keytools add new alias to keystor (jceks) and delete old

Java Keytool is a command-line tool that is used for managing cryptographic keys, certificates, and keystores in Java-based applications. In Linux, Java Keytool is often used for managing SSL/TLS certificates and securing web applications that run on Java-based servers like Tomcat, GlassFish, and JBoss.

Some of the key features of Java Keytool in Linux include:

  1. Generating key pairs: Java Keytool can be used to generate key pairs, which are used for encryption, decryption, and digital signatures.
  2. Importing and exporting certificates: Java Keytool can import and export certificates, which are used for verifying the authenticity of digital signatures and ensuring secure communications.
  3. Managing keystores: Java Keytool can create, modify, and delete keystores, which are containers for cryptographic keys and certificates.
  4. Configuring SSL/TLS: Java Keytool can be used to configure SSL/TLS connections for Java-based web applications, which are essential for securing data communications.

Some of the most commonly used Java Keytool commands in Linux include:

  • keytool -genkeypair: This command is used to generate a new key pair.
  • keytool -import: This command is used to import a certificate into a keystore.
  • keytool -list: This command is used to list the contents of a keystore.
  • keytool -delete: This command is used to delete a key or certificate from a keystore.

Overall, Java Keytool is an important tool for managing cryptographic keys and certificates in Java-based applications in Linux, and it is essential for securing web applications and ensuring the privacy and integrity of sensitive information.

Before we begin make copy of old keystor like this:

and then we can remove alias:

when you gonna add new alias by keytool:

To be sure, you can check it and see more information like date or fingerprint:

When sometings go wrong, you can also copy backup file.

Good luck!

Check DNS and more information about domain

The best way to check information about domain and DNS configuration is “whois” and “dig”. This tools can provide a lot of informations. Lets try use it. First we must check that package is installed.
I have already installed “dig”:

In debian, you can use “dpkg -S”

if you don’t have it then you should install:

Now we can check “dig” in “soban.pl” domain:

The same case in “whois”:

Check what package provide:

And if you don’t have it, then install:

The best way to check information about domain and DNS configuration is “whois” and “dig”. This tools can provide a lot of informations. Lets try use it. First we must check that package is installed.
I have already installed “dig”:

In debian, you can use “dpkg -S”

if you don’t have it then you should install:

Now we can check “dig” on “soban.pl” domain:

The same case in “whois”:

Check what package provide:

And if you don’t have it, then install:

As you can see, the domain “soban.pl” is currently using cloudflare DNS – which I highly recommend.

Pointing DNS to a different IP address

Sometimes it is necessary to change the DNS name indication to a different IP address. As you can see in the example below, google.com currently points to:

To change google.com indication to, for example – 37.187.101.239, edit the file: “/etc/resolv.conf” as root:

After making this change, the effect is as follows:

Windows as you see there is similar situation:

File must be edited as administrator “C:\Windows\System32\drivers\etc\hosts”:

After saving the file, the effect is as follows:

Automatic update of the Debian Linux test environment

A convenient way to maintain the test environment is automatic updating.
However, remember to set the backup, e.g. the day before – I always set it like that in proxmoxe.
The script that updates the Debian system looks like this:

You can download the script from:

The script cleans unnecessary deb files after the update.
Keep in mind the permissions and capabilities of the script:

In crontab, I set the day after automatic backup in proxmoxe:

Of course, the script can be added in the production environment, but it should not be added to the crontab.

E-mail notification about new updates Proxmox

This script send you e-mail notification about new updates:

You can download the script from:

You should set the correct e-mail address in the script, for now it is soban@soban.pl
Notification it’s looks something like that:

Should the script be executed:

Also added to the crontab, every day to extend a new update:

Remember don’t to upgrade your system on Friday! Good luck!

Upgrade Debian GNU/Linux 10 (buster) to 11 (bullseye)

Before we start upgrading the Debian system version, please make a snapshot or a possible backup of the system. Such a change entails significant changes that can damage the system. Of course, before you upgrade the system in production, it is best to upgrade to the testing environment first. The upgrade process affects the entire system. Services may not be available at this time. If the system is doing the hosting for your website then it may not be available!

Always bear in mind that the production environment is different from test environment, so I recommend that you do it carefully. A good practice is to keep a time interval between the upgrade of test and production environment, in my case it is a week. Remember not to make changes to production on Friday!

This is how we check the version of the system:

And now, we going to update OS, but before we do that – we will make copy of:

There is sorces setup for buster:

Before we upgrade the debian system version to 11, we need to do a full upgrade:

Then we use sed to replace “buster” on “bullseye”:

There here’s the effect:

To be sure, we will do a comparison of the backed up file:

And then we can do update:


So that it is not too easy, to start the task in the form of:


Specifically about this error:

To fix it, use any editor on the file (vi in ​​my case):

We remove line 4 – “deb http://security.debian.org buster/updates main contrib” as you can see, we go out and save :

Of course, any other editor like nano is also good for this case.
The contents of the /etc/apt/sources.list file now looks like this:

We can try to update the system again:

Now you need get some the system upgrade process has started. You can go for a coffee, or not 😉
There will be questions.
And more information, albout apt listchanges:

Just press ‘q’ and enter.

In this case we press enter.

Services to restart:

Enter agien.

This is question, about ssh deamon configuration:

In my case, I press enter because I don’t want to make changes to its configuration.


If all went well, we can reboot the system:

Now check the system:

Congratulations, we are on the new version of the system!
At this point, we can verify all services, for example whether the website is working properly. If it is OK, upgrade the production environment.

In my cases, I have problem PHP new version.
PHP have no persmision on nginx to user – when I try enter to page:

So we need to fix that in this way:

There is something wrong with the permissions:

Let’s make some backup:

I will replace www-data to nginx:

Now it’s looks better:

And restart services:

Also checking status:

Another problem is that, mariadb was removed, so I install it agien:

and that resolved all my problems.

To be 100% sure, I reloaded the entire machine.

nmap scaning ciphers and ssl

In debian 11:

Nmap is one of more powerfull tools to scaning network.
We start the installation on debian as root:

and than we can check for example google.com:

It’s much slower than sslscan, but result is the same (tls 1.1, 1.2 and tls 1.3).

TLS 1.0:

TLS 1.1:

TLS 1.2:

The most important thing is don’t using vulnerable ciphers, and reading output of nmap, for example in this case:
“64-bit block cipher 3DES vulnerable to SWEET32 attack” – on SWEET32 vulnerability.
When we testing external website available from internet you can use www.ssllabs.com/ssltest/ but if we have internal server nmap in this case is very good solution to use.

sslscan tool for scaning SSL

SSLScan is a command-line tool used for SSL/TLS vulnerability scanning. It is used to detect SSL/TLS vulnerabilities and weaknesses on servers that use SSL/TLS. SSLScan supports all SSL and TLS protocols and cipher suites, including new ones such as TLS 1.3.

SSLScan can be used to identify various SSL/TLS vulnerabilities, such as weak ciphers and encryption algorithms, insecure renegotiation, and Heartbleed attacks. It can also identify unsupported SSL/TLS versions and protocols, as well as expired or self-signed certificates.

SSLScan works by connecting to the target server and sending a series of SSL/TLS handshake messages to determine the supported protocols and cipher suites. It then checks for vulnerabilities and weaknesses by trying various attacks against the server, such as malformed SSL/TLS packets and invalid certificates.

SSLScan can be run from the command line and supports various options and flags to customize the scan. For example, it can be used to scan a specific port, specify the SSL/TLS version, or use a specific cipher suite.

Overall, SSLScan is a useful tool for checking SSL/TLS vulnerabilities and ensuring that servers are secure. It is commonly used by security professionals and system administrators to identify and mitigate SSL/TLS vulnerabilities on their networks.

In debian 11:

One of the best tool for scaning ssl is sslscan in Linux.
You can install on debian like this as root of course:

and than we can check for example google.com:

As you see, google use now tls 1.0, 1.1, 1.2 and 1.3: