Import a pfx certificate file or read its data to get Token for API

Hi Guys,

I have an API which is accessible with an individual token. In order to generate it I need to call another API which in its first step (GET) uses certificate file information on my machine (pfx file)… Using the Postman app I just import the certificate file and it works perfectly… but in KNIME I guess there is no way to import this file… I was wondering if there is even a way to get the certificate information (token) in order to provide it in parameters.
Is it possible?

Tks.

Hi @rafaelfre1,

The easiest way would be to import the pfx certificate directly to the Java keystore of the KNIME Analytics Platform.

keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME

The keystore of the KNIME Analytics Platform is located at

<knime-folder>/plugins/org.knime.binary.jre.<..>/jre/lib/security/cacerts

The password to access the keystore file cacerts is “changeit”.

After adding the certificate to the cacerts you should be able to use the GET Request Node to access your API.

Please find more on the topic here under Client Configuration.

Best,
Michael

4 Likes

Tks Michael, I have done as you said, and it looks like the certificate import works:

but I got a warning message above. Even with this message, I ran a certificate list from that cacerts file and my certificate is now there…

So I went to my AP and ran my GET request, and I got this result in the body results:

“Error: error_outline
Could not get client certificate.”

Shouldn’t I apply the command that the warning mentioned?

tks.

Hi @rafaelfre1,

I am sorry, I have given you the instructions to add your certificate to the cacerts, which acts as a truststore. But you have to add this to a new keystore instead (as there is none present by default), import your certificate, and add this keystore to the knime.ini after the -vmargs line via the following lines:

-Djavax.net.ssl.keyStore=/path/to/keystore
-Djavax.net.ssl.keyStorePassword=MYPASSWORD

Then it should work.

Best,
Michael

2 Likes

Tks, Michael… just to clarify, I need to create a new keystore like cacerts and import my pfx certificate into it, right?
Then I need to point the first command line to the created keystore, not to my pfx certificate, right?

Yes, there is a difference between truststore (here: cacerts) and a keystore. The first is to store trusted server certificates, the latter contains your own certificates to authenticate yourself.

The right way would be creating a keystore, import of your pfx certificate and then configure the KNIME Analytics Platform to use the keystore with the mentioned two lines in the knime.ini.

Edit: The format of the keystore can be either jks or pkcs12.

Best,
Michael

2 Likes

Hi Michael,
Unfortunately, I have the same error: “Could not get client certificate.”

Just to describe what I did… I generated an empty keystore using the Java keytool located in the jre/bin folder of my KNIME AP installation with the following code:

keytool -genkey -alias foo -keystore NAMEKEYSTORE.jks

Then I imported my pfx certificate file into this keystore using:

keytool -importkeystore -srckeystore MYPFXFILEPATH -srcstoretype pkcs12 -destkeystore NAMEKEYSTORE.jks -deststoretype JKS

Then I set up knime.ini as follows:

get request parameters:

@rafaelfre1 Can you list the certificates within the keystore you created after importing the pfx?

keytool -v -list -keystore NAMEKEYSTORE.jks

I found another article/post about first converting the pfx to a JKS, then importing that jks into your created jks. Maybe the extra step is what is needed?

2 Likes
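Added example (not part of the thread and not KNIME's own tooling): a shell check for the two things the replies above ask about, namely that the keystore listed by `keytool -v -list` holds a PrivateKeyEntry rather than only trusted certificates, and that the `javax.net.ssl.keyStore` lines sit after `-vmargs` in knime.ini. The function names and all sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample text below is constructed, not taken from the thread.

# Count PrivateKeyEntry items in `keytool -v -list` output read from stdin.
# Client authentication needs at least one; trusted certificates show up
# as trustedCertEntry and carry no private key.
count_private_keys() {
    grep -c '^Entry type: PrivateKeyEntry' || true
}

# Print the value of -Djavax.net.ssl.<name>= from knime.ini text on stdin,
# but only when the line comes after -vmargs (lines before it are launcher
# arguments, not JVM options). Prints nothing if absent or misplaced.
vmarg_value() {
    awk -v key="-Djavax.net.ssl.$1=" '
        { sub(/\r$/, "") }                      # tolerate Windows line endings
        $0 == "-vmargs" { seen = 1; next }
        seen && index($0, key) == 1 { print substr($0, length(key) + 1) }'
}

# $1 = keytool listing text, $2 = knime.ini text; returns 0 when both checks pass.
check_setup() {
    n=$(printf '%s\n' "$1" | count_private_keys)
    ks=$(printf '%s\n' "$2" | vmarg_value keyStore)
    [ "$n" -ge 1 ] || { echo "no PrivateKeyEntry in keystore"; return 1; }
    [ -n "$ks" ] || { echo "keyStore option missing or placed before -vmargs"; return 1; }
    echo "ok: $n private key entries, keyStore=$ks"
}

KEYSTORE_LISTING='Alias name: foo
Entry type: PrivateKeyEntry

Alias name: imported-pfx-alias
Entry type: PrivateKeyEntry'
TRUSTSTORE_LISTING='Alias name: some-root-ca
Entry type: trustedCertEntry'
GOOD_INI='-startup
plugins/launcher-placeholder.jar
-vmargs
-Xmx2048m
-Djavax.net.ssl.keyStore=/path/to/keystore
-Djavax.net.ssl.keyStorePassword=MYPASSWORD'
BAD_INI='-Djavax.net.ssl.keyStore=/path/to/keystore
-vmargs
-Xmx2048m'

check_setup "$KEYSTORE_LISTING" "$GOOD_INI"
check_setup "$TRUSTSTORE_LISTING" "$GOOD_INI" || true
check_setup "$KEYSTORE_LISTING" "$BAD_INI" || true
```

To run it on a real setup, pipe `keytool -v -list -keystore NAMEKEYSTORE.jks` into `count_private_keys` and feed the contents of knime.ini to `vmarg_value keyStore`. Note that `keytool -genkey -alias foo` itself creates a key pair, so a keystore built that way lists `foo` as a PrivateKeyEntry alongside the imported one.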

Hi @jeffgullick-knime,

below the list of certificates in my key store:

About your last question, I read in this article that no “direct conversion” is possible, so the suggestion is to import the pfx file into a jks keystore: How to convert PFX to JKS file using Keytool? (javahowtos.com). This other one says the same: How to Convert a PFX keystore file to JKS using Java keytool? (broadcom.com)

I was thinking, in Postman when we import a certificate we provide a host and a port in addition to the certificate file, while in this procedure in KNIME we are providing only the certificate within the Java keystore. Maybe there is some missing information in this procedure?

Postman import certificate screen:

tks for the help.

Have you tried pointing KNIME to use the rapKeystore.jks?

In the knime.ini you can add the following properties, with your information, which will tell KNIME to use your jks file, and not the included cacerts file.

-Djavax.net.ssl.trustStore=
-Djavax.net.ssl.trustStorePassword=
****optional
-Djavax.net.ssl.trustStoreType=

You can test if this works for you, and if so, then merging the keystore may be beneficial, as we provide a bunch of trusted certs and CA’s in the default cacerts file.

-Jeff

2 Likes

Hi Jeff, sorry for the response delay…

I am a little bit confused by this last suggestion, because in his first responses to my question Michael told me to import my pfx file into the cacerts truststore within the KNIME AP installation; I did that import and got the same error I have now (third message of this post). Then he told me that the correct procedure is to import this pfx file into a keystore, not a truststore. That’s why I am a little bit confused by your suggestion.

But anyway, I did what you said: I added those two command lines to point to it as a trustStore, but I got the same error. Please, could you check if I made some mistake in the knime.ini file?

tks for your help
