Thursday, July 21, 2016

Import SSL certificate into JAVA keystore

 Generally speaking, when you want to enable SSL on a web server, you will have the following files in hand:
  • the private key used for the SSL certificate signing request
  • the signed SSL certificate
  • the Root CA certificate
  • the Intermediate CA certificate (optional)
To import a trusted certificate into a Java keystore, I think creating a new keystore and replacing the original one seems like a good practice.

I believe you already know how to import the Root CA and intermediate CA certificates as trustcacerts into the keystore.

However, if you import only the signed SSL certificate without the private key, the entry will be treated as a "trustedCertEntry" instead of a "PrivateKeyEntry".

The Tomcat server will start and listen on port 443 but will refuse to serve connections.

Therefore we need to use openssl to combine the signed SSL certificate and the private key into a PKCS12 file.

Then import the PKCS12 format entry into the keystore.


openssl pkcs12 -export -in FQDN.crt -inkey private-ssl.key -certfile FQDN.crt -out FQDN.p12 -name tomcat
keytool -importkeystore -srckeystore FQDN.p12 -srcstoretype pkcs12 -destkeystore mynew_keystore -destalias tomcat -alias tomcat

The check point is that the signed SSL certificate and private key should be shown as a "PrivateKeyEntry" instead of a "trustedCertEntry" in the keystore.

You can use the command below to check that the certificate entries are correct.
keytool -list -keystore mynew_keystore
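
The check above can be scripted so that a deployment stops when the alias has the wrong entry type. This is an added example, not part of the original post: the function names and the two sample listings are constructed, and it assumes keytool's default (non-verbose) listing layout.

```shell
#!/bin/sh
# Added example: gate a deployment on the keystore entry type of the TLS alias.
# The two listings below are constructed samples of `keytool -list` output.
SAMPLE_GOOD='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

rootca, Jul 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33 (constructed)
tomcat, Jul 21, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:55:66:77 (constructed)'

# Same alias when only the signed certificate was imported, without its key.
SAMPLE_BAD='Your keystore contains 1 entry

tomcat, Jul 21, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 44:55:66:77 (constructed)'

# entry_type ALIAS: read a keytool listing on stdin, print ALIAS's entry type.
# The date field is locale dependent, so only the first and last fields are used.
entry_type() {
    awk -F', *' -v want="$1" '
        { sub(/,[ \t]*$/, "") }                # drop the trailing comma
        NF >= 3 && $1 == want { print $NF; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# check_tls_alias ALIAS: 0 = PrivateKeyEntry, 1 = wrong type, 2 = alias missing.
check_tls_alias() {
    etype=$(entry_type "$1") || { echo "FAIL: alias '$1' not found" >&2; return 2; }
    case "$etype" in
        PrivateKeyEntry) echo "OK: '$1' is a PrivateKeyEntry" ;;
        *) echo "FAIL: '$1' is a $etype, so there is no private key under it" >&2
           return 1 ;;
    esac
}

# Real use (keystore name from the post; keytool prompts for the password):
#   keytool -list -keystore mynew_keystore | check_tls_alias tomcat || exit 1
printf '%s\n' "$SAMPLE_GOOD" | check_tls_alias tomcat
printf '%s\n' "$SAMPLE_BAD"  | check_tls_alias tomcat || true
```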


Is there a better, easier way to import your signed SSL certificate?
Let's see if there are further updates later. :p


automation testing




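I think the arguments in "Thinking About Automated Testing - Getting Started (Part 1)" are quite good....

Principle 1: For key business functions, run automated regression tests.
Principle 2: For stable business functions (or interfaces), when the environment is relatively stable, investing in script development early helps reduce later maintenance costs.
Principle 3: Automated testing is mainly there to ensure that the main functions are complete and usable, not to find more defects.
Principle 4: Automated testing does not reduce the labor cost of testing; its purpose is to speed up test feedback and improve test quality.
Principle 5: Stop having illusions about record-and-playback, and visualization is not a good idea either.
Principle 6: Have developers take part in automated testing, so that development and testing merge together.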


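If you try to do everything, you will do nothing well.

Once you make sure the main functions have no problems, you can free up people for other things,
and you can also limit the scope of damage from surprises…

Never expect automation to find new problems…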