I am trying to test SSL with a spring boot app running on my personal computer. I generated a PKCS12 certificate using keytool with the following parameters.
CN = localhost:8080
OU = localhost:8080
O = localhost:8080
L = Galle
S = Galle
C = LK
I configured my app to use this certificate and installed this self signed certificate in to my chrome browser.
When I attempt to access my API endpoint (https://localhost:8080/api/meta/divisions) using the chrome extension Advanced REST client, I am receiving an error saying
Certificate is invalid for given domain
Certificate presented to the app has different CN (common name) than the domain of the request.
What is the reason for this error, how can I fox this?
This was fixed when using 127.0.0.1 as CN and filling a SAN extension when generating the self signed certificate.
I tried to reproduce the same behaviour and initially my chrome also blocked the page. It looks like google is not allowing localhost:8080 as CN name.
If you try the following command:
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=abcd,OU=efgh,O=ijkl,C=Galle" -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -keystore identity.jks -storepass secret -keypass secret -deststoretype pkcs12
Add the following spring properties to your application with your own values:
server:
port: 8443
ssl:
enabled: true
key-store: classpath:identity.jks
key-password: secret
key-store-password: secret
Export the certificate from the keystore and added to your machine or chrome and it should work. To extract the certificate you can use the following command:
keytool -exportcert -keystore identity.jks -storepass secret -alias server -rfc -file server.cer
Could you retry it with the steps above?
Related
I am trying to setup 2 way ssl authentication. My requirement is broker should authenticate only specific clients.
My organization has a CA which issue all certificates in pkcs12 format. steps i followed are as follows.
get a certificate for the broker and configured it in the broker keystore
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
ssl.client.auth=required
get a certificate for the client and configured it in the client keystore
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
extracted the public certificate from the client certificate using keytool command
keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
imported the certificate into broker truststore. broker truststore contains only the client 12345 certificate.
keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
configured the truststore in the broker.
ssl.truststore.location=/home/kafka/truststore.p12
ssl.truststore.password=xxxxx
configured the truststore in client. client truststore contains CA certificates.
ssl.truststore.location=/etc/pki/java/cacerts
ssl.truststore.password=xxxxx
When i run the broker and client i expect the broker to authenticate the client and establish ssl connection. but instead following error is thrown.
[2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake message: server_hello
I tried various things but nothing seems to work. when i replace the broker truststore with /etc/pki/java/cacerts truststore file which contains only the CA certificate
then it works fine. but it will authenticate any client which has certificate issued by the CA.
what could be the issue ?
The default format is jks,
use keytool to create a Java KeyStore (JKS) with the certificate and key for use by Kafka. You'll be prompted to create a new password for the resulting file as well as enter the password for the PKCS12 file from the previous step. Hang onto the new JKS password for use in configuration below.
$ keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12 -alias myserver.internal.net
Note: It's safe to ignore the following warning from keytool.
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12"
I have installed Nexus Repository Manager OSS 3.0.2-02 on my CentOS Linux release 7.4.1708.
Also I have CA certificate:
Issued to: \*.mycompany.com
Issued by: Go Daddy Secure Certificate Authority - G2
Valid from 2016-11-12 to 2018-01-11
The RSA private key match with my CA certificate, which was checked with Certificate Key Matcher and reported:
The certificate and private key match!
In Nexus3 directory I made the following changes:
Added to the file org.sonatype.nexus.cfg the lines:
nexus-args=${karaf.etc}/jetty.xml,${karaf.etc}/jetty-http.xml,${karaf.etc}/jetty-requestlog.xml,${karaf.etc}/jetty-https.xml
application-port-ssl=8443
Added to jetty-https.xml file next lines:
KeyStorePath /ssl/test.jks
KeyStorePassword 123456
KeyManagerPassword 123456
TrustStorePath ssl/test.jks
TrustStorePassword 123456
Created SSL directory in $NEXUS_HOME/etc/ and created inside the SSL directory a Java keystore file test.jks with command:
openssl pkcs12 -export -in mycompany.com.pem -inkey key.pem -name xxx.mycompany.com -out test.pks
keytool -importkeystore -deststorepass 123456 -destkeystore test.jks -srckeystore test.pks -srcstoretype PKCS12
keytool -import -alias bundle -trustcacerts -file gd_bundle.crt -keystore test.jks
After Nexus restart I can't not reach it by URL //xxx.mycompany.com:8443. Firefox says:
The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified
Also trying to do: docker login xxx.mycompany.com:8443 and providing default admin:admin:123 credentials cause:
Error response from daemon: Get xxx.mycompany.com:8443/v1/users/:
x509: certificate signed by unknown authority
I also try to chain certificates by various scenarions from Google, including How to add certificate chain to keystore?, but got error on Docker:
Error response from daemon: Get //xxx.mycompany.com:8443/v1/users/: EOF
on Firefox, the same as first time and on Chrome:
//xxx.mycompany.com unexpectedly closed the connection
Question: Where is my mistake, or how to correctly install CA certificate on Nexus3?
I've found the resolution. Just needed to set in jetty-https.xml next lines:
<Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
<Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
I am trying to enable two way ssl authentication between Apache Ace and management agent(by following the document http://ace.apache.org/dev-doc/design/using-client-certificates.html). To achieve this , first of all i created the required certificates by following the steps mentioned below:
Step#1) Created a self-signed certificate authority using OpenSSL by excecuting the command below:
openssl req -x509 -new -config Certi/X509CA/openssl.cnf -days 365 -out Certi/X509CA/ca/new_ca.pem -keyout Certi/X509CA/ca/new_ca_pk.pem
This command created a certificate new_ca.pem and its private key new_ca_pk.pem.
Step#2) Imported the certificate new_ca.pem to keystore file named truststore by using following command
keytool -import -alias truststore -keystore truststore -file new_ca.pem
Step#3) Created certificate for the management agent, available in a Java keystore file, called keystore-ma.jks.
keytool -genkey -dname "CN=<hostIP>, OU=IT, O=<Organization Name>, ST=UP, C=IN" -validity 365 -alias keystore-ma -keypass secret -keystore keystore-ma.jks -storepass secret
Step#4) Created a CSR:
keytool -certreq -alias keystore-ma -file keystore-ma_csr.pem -keypass secret -keystore keystore-ma.jks -storepass secret
Step#5) Signed the certificate using the certificate authority created in Step 1.
openssl ca -config X509CA/openssl.cnf -days 365 -cert C:/X509CA/ca/new_ca.pem -keyfile C:/X509CA/ca/new_ca_pk.pem -in C:/X509CA/ca/keystore-ma_csr.pem -out C:/X509CA/ca/keystore-ma.pem
Step#6) Imported the certificate in a kestore file named keystore-ma
keytool -import -alias keystore-ma -keystore keystore-ma -file keystore-ma.pem
Similar steps(3-6) were followed to create and sign the cetificate or the ACE server, available in a Java keystore file, called keystore-server.
Then i updated the Platform.properties of Ace Server to include the additional properties and started Ace Server:
-Dorg.osgi.service.http.port.secure=8443
-Dorg.apache.felix.https.enable=true
-Dorg.apache.felix.https.truststore=/path/to/truststore
-Dorg.apache.felix.https.truststore.password=secret
-Dorg.apache.felix.https.keystore=/path/to/keystore-server
-Dorg.apache.felix.https.keystore.password=secret
-Dorg.apache.felix.https.clientcertificate=needs
Started ace-launcher.jar with the following command:
java -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=secret -Djavax.net.ssl.keyStore=/path/to/keystore-ma -Djavax.net.ssl.keyStorePassword=secret -jar org.apache.ace.launcher-0.8.1-SNAPSHOT.jar discovery=https://<Ace Server Ip>:8443 identification=MyTarget
i tried multiple times by changing the discovery url to
1) https://<Ace Server Ip>:8080
2) http://<Ace Server Ip>:8080
3) https://<Ace Server Ip>:8443
But the target was not registered in the Ace Server. Am i using the correct URLs to connect to Ace server through HTTPS?
Also how to confirm if my Ace Server is configured to accept HTTPS traffic from the management agent?
I see you use a distinguished name (DN) with more than only a common name.
By convention, the hostname as common name is used for certificate validation. It should work if you create a certificate with CN=hostname-of-target (IP address is not sufficient).
Another hint I can give you for troubleshooting SSL errors: use -Djavax.net.debug=ssl for the server, it will spit out lots of information, but gives detailed information on what is going on and what causes the error.
I am using self signed certificate for HTTPS connection to and from Axis2 server. All of these connections works fine and as desired.
There is a part in my web service which is responsible for sending emails. I am using GMail for the purpose of sending mail.
The problem is when I try to send a mail using an SSL connection I get certificate error, i.e. GMail certificate is not trusted. I had faced a similar problem with JBoss as well. For once I was able to get around this problem downloading GMail certificate and than importing it into the Keystore using Keytool utility. For a long time this had worked.
But only recently I have started to get the Old problem again. I tried to use the old technique that fixed the problem last time, but this time that did not work. (not sure why)
I reckon that GMail uses a signed certificate which out of the box should be trusted by any of the servers, let it be JBoss or Axis2. I fail to figure out what the problem actually is. Is it because of using of Self Signed certificate? Or are there any specific way of creating it so that the Signed certificates are trusted?
Thanks for the help.
To have a SSL encrypted Server/Client communication we need to Keystores and Truststore for Server & Client. Following are the steps to create them.
#Creating Server keystore and exporting a certificate
keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass changeit -keypass changeit -dname "CN=test.com, OU=Test, O=Test, L=London, ST=London, C=UK"
keytool -export -alias serverkeys -keystore server.keystore -storepass changeit -file server.cer
#Creating Client keystore and exporting a certificate
keytool -genkey -alias clientkeys -keyalg RSA -keystore client.keystore -storepass changeit -keypass changeit -dname "CN=test.com, OU=test, O=test, L=London, ST=London, C=UK"
keytool -export -alias clientkeys -keystore client.keystore -storepass changeit-file client.cer
#Making a copy of cacerts file. These copies will be used for client/server truststore
cp /usr/java/jdk1.6.0_14/jre/lib/security/cacerts client.truststore
cp /usr/java/jdk1.6.0_14/jre/lib/security/cacerts server.truststore
#Copying server certificate to Client truststore
keytool -import -trustcacerts -v -keystore client.truststore -storepass changeit -file server.cer
#Copying Client certificate to Server truststore
keytool -import -trustcacerts -v -keystore server.truststore -storepass changeit -file client.cer
During the first few iteration I was not using cacert but directly create truststores from the certificate and that too worked well. Problems came up when we need to connect to some other services using SSL and connection could not be establised even when the service used a Signed Certificate.
For example connecting to GMail SMTP server would faile if the truststore were not created up from cacerts. Reason being even though GMail uses a signed certificate, we wold be using a truststore that would not know if the GMail certificate can be trusted. For this reason we used cacerts to create out truststore. After which we were able to connector any service that uses a Signed Certificate.
If in case we encounter a unsigned certificate we will then have to add them to the Components Truststore.
I'm trying to build a simple client/server system wich uses SSLSocket to exchange data. (JavaSE 6)
The server must have its own certificate, clients don't need one.
I started with this
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
To generate key for the server and a self signed certificate.
To sum it up:
Create a new keystore and self-signed certificate with corresponding public/private keys.
keytool -genkeypair -alias mytest -keyalg RSA -validity 7 -keystore /scratch/stores/server.jks
Export and examine the self-signed certificate.
keytool -export -alias mytest -keystore /scratch/stores/server.jks -rfc -file server.cer
Import the certificate into a new truststore.
keytool -import -alias mytest -file server.cer -keystore /scratch/stores/client.jks
Then in my server code I do
System.setProperty("javax.net.ssl.keyStore", "/scratch/stores/server.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
SSLServerSocketFactory sf = sslContext.getServerSocketFactory();
SSLServerSocket sslServerSocket = (SSLServerSocket)sf.createServerSocket( port );
Socket s = sslServerSocket.accept();
I am basically missing some point because I get a "javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled." when I try to run the server.
Can it be a problem with the certificate? When using -validity in keytool the certificate gets self-signed, so it should work if I'm not wrong.
Reading the docs seems that setting the property "javax.net.ssl.keyStore" is sufficient for the SSLContext to setup correctly. Any suggestion?
I messed up things a little, complete solution is here: https://forums.oracle.com/forums/thread.jspa?threadID=1531716