I am trying to connect to a kafka 2.0 server using SSL. I have been provided with a Truststore file and a Keystore file and since I am using python I tried to extract the the client certificate using the command:
keytool -exportcert -alias localhost -keystore kafka.client.keystore.jks -rfc -file certificate.pem
taken from here (a similar command was provided also here). The problem is I am getting an error:
keytool error: java.lang.Exception: Alias does not exist
which I have some trouble decipher. Am I supposed to create an alias myself or I should ask for an alias from the ones provided the JKS containers? I am not really familiar with the SSL configuration so I may be missing something here.
I have also tried to check the available aliases in my machine using the command (from here):
keytool -list -keystore /etc/ssl/certs/java/cacerts -storepass changeit
but I am not sure 1) if this is the right place to search for the aliases and 2) I could not find any relevant entry there I think.
If someone can provide some instructions on how I should proceed from here it would be great.
Well, after some research I think I found a solution over this problem.
1 First I used this command to find out the aliases included in the files:
keytool -list -rfc -keystore kafka.client.keystore.jks
in my case there were 2 aliases: client and caroot. The output looks like this:
Keystore type: PKCS12
Keystore provider: XXX
Your keystore contains 2 entries
Alias name: caroot
Creation date: Sep 4, 2020
Entry type: trustedCertEntry
-----BEGIN CERTIFICATE-----
.....
where it is clear what the aliases are.
2 Then I used the proper alias in place of localhost:
keytool -exportcert -alias client -keystore kafka.client.keystore.jks -rfc -file certificate.pem
to extract the client certificate.
Related
Before I start, I have looked at 2 other questions:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
And
java.lang.Exception: Public keys in reply and keystore don't match
But I believe that the error comes in the way I am generating the csr that I submit to my provider(Digicert). I will detail my commands below, notice that this is the way our department has always done this and up till this point I can't understand why this is not working (I am also not capacitated at all to do system administration things, but this landed on me)
First - Generating the keystore
keytool -genkey -alias aliasItem -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass <password> -dname "CN=server.domain.whatever, OU=IT, O=SOME NAME, L=City ST=State C=COUNTRY" -keystore keycerts -storepass <password>
I changed the important items as you might well assume for security concerns. Afterwards:
keytool -keycerts -keyalg RSA -sigalg SHA256withRSA -v -alias aliasItem -file outputfile.csr -keystore keycerts
After I get the csr, I submit it to my provider, there is no copy/paste error in this case since I import the file directly. They provide two .crt files, one from the service provider, and one for the server i am requesting it for. After I move these files to my server and attempt to import the service provider's .crt to the keystore I get an error, this is the command I use for importing the .crt to the keystore:
keytool -import -v -alias aliasItem -file <Provider>.crt -keystore keycerts
Which outputs the error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
java.lang.Exception: Public keys in reply and keystore don't match
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2688)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1940)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:855)
at sun.security.tools.KeyTool.run(KeyTool.java:194)
at sun.security.tools.KeyTool.main(KeyTool.java:188)
I have tried changing some parts of the scripts a total of 8 times now, all using the notes and documentation provided by me with no positive results. What strikes me as odd is that this server is identical in all aspects to another one of our test servers, for which I had done this before with no issues. I am still trying to do different things to solve my issue, but due to my limited knowledge in this I believe that there has got to be something I am doing from the beginning that might be wrong.
Any input will be greatly appreciated.
The second command for generating the car seems to be incorrect because "-keycerts" is an illegal parameter. IT must be "-certreq" .
Now, the error states that the private key does not match with the certificate which you are trying to install. Kindly check the below
a) Please make sure you are trying to use the same keystore file which you used to generate the csr
b) Please check while importing you are using the correct alias name. The alias should match with the one you mentioned while generating the keystore file.
c) Please make sure you are importing the correct server certificate and not the intermediate or root. Digicert must have provided you all the three files namely, Server certificate (CN of this certificate must match with the one when you generated the csr file and this is the one which needs to be imported), Intermediate and root.
If the above steps don't work then you have to generate the new csr and keystore file and ask Digicert to Reissue the certificates. They will do it for you free of cost.
I have this certificates / files in order to enable SSL for my application:
I found out that this properties are needed for Spring Boot to enable HTTPS:
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat
but this does not work. My question now would be what do I have to do in order to get it work? https://abc.lehr.co.at should be the URL.
[EDIT]
I have created my own keystore - with this I get the following exception:
java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:596)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:534)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:739)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:472)
at org.apache.coyote.http11.Http11NioProtocol.start(Http11NioProtocol.java:81)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
My keystore looks like this:
Actually I don't know what to import into keystore for embedded tomcat (Spring Boot).
To enable SSL, you must provide a private key, and not a trusted certificate.
In your keystore, 'tomcat' should be listed as an alias for a privatekeyentry and not a trustedcertentry.
You have to pack your private keys to PFX file or P12 with specifiyng aliases. So, it will be picked up accordingly from the keyStore after loading materials.
Use this tool to figure out what alias are:
keytool -list -storetype pkcs12 -keystore my_debug_keystore.p12 -storepass debug
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat << This should be the alias of yourfile.12 if you have forgotten just create a new one and replace it>>
And dnt forget to add
security.require-ssl=true <<Tell Spring Security (if used) to require requests over HTTPS>>
I'd suggest you create your KeyStore in JKS format:
keytool -genkey -keyalg RSA -alias my_alias -keystore keystore.jks -storepass password -validity 360 -keysize 2048
then add the configuration:
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.jks
server.ssl.key-store-password=****
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my_alias
First you may convert your .pem file to a DER and then generate a keystore.
See https://stackoverflow.com/a/13992135/16358980 how to do this.
In your application.properties, change key-store property to your generated keystore file:
server.ssl.key-store=<your-generated-keystore>
I have problem configuring SSL on tomcat 7 (7.0.10) here I am using Thawte SGC Certificate , please read below description carefully help me out .
I have followed below step
1)Generated key using below command
keytool -genkey -keysize 2048 -alias test_self_certificate -keyalg RSA -keystore test_self_certificate.jks -validity 730
this command generated “test_self_certificate.jks” file in current folder
2)This generated CSR using below command
keytool -certreq -alias test_self_certificate -file my_application.csr -keystore test_self_certificate.jks
this command generated “my_application.csr” file in current folder
3)Then I have submitted this CSR to Thawte and got certificate from them in PKCS#7 format , I have copied that certificate text in notepad and saved that file as “signed_certificate.p7b”
4)Then i created New JKS keystore and imported certificate received from Thawte using below command
keytool -import -alias signed_cert -trustcacerts -file signed_certificate.p7b -keystore tomcat_application.jks
this command generated “tomcat_application.jks” file in current folder
5)I have update tomcat server.xml as below ( I have provided correct .jks file path and keystore password )
<Connector port="8001" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/export/home/parsupport/Tomcat_certs/ tomcat_application.jks " keystorePass="parlive" clientAuth="false" sslProtocol="TLS" />
6)After this change when I start Tomcat I get below Exception and tomcat does not start with SSL
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:774)
Important Note : but if I import certificate received from Thawte in keystore (test_self_certificate.jks -- mentioned as first step above) that I have created to generate KeyPair and CSR , and use that keystore to configure tomcat (as described in step 6 as above ) then Tomcat start in SSL mode but when in try to launch HTTPS URL I get untrusted certificate warning .
keytool -genkey -keysize 2048 -alias test_self_certificate [...]
Here, -genkey generates a public/private key pair and stores in into the "test_self_certificate" alias entry, thereby making this a private key entry. (If you use keytool -list, you'll see some private key entries and some certificate entries). -genkey also generates a self-signed certificate to associate with this private key automatically (this is also how the public key is effectively stored by default).
keytool -import -alias signed_cert [...]
If you get a certificate issued for a private key that is stored in a keystore, you need to store this certificate against the right private key entry, not just any entry. Here, you should have used -alias test_self_certificate instead (which may also mean that it wasn't the best choice of alias name, but that's just a detail).
(In some cases, you may also need to make sure you import the full chain.)
I have a webstart application where I want to do client authentication while connecting to the server. I have created pkcs12 certificate which I install using certmgr.exe and it works fine.
I want to do for every client that uses the application. How should I do this? If I distribute the certificate
I get a bad_certificate error. I know there isn't a problem with the certifcate because it would work if you install the certificate using the browser.
I had created the public key using
keytool -export -alias myKey -keystore abc.p12" -storetype PKCS12 -storepass mypassword -rfc -file abc.cer
then I imported this file into my server's keystore for mutual authentication using:
keytool -import -v -file abc.cer -keystore C:\apache-tomcat-7.0.26\tomcat.keystore" -storepass mypassword
after this, if I install abc.p12 certificate in certmgr, it works fine.
To be able to do it from Java, I needed a truststore. I created a truststore where I import the public key using
>keytool -import -keystore client-truststore.jks -file abc.cer
If I try to access the server using
-Djavax.net.ssl.keyStore=abc.p12
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.trustStore=trustore.jks
-Djavax.net.ssl.trustStorePassword=mypassword
I'm not sure if I'm doing the right thing. Please let me know what you think.
What should I be doing? Please let me know your suggestions.
You should have imported it into your server's trust store, not its keystore.
You have to import the cert to your certs file, in the JDK is the cacerts file. After do that you have to view the cert is living on the file, and you will have do that on every client.
The thing about the trust store is that you create your own JKS file.
I am trying to enable two way ssl authentication between Apache Ace and management agent(by following the document http://ace.apache.org/dev-doc/design/using-client-certificates.html). To achieve this , first of all i created the required certificates by following the steps mentioned below:
Step#1) Created a self-signed certificate authority using OpenSSL by excecuting the command below:
openssl req -x509 -new -config Certi/X509CA/openssl.cnf -days 365 -out Certi/X509CA/ca/new_ca.pem -keyout Certi/X509CA/ca/new_ca_pk.pem
This command created a certificate new_ca.pem and its private key new_ca_pk.pem.
Step#2) Imported the certificate new_ca.pem to keystore file named truststore by using following command
keytool -import -alias truststore -keystore truststore -file new_ca.pem
Step#3) Created certificate for the management agent, available in a Java keystore file, called keystore-ma.jks.
keytool -genkey -dname "CN=<hostIP>, OU=IT, O=<Organization Name>, ST=UP, C=IN" -validity 365 -alias keystore-ma -keypass secret -keystore keystore-ma.jks -storepass secret
Step#4) Created a CSR:
keytool -certreq -alias keystore-ma -file keystore-ma_csr.pem -keypass secret -keystore keystore-ma.jks -storepass secret
Step#5) Signed the certificate using the certificate authority created in Step 1.
openssl ca -config X509CA/openssl.cnf -days 365 -cert C:/X509CA/ca/new_ca.pem -keyfile C:/X509CA/ca/new_ca_pk.pem -in C:/X509CA/ca/keystore-ma_csr.pem -out C:/X509CA/ca/keystore-ma.pem
Step#6) Imported the certificate in a kestore file named keystore-ma
keytool -import -alias keystore-ma -keystore keystore-ma -file keystore-ma.pem
Similar steps(3-6) were followed to create and sign the cetificate or the ACE server, available in a Java keystore file, called keystore-server.
Then i updated the Platform.properties of Ace Server to include the additional properties and started Ace Server:
-Dorg.osgi.service.http.port.secure=8443
-Dorg.apache.felix.https.enable=true
-Dorg.apache.felix.https.truststore=/path/to/truststore
-Dorg.apache.felix.https.truststore.password=secret
-Dorg.apache.felix.https.keystore=/path/to/keystore-server
-Dorg.apache.felix.https.keystore.password=secret
-Dorg.apache.felix.https.clientcertificate=needs
Started ace-launcher.jar with the following command:
java -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=secret -Djavax.net.ssl.keyStore=/path/to/keystore-ma -Djavax.net.ssl.keyStorePassword=secret -jar org.apache.ace.launcher-0.8.1-SNAPSHOT.jar discovery=https://<Ace Server Ip>:8443 identification=MyTarget
i tried multiple times by changing the discovery url to
1) https://<Ace Server Ip>:8080
2) http://<Ace Server Ip>:8080
3) https://<Ace Server Ip>:8443
But the target was not registered in the Ace Server. Am i using the correct URLs to connect to Ace server through HTTPS?
Also how to confirm if my Ace Server is configured to accept HTTPS traffic from the management agent?
I see you use a distinguished name (DN) with more than only a common name.
By convention, the hostname as common name is used for certificate validation. It should work if you create a certificate with CN=hostname-of-target (IP address is not sufficient).
Another hint I can give you for troubleshooting SSL errors: use -Djavax.net.debug=ssl for the server, it will spit out lots of information, but gives detailed information on what is going on and what causes the error.