security

Configure OpenLDAP sudo Rules with SSSD on RHEL Family

Configure OpenLDAP sudoRole policies with SSSD on RHEL, Rocky Linux, AlmaLinux, Oracle Linux, and CentOS Stream clients.

Deepak Prasad17 min read
troubleshooting

Fix OpenLDAP Invalid Credentials Error 49

Fix OpenLDAP Error 49 for wrong bind DNs, passwords, userPassword ACLs, locked accounts, expired passwords, SSSD cache, PAM, and SSH authentication.

Deepak Prasad17 min read
troubleshooting

Fix OpenLDAP Insufficient Access Error 50

Fix OpenLDAP Error 50 for ldapadd, ldapmodify, ldapdelete, password changes, cn=config, and no-write-access-to-parent ACL failures.

Deepak Prasad24 min read
security

Configure OpenLDAP Password Policy with ppolicy

Configure OpenLDAP ppolicy for password expiration, warnings, history, account lockout, grace logins, forced resets, and SSSD client behavior.

Deepak Prasad23 min read
security

OpenLDAP ACL Configuration with Practical Examples

Configure OpenLDAP olcAccess ACLs for passwords, users, groups, SSSD, entry and children permissions, with safe testing and rollback.

Deepak Prasad26 min read
system-administration

Configure OpenLDAP Client with SSSD on RHEL-Based Linux

Configure OpenLDAP client authentication with SSSD, authselect, StartTLS, and automatic home directories on RHEL, Rocky Linux, AlmaLinux, Oracle Linux, and CentOS Stream.

Deepak Prasad15 min read
security

Configure OpenLDAP TLS on RHEL-Based Linux

Configure OpenLDAP TLS on RHEL, Rocky Linux, AlmaLinux, Oracle Linux, and CentOS Stream using a private CA, StartTLS, LDAPS, and cn=config.

Deepak Prasad21 min read
linux

Fix curl SSL Certificate Problem Behind Corporate Proxy on Linux

Fix curl error 60 and similar HTTPS failures on Linux when corporate SSL inspection replaces public certificates with a private root CA trusted on Windows but missing from the Linux trust store.

Deepak Prasad13 min read
linux

SSH Authentication Methods in sshd_config (Password, Public Key, PAM)

Configure OpenSSH authentication in sshd_config: password, public key, keyboard-interactive, host-based, GSSAPI, AuthenticationMethods, and Match blocks on Linux.

Deepak Prasad12 min read
security

How to View a Certificate with OpenSSL (PEM, CER, Chain, Bundle)

Use OpenSSL to view PEM, CRT, CER, chain, bundle, PFX, and P7B certificates. Check expiry, SAN, fingerprint, remote TLS certs, and verify chains.

Deepak Prasad12 min read
security

Automate keytool Certificate Import in Bash Safely

Back up a PKCS12 truststore, check the keytool alias and SHA-256 fingerprint, import a CA only when missing, and exit cleanly for Ansible, systemd, and CI pipelines.

Deepak Prasad7 min read
security

Keytool & Java Keystore Tutorial for Beginners

Complete keytool tutorial for Java keystores and truststores - generate PKCS12 keys, import CA-signed chains, automate truststore imports with Bash, sign and verify JAR files with jarsigner, build mTLS keystores and …

Deepak Prasad1 min read
security

Sign and Verify a JAR File with keytool and jarsigner

Create a code-signing keypair with keytool, sign a sample JAR with jarsigner, verify the signature, and read the PKIX chain warnings jarsigner prints for a self-signed certificate.

Deepak Prasad9 min read
security

Create Java mTLS Keystore and Truststore with keytool

Create Java mTLS keystore and truststore files with keytool and OpenSSL, then run a mutual TLS HttpsServer lab that fails without a client cert and succeeds.

Deepak Prasad11 min read
security

How to Configure Java javax.net.ssl.trustStore and keyStore Properties

Set javax.net.ssl.trustStore and keyStore JVM properties after building a PKCS12 file with keytool: property names, -D flags, JAVA_TOOL_OPTIONS, and a lab that fails without trustStore then succeeds.

Deepak Prasad9 min read
security

How to Import Certificates into App-Specific Java Truststores

Fix PKIX after importing into the wrong cacerts. Find the Java truststore your app actually uses, including bundled JRE cacerts, and import with keytool.

Deepak Prasad10 min read
security

Renew or Replace an Expired Certificate in an Existing Java Keystore

Renew an expired TLS certificate in an existing Java PKCS12 keystore by checking expiry with keytool -list -v, exporting a CSR from the same alias, and importing the CA-signed reply without deleting the private key.

Deepak Prasad8 min read
security

Fix keytool Invalid keystore format Error

Fix keytool Invalid keystore format by matching JKS or PKCS12 storetype to the file, avoiding PEM certificates as keystores, and repairing empty or corrupt keystore paths.

Deepak Prasad9 min read
security

Add Java Truststore in Docker and Kubernetes Using keytool

Build a custom PKCS12 Java truststore with keytool for Docker and Kubernetes: RUN importcert in the image, set JAVA_TOOL_OPTIONS with trustStoreType=PKCS12, or use an initContainer with a mounted CA Secret and emptyDir …

Deepak Prasad9 min read
security

How to Find the Correct Java cacerts File Used by an Application

Find which Java cacerts file your application actually uses: compare JAVA_HOME, java.home, bundled JRE paths, and javax.net.ssl.trustStore overrides before importing a CA certificate.

Deepak Prasad10 min read
security

Fix Java No Subject Alternative Names Present with keytool

Fix Java No subject alternative names present by adding DNS and IP SAN entries with keytool -ext SAN so the certificate matches the hostname or IP clients use.

Deepak Prasad9 min read
security

Fix keytool Failed to establish chain from reply

Fix keytool Failed to establish chain from reply by importing missing intermediate and root CA certificates before the server reply, using the correct keystore alias, or importing a complete PKCS7 chain bundle.

Deepak Prasad10 min read
security

Fix keytool Certificate not imported, alias already exists

Fix keytool Certificate not imported, alias already exists by listing aliases, deleting or renaming the old entry, and re-importing to the correct keystore with a unique alias.

Deepak Prasad7 min read
security

Fix keytool Error: Input not an X.509 certificate

Fix keytool Input not an X.509 certificate by importing valid PEM, DER, or supported certificate-chain input instead of HTML, private keys, PFX files, or malformed PEM.

Deepak Prasad9 min read
security

Fix java.security.UnrecoverableKeyException: Cannot recover key

Fix java.security.UnrecoverableKeyException: Cannot recover key by aligning keystore and private key passwords in Tomcat, Spring Boot, and KeyManagerFactory.

Deepak Prasad7 min read
security

Fix Java keytool Keystore Was Tampered With or Password Was Incorrect

Fix keytool Keystore was tampered with, or password was incorrect by checking storepass, file path, JKS vs PKCS12, cacerts, import passwords, and corruption.

Deepak Prasad9 min read
security

Configure Spring Boot HTTPS with keytool Keystore and Truststore

Enable Spring Boot HTTPS on port 8443 with a PKCS12 keystore from keytool, set server.ssl.key-store in application.properties, add an optional truststore for private CAs, and verify with Java HttpClient.

Deepak Prasad8 min read
security

Configure Tomcat SSL Certificate with keytool Keystore

Enable Tomcat 10 HTTPS on port 8443 with a PKCS12 keystore from keytool: import the CA chain before the server certificate, set certificateKeystoreFile in server.xml, and verify the TLS handshake.

Deepak Prasad7 min read
security

Fix Java PKIX Path Building Failed Using keytool Truststore

Fix javax.net.ssl.SSLHandshakeException PKIX path building failed by importing your private CA chain into a PKCS12 truststore with keytool, then point the JVM at it with javax.net.ssl.trustStore — without editing …

Deepak Prasad10 min read
security

Create a CSR with keytool and Import a CA-Signed Certificate

Generate a private key with keytool -genkeypair, build a CSR with -certreq, sign it with a local OpenSSL CA, and replace the self-signed entry using -importcert on the same alias.

Deepak Prasad8 min read