5:0A:35:F9:6F:C1
         SHA256: E2:4A:9F:13:C4:08:43:58:4B:46:E2:5F:4B:B4:49:5E:A0:CD:3D:3D:A3:1A:AC:8D:D4:BF:5D:51:C7:DC:73:2F
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: c7 73 19 0c 6b 28 0f 50  2c 1d 33 53 81 58 fd 85  .s..k..P..3S.X..
0010: 98 33 e7 34                                        .3.4
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: e6 2b 3c a5 e4 75 c6 25  f8 64 af f9 81 9e a8 c5  .....u...d......
0010: 10 d9 c6 7a                                        ...z
]
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
        1.3.6.1.5.5.7.3.2       1.3.6.1.5.5.7.3.1]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[DNSName: acme.example.com, DNSName: localhost.localdomain, DNSName: localhost]]

Certificate[2]:
Owner: CN=Acme Signing CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Internal CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 7a91184c
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  31:20:15:6F:95:16:49:AD:6B:34:76:DE:72:5A:4B:CD
         SHA1: E2:74:4E:77:B8:BC:DA:19:98:D4:C9:06:DD:8B:80:DB:39:46:92:98
         SHA256: 9B:F9:E7:7B:39:01:10:62:27:3C:32:BC:0D:51:6F:57:8D:8C:57:CD:63:ED:C8:79:EC:5F:54:2E:A8:07:94:8A
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: be 64 51 02 7b 4c 79 13  2d d7 05 7a a4 a9 c6 24  .dQ..Ly....z....
0010: 8e e3 5c 91                                        ....
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: c7 73 19 0c 6b 28 0f 50  2c 1d 33 53 81 58 fd 85  .s..k..P..3S.X..
0010: 98 33 e7 34                                        .3.4
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

Certificate[3]:
Owner: CN=Acme Internal CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 7fbbe401
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  F9:BD:BB:84:4D:20:5B:12:D5:85:BB:FF:2D:7A:11:95
         SHA1: ED:76:A0:DF:E5:39:06:A1:25:DC:CD:36:F5:70:13:C9:D8:B0:00:7D
         SHA256: 13:4B:47:2A:2A:E6:4D:EE:E1:22:C1:1E:AF:EC:00:C9:BE:DC:61:8C:BC:A4:52:F8:1A:C1:4F:B6:36:47:B4:59
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 9f 03 75 e6 54 e2 a3  31 61 82 05 18 20 0f 13  ...u.T..1a......
0010: b7 96 ae 53                                        ...S
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: be 64 51 02 7b 4c 79 13  2d d7 05 7a a4 a9 c6 24  .dQ..Ly....z....
0010: 8e e3 5c 91                                        ....
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

Certificate[4]:
Owner: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 34a97a8e
Valid from: 10/24/19 3:00 AM until: 10/21/29 3:00 AM
Certificate fingerprints:
         MD5:  FF:15:5E:9C:FB:EC:1B:0A:44:24:A1:A1:99:21:F9:CE
         SHA1: 1B:E0:06:39:0D:AF:21:D3:E3:07:B3:DF:1E:23:07:27:1B:3F:27:BB
         SHA256: 9B:6C:97:E7:AA:D1:59:3D:20:4F:4C:BE:BE:28:DA:75:5C:0E:B1:F9:7D:3C:3C:0D:C7:69:2B:58:00:F8:F7:8E
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 9f 03 75 e6 54 e2 a3  31 61 82 05 18 20 0f 13  ...u.T..1a......
0010: b7 96 ae 53                                        ...S
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]



*******************************************
*******************************************
server.p12
Keystore type: pkcs12
Keystore provider: IBMJCE

Your keystore contains 4 entries

Alias name: server
Creation date: Oct 24, 2019
Entry type: keyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=Server, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Signing CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 32410270
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  05:37:C8:39:71:5D:73:E4:F8:DE:70:8F:42:EF:26:72
         SHA1: 06:40:A2:DE:6F:AE:19:ED:86:4E:07:1B:28:B2:E5:0A:35:F9:6F:C1
         SHA256: E2:4A:9F:13:C4:08:43:58:4B:46:E2:5F:4B:B4:49:5E:A0:CD:3D:3D:A3:1A:AC:8D:D4:BF:5D:51:C7:DC:73:2F
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: c7 73 19 0c 6b 28 0f 50  2c 1d 33 53 81 58 fd 85  .s..k..P..3S.X..
0010: 98 33 e7 34                                        .3.4
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: e6 2b 3c a5 e4 75 c6 25  f8 64 af f9 81 9e a8 c5  .....u...d......
0010: 10 d9 c6 7a                                        ...z
]
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtKeyUsage [
        1.3.6.1.5.5.7.3.2       1.3.6.1.5.5.7.3.1]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[DNSName: acme.example.com, DNSName: localhost.localdomain, DNSName: localhost]]

Certificate[2]:
Owner: CN=Acme Signing CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Internal CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 7a91184c
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  31:20:15:6F:95:16:49:AD:6B:34:76:DE:72:5A:4B:CD
         SHA1: E2:74:4E:77:B8:BC:DA:19:98:D4:C9:06:DD:8B:80:DB:39:46:92:98
         SHA256: 9B:F9:E7:7B:39:01:10:62:27:3C:32:BC:0D:51:6F:57:8D:8C:57:CD:63:ED:C8:79:EC:5F:54:2E:A8:07:94:8A
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: be 64 51 02 7b 4c 79 13  2d d7 05 7a a4 a9 c6 24  .dQ..Ly....z....
0010: 8e e3 5c 91                                        ....
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: c7 73 19 0c 6b 28 0f 50  2c 1d 33 53 81 58 fd 85  .s..k..P..3S.X..
0010: 98 33 e7 34                                        .3.4
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

Certificate[3]:
Owner: CN=Acme Internal CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 7fbbe401
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  F9:BD:BB:84:4D:20:5B:12:D5:85:BB:FF:2D:7A:11:95
         SHA1: ED:76:A0:DF:E5:39:06:A1:25:DC:CD:36:F5:70:13:C9:D8:B0:00:7D
         SHA256: 13:4B:47:2A:2A:E6:4D:EE:E1:22:C1:1E:AF:EC:00:C9:BE:DC:61:8C:BC:A4:52:F8:1A:C1:4F:B6:36:47:B4:59
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 9f 03 75 e6 54 e2 a3  31 61 82 05 18 20 0f 13  ...u.T..1a......
0010: b7 96 ae 53                                        ...S
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: be 64 51 02 7b 4c 79 13  2d d7 05 7a a4 a9 c6 24  .dQ..Ly....z....
0010: 8e e3 5c 91                                        ....
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

Certificate[4]:
Owner: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 34a97a8e
Valid from: 10/24/19 3:00 AM until: 10/21/29 3:00 AM
Certificate fingerprints:
         MD5:  FF:15:5E:9C:FB:EC:1B:0A:44:24:A1:A1:99:21:F9:CE
         SHA1: 1B:E0:06:39:0D:AF:21:D3:E3:07:B3:DF:1E:23:07:27:1B:3F:27:BB
         SHA256: 9B:6C:97:E7:AA:D1:59:3D:20:4F:4C:BE:BE:28:DA:75:5C:0E:B1:F9:7D:3C:3C:0D:C7:69:2B:58:00:F8:F7:8E
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 9f 03 75 e6 54 e2 a3  31 61 82 05 18 20 0f 13  ...u.T..1a......
0010: b7 96 ae 53                                        ...S
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]



*******************************************
*******************************************


Alias name: acme root ca
Creation date: Oct 28, 2019
Entry type: trustedCertEntry

Owner: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 34a97a8e
Valid from: 10/24/19 3:00 AM until: 10/21/29 3:00 AM
Certificate fingerprints:
         MD5:  FF:15:5E:9C:FB:EC:1B:0A:44:24:A1:A1:99:21:F9:CE
         SHA1: 1B:E0:06:39:0D:AF:21:D3:E3:07:B3:DF:1E:23:07:27:1B:3F:27:BB
         SHA256: 9B:6C:97:E7:AA:D1:59:3D:20:4F:4C:BE:BE:28:DA:75:5C:0E:B1:F9:7D:3C:3C:0D:C7:69:2B:58:00:F8:F7:8E
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 9f 03 75 e6 54 e2 a3  31 61 82 05 18 20 0f 13  ...u.T..1a......
0010: b7 96 ae 53                                        ...S
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]



*******************************************
*******************************************


Alias name: acme internal ca
Creation date: Oct 28, 2019
Entry type: trustedCertEntry

Owner: CN=Acme Internal CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Root CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 7fbbe401
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  F9:BD:BB:84:4D:20:5B:12:D5:85:BB:FF:2D:7A:11:95
         SHA1: ED:76:A0:DF:E5:39:06:A1:25:DC:CD:36:F5:70:13:C9:D8:B0:00:7D
         SHA256: 13:4B:47:2A:2A:E6:4D:EE:E1:22:C1:1E:AF:EC:00:C9:BE:DC:61:8C:BC:A4:52:F8:1A:C1:4F:B6:36:47:B4:59
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 08 9f 03 75 e6 54 e2 a3  31 61 82 05 18 20 0f 13  ...u.T..1a......
0010: b7 96 ae 53                                        ...S
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: be 64 51 02 7b 4c 79 13  2d d7 05 7a a4 a9 c6 24  .dQ..Ly....z....
0010: 8e e3 5c 91                                        ....
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]



*******************************************
*******************************************


Alias name: acme signing ca
Creation date: Oct 28, 2019
Entry type: trustedCertEntry

Owner: CN=Acme Signing CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Issuer: CN=Acme Internal CA, OU=Mainframe Department, O=Acme, L=Fairfield, ST=New Jersey, C=US
Serial number: 7a91184c
Valid from: 10/24/19 3:00 AM until: 10/23/20 3:00 AM
Certificate fingerprints:
         MD5:  31:20:15:6F:95:16:49:AD:6B:34:76:DE:72:5A:4B:CD
         SHA1: E2:74:4E:77:B8:BC:DA:19:98:D4:C9:06:DD:8B:80:DB:39:46:92:98
         SHA256: 9B:F9:E7:7B:39:01:10:62:27:3C:32:BC:0D:51:6F:57:8D:8C:57:CD:63:ED:C8:79:EC:5F:54:2E:A8:07:94:8A
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: be 64 51 02 7b 4c 79 13  2d d7 05 7a a4 a9 c6 24  .dQ..Ly....z....
0010: 8e e3 5c 91                                        ....
]
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: c7 73 19 0c 6b 28 0f 50  2c 1d 33 53 81 58 fd 85  .s..k..P..3S.X..
0010: 98 33 e7 34                                        .3.4
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]



*******************************************
*******************************************
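
The server requirements listed earlier in this README (private key, server certificate, full chain up to the root CA) can be checked mechanically against a verbose listing like the ones above. The following Python script is an added example, not part of the repository; its function names and the shortened sample listings are constructed for illustration, and it compares Owner/Issuer names only, without verifying signatures.

```python
def parse_keytool_listing(text):
    """Parse `keytool -v -list` output into entries:
    {"alias": str, "type": str, "chain": [[owner, issuer], ...]}."""
    entries = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            entries.append({"alias": value, "type": None, "chain": []})
        elif not entries:
            continue  # keystore header lines before the first alias
        elif key == "Entry type":
            entries[-1]["type"] = value
        elif key == "Owner":
            entries[-1]["chain"].append([value, None])
        elif key == "Issuer" and entries[-1]["chain"]:
            entries[-1]["chain"][-1][1] = value
    return entries


def server_entry_problems(entry):
    """Return the reasons why an entry cannot serve as a TLS server identity."""
    problems = []
    if entry["type"] != "keyEntry":
        problems.append("no private key (entry type is %s)" % entry["type"])
    chain = entry["chain"]
    if not chain:
        return problems + ["no certificate"]
    # Name chaining: each certificate must be issued by the next one in the chain.
    for pos in range(len(chain) - 1):
        issuer, next_owner = chain[pos][1], chain[pos + 1][0]
        if issuer != next_owner:
            problems.append("certificate %d is issued by '%s' but certificate %d is '%s'"
                            % (pos + 1, issuer, pos + 2, next_owner))
    # The chain must end in a self-signed root (Owner equals Issuer).
    last_owner, last_issuer = chain[-1]
    if last_owner != last_issuer:
        problems.append("chain stops at '%s'; its issuer '%s' is not included"
                        % (last_owner, last_issuer))
    return problems


def check_listing(text):
    """Map every alias in a verbose listing to its list of problems."""
    return {e["alias"]: server_entry_problems(e) for e in parse_keytool_listing(text)}


# Constructed sample: shortened form of the server_one_entry.p12 listing.
FULL_CHAIN = """\
Keystore type: pkcs12
Alias name: server
Entry type: keyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=Server, O=Acme
Issuer: CN=Acme Signing CA, O=Acme
Certificate[2]:
Owner: CN=Acme Signing CA, O=Acme
Issuer: CN=Acme Internal CA, O=Acme
Certificate[3]:
Owner: CN=Acme Internal CA, O=Acme
Issuer: CN=Acme Root CA, O=Acme
Certificate[4]:
Owner: CN=Acme Root CA, O=Acme
Issuer: CN=Acme Root CA, O=Acme
"""

# Constructed sample: key entry holding only server + signing CA, root stored separately.
INCOMPLETE = """\
Alias name: server
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Server, O=Acme
Issuer: CN=Acme Signing CA, O=Acme
Certificate[2]:
Owner: CN=Acme Signing CA, O=Acme
Issuer: CN=Acme Internal CA, O=Acme

Alias name: acme root ca
Entry type: trustedCertEntry

Owner: CN=Acme Root CA, O=Acme
Issuer: CN=Acme Root CA, O=Acme
"""

if __name__ == "__main__":
    for name, text in (("FULL_CHAIN", FULL_CHAIN), ("INCOMPLETE", INCOMPLETE)):
        print(name, check_listing(text))
```

A trustedCertEntry for a CA, as in server.p12, does not extend the chain of the key entry: the second sample is reported as incomplete even though the root CA is present in the same keystore.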

Export whole certificate chain

server_one_entry.p12
zowe uss issue ssh '/usr/lpp/java/J8.0_64/bin/keytool -J-Dfile.encoding=UTF-8 -list -storetype pkcs12 -keystore server_one_entry.p12 -storepass password -alias "server" -rfc > chain.cer; cat chain.cer'
Alias name: server
Creation date: Oct 24, 2019
Entry type: keyEntry
Certificate chain length: 4
Certificate[1]:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate[2]:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate[3]:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate[4]:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
zowe uss issue ssh "csplit -f cert- chain.cer '/-----BEGIN CERTIFICATE-----/' '{3}'; rm cert-00; ls -lET cert-*"
112
1530
1432
1428
1358
t IBM-1047    T=on  -rw-r--r--  --s-  1 SDKBLD1  SYS1        1530 Oct 28 15:59 cert-01
t IBM-1047    T=on  -rw-r--r--  --s-  1 SDKBLD1  SYS1        1432 Oct 28 15:59 cert-02
t IBM-1047    T=on  -rw-r--r--  --s-  1 SDKBLD1  SYS1        1428 Oct 28 15:59 cert-03
t IBM-1047    T=on  -rw-r--r--  --s-  1 SDKBLD1  SYS1        1358 Oct 28 15:59 cert-04

Each cert-* file contains one certificate. The last one, cert-04, is the root CA.

Change password

To change the password of the keystore:

keytool -storepasswd -keystore server.p12 -storetype pkcs12
Enter keystore password: <old password>
New keystore password: <new password>
Re-enter new keystore password: <new password>
Password change successful for alias <server>
