I have this certificates / files in order to enable SSL for my application:
I found out that this properties are needed for Spring Boot to enable HTTPS:
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat
but this does not work. My question now would be what do I have to do in order to get it work? https://abc.lehr.co.at should be the URL.
[EDIT]
I have created my own keystore - with this I get the following exception:
java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:596)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:534)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:739)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:472)
at org.apache.coyote.http11.Http11NioProtocol.start(Http11NioProtocol.java:81)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
My keystore looks like this:
Actually I don't know what to import into keystore for embedded tomcat (Spring Boot).
To enable SSL, you must provide a private key, and not a trusted certificate.
In your keystore, 'tomcat' should be listed as an alias for a privatekeyentry and not a trustedcertentry.
You have to pack your private keys to PFX file or P12 with specifiyng aliases. So, it will be picked up accordingly from the keyStore after loading materials.
Use this tool to figure out what alias are:
keytool -list -storetype pkcs12 -keystore my_debug_keystore.p12 -storepass debug
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.p12
server.ssl.key-store-password=****
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat << This should be the alias of yourfile.12 if you have forgotten just create a new one and replace it>>
And dnt forget to add
security.require-ssl=true <<Tell Spring Security (if used) to require requests over HTTPS>>
I'd suggest you create your KeyStore in JKS format:
keytool -genkey -keyalg RSA -alias my_alias -keystore keystore.jks -storepass password -validity 360 -keysize 2048
then add the configuration:
server.port=8089
server.ssl.enabled=true
server.ssl.key-store=src/main/resources/keystore.jks
server.ssl.key-store-password=****
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=my_alias
First you may convert your .pem file to a DER and then generate a keystore.
See https://stackoverflow.com/a/13992135/16358980 how to do this.
In your application.properties, change key-store property to your generated keystore file:
server.ssl.key-store=<your-generated-keystore>
Related
I got a serious problem while making an SSL request to the server with SOAPUI. I am a newbie in SoapUI and maybe I did something wrong while I'm trying to import the certificate into SOAPUI.
My client sends me:
Root CA
Intermediate CA
SSL CA
Private Key
I am using keytore to generate keystore with password by command
keytool -genkey -alias soapui -keyalg RSA -keystore soapui.keystore
And then I tried to export the this keystore with my SSL CA
keytool -export -alias soapui -file SSL.cer -keystore soapui.keystore
And then I import this into Keystores in the SoapUI.
However, I got the error
ERROR:java.security.KeyStoreException: Can't build keystore: [Private key missing (bad password?)]
I have no idea where am I wrong?
Could anyone please indicate what are the steps I should work on to make the SSL request to SoapUI?
Please help
Thank you.
I assume you need to make a Two-Way SSL connection with client cetificate.
Firstly you need to make a keystore (JKS) containing:
your private key
all certificates upwards including the root CA
Maybe using https://keystore-explorer.org/ may help you to understand and verify the content of your keystore.
There are multiple ways to configure the client certificate in SoapUI:
If you use the global configuration (File - Preferences - SSL Settings), there is only one password to be set. Make sure your keystore password and key password are equal.
If you use the setup on the project level, you are allowed to enter two passwords.
I tested the solution which given there:
In relation with the topic, How to add a SSL connector for apache karaf?
but I would want to use a certification authority CA.
For that purpose, I generated a CSR from the Keystore generated with a command like :
keytool -certreq -alias MyAlias -file MyCSR.csr -keystore Serverkeystore.jks
then I got back a CRT signed by our CA, but I do not know how to use it and where to declare it.
Would know how to declare it in the file CFG Pax Web? or if I just have to insert it into the store of key Serverkeystore.jks ?
(I am in Karaf V4.0.3)
I have problem configuring SSL on tomcat 7 (7.0.10) here I am using Thawte SGC Certificate , please read below description carefully help me out .
I have followed below step
1)Generated key using below command
keytool -genkey -keysize 2048 -alias test_self_certificate -keyalg RSA -keystore test_self_certificate.jks -validity 730
this command generated “test_self_certificate.jks” file in current folder
2)This generated CSR using below command
keytool -certreq -alias test_self_certificate -file my_application.csr -keystore test_self_certificate.jks
this command generated “my_application.csr” file in current folder
3)Then I have submitted this CSR to Thawte and got certificate from them in PKCS#7 format , I have copied that certificate text in notepad and saved that file as “signed_certificate.p7b”
4)Then i created New JKS keystore and imported certificate received from Thawte using below command
keytool -import -alias signed_cert -trustcacerts -file signed_certificate.p7b -keystore tomcat_application.jks
this command generated “tomcat_application.jks” file in current folder
5)I have update tomcat server.xml as below ( I have provided correct .jks file path and keystore password )
<Connector port="8001" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/export/home/parsupport/Tomcat_certs/ tomcat_application.jks " keystorePass="parlive" clientAuth="false" sslProtocol="TLS" />
6)After this change when I start Tomcat I get below Exception and tomcat does not start with SSL
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:774)
Important Note : but if I import certificate received from Thawte in keystore (test_self_certificate.jks -- mentioned as first step above) that I have created to generate KeyPair and CSR , and use that keystore to configure tomcat (as described in step 6 as above ) then Tomcat start in SSL mode but when in try to launch HTTPS URL I get untrusted certificate warning .
keytool -genkey -keysize 2048 -alias test_self_certificate [...]
Here, -genkey generates a public/private key pair and stores in into the "test_self_certificate" alias entry, thereby making this a private key entry. (If you use keytool -list, you'll see some private key entries and some certificate entries). -genkey also generates a self-signed certificate to associate with this private key automatically (this is also how the public key is effectively stored by default).
keytool -import -alias signed_cert [...]
If you get a certificate issued for a private key that is stored in a keystore, you need to store this certificate against the right private key entry, not just any entry. Here, you should have used -alias test_self_certificate instead (which may also mean that it wasn't the best choice of alias name, but that's just a detail).
(In some cases, you may also need to make sure you import the full chain.)
I have a webstart application where I want to do client authentication while connecting to the server. I have created pkcs12 certificate which I install using certmgr.exe and it works fine.
I want to do for every client that uses the application. How should I do this? If I distribute the certificate
I get a bad_certificate error. I know there isn't a problem with the certifcate because it would work if you install the certificate using the browser.
I had created the public key using
keytool -export -alias myKey -keystore abc.p12" -storetype PKCS12 -storepass mypassword -rfc -file abc.cer
then I imported this file into my server's keystore for mutual authentication using:
keytool -import -v -file abc.cer -keystore C:\apache-tomcat-7.0.26\tomcat.keystore" -storepass mypassword
after this, if I install abc.p12 certificate in certmgr, it works fine.
To be able to do it from Java, I needed a truststore. I created a truststore where I import the public key using
>keytool -import -keystore client-truststore.jks -file abc.cer
If I try to access the server using
-Djavax.net.ssl.keyStore=abc.p12
-Djavax.net.ssl.keyStorePassword=mypassword
-Djavax.net.ssl.trustStore=trustore.jks
-Djavax.net.ssl.trustStorePassword=mypassword
I'm not sure if I'm doing the right thing. Please let me know what you think.
What should I be doing? Please let me know your suggestions.
You should have imported it into your server's trust store, not its keystore.
You have to import the cert to your certs file, in the JDK is the cacerts file. After do that you have to view the cert is living on the file, and you will have do that on every client.
The thing about the trust store is that you create your own JKS file.
I have a problem in regards to Tomcat 6 and certificates. The problem is somewhat similar to this: Tomcat HTTPS keystore certificate.
My task is to get a Jira installation running with an SSL certificate issued by a CA.
To make sure I have got the workflow right I have tried to create a certificate of my own the following way (this works):
Create 'my' keystore
Extract the certificate from the 'my' keystore
Import the extracted certificate into Java's \cacerts keystore.
This solution works fine - site can be accessed over SSL.
I assume the following can be done with my CA issued certificate, in the form of a pfx file.
I created a new keystore using this command:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore \mydest\keystore.jks -deststorepass changeit
When I list the contents of the new keystore.jks I get one entry; private key with a guid.
I extract the certificate from the keystore. In this operation I am unable to specify an alias.
I import the certificate into the \cacerts keystore.
I then list the concents of the \cacerts keystore and find my new entry. Instead of having a name, the entry is showing the same guid as from the initial (pfx) keystore.
I alter my server.xml file with the new alias (e.g. guid) and keystore file.
However - starting Tomcat gives this error:
Alias name {guid} does not identify a key entry
Question is:
Can a guid be a key name?
If not, what I am doing wrong? :)
I have tried both keystores in the server.xml file, without luck.
New info; when I execute this command I am able to find information regarding the certificate in the \cacerts file:
keytool -list -v -keystore \cacerts -alias {guid}
So it seems that the guid exists. However, Tomcat seems to be unable to find the same key.
Answer is 'yes'.
The origins of my problem was that I had the wrong password for the key from the pfx file. Using the following command I changed the password from the original one to a the standard password (I did this prior to exporting the certificate from the keystore created from the pfx file):
keytool -keypasswd -alias {guid}
Keytool then asked me for old password and new password.
I might have been able to add some sort of configuration in the server.xml file like 'keypassword', but I haven't looked into that.