Is a keytool certificate free? - ssl

In our application we are creating a client and a server that talk with each other using SSL authentication. I did a POC which downloads a certificate using the following command:
keytool -genkey -keystore yourKEYSTORE -keyalg RSA
I need to know whether the certificate created by the above command is free to use.

It's free to use, but it is self-signed, which makes it basically useless unless you can go through all the steps required to get the peers to trust it.
Failing that, you need to generate a certificate request from this, get it signed, and import the resulting signed certificate into that keystore using the same alias you used here.

Can't build keystore: [Private key missing (bad password?)] - SOAPUI

I have a serious problem making an SSL request to the server with SoapUI. I am a newbie in SoapUI and maybe I did something wrong while trying to import the certificate into SoapUI.
My client sends me:
Root CA
Intermediate CA
SSL CA
Private Key
I am using keytool to generate a keystore with a password using the command
keytool -genkey -alias soapui -keyalg RSA -keystore soapui.keystore
And then I tried to export this keystore with my SSL CA:
keytool -export -alias soapui -file SSL.cer -keystore soapui.keystore
And then I import this into Keystores in SoapUI.
However, I got the error:
ERROR:java.security.KeyStoreException: Can't build keystore: [Private key missing (bad password?)]
I have no idea where I am wrong.
Could anyone please indicate the steps I should work on to make the SSL request in SoapUI?
Please help
Thank you.
I assume you need to make a two-way SSL connection with a client certificate.
Firstly you need to make a keystore (JKS) containing:
your private key
all certificates upwards including the root CA
Using https://keystore-explorer.org/ may help you understand and verify the content of your keystore.
There are multiple ways to configure the client certificate in SoapUI:
If you use the global configuration (File - Preferences - SSL Settings), there is only one password to be set. Make sure your keystore password and key password are equal.
If you use the setup on the project level, you are allowed to enter two passwords.

How does keytool work: privateKeyEntry and trustedCertEntry?

OK, first I'll say what I know about how SSL works.
Most of all I need to understand how the client certificate works, because I was setting up an mTLS Istio gateway and had trouble with it.
So, firstly I need a key pair, private and public. If I understood correctly, I create them with the following command:
keytool -genkey -alias myKeyPair -keyalg RSA -keysize 2048 -keystore store.jks
If I look in the keystore there will be one PrivateKeyEntry. Next I create a certificate request:
keytool -certreq -keyalg RSA -alias myKeyPair -file request.csr -keystore store.jks
After a while, I received a signed client certificate, client.cer, and a trusted CA certificate, ca.cer.
Now I have questions:
First, I tried to send a request from curl. But curl needs the private key, which is stored in the JKS. I don't have openssl and can't get it, so I extracted the private key using Java code. But the result was always the same: istio gateway: peer did not return a certificate
Second, I tried using java.net.http.HttpClient with an SSLContext setting containing my JKS. And it worked. But first I had to put ca.cer and client.cer in my JKS. And this I cannot understand: why do I need to put ca.cer? Because without ca.cer stored in store.jks I get a certificate validation error.
Also when I put client.cer in the JKS, keytool displays a warning: Certificate already exists in keystore under alias <myKeyPair>. Do you still want to add it? Why does it think the PrivateKeyEntry and trustedCertEntry are the same?
Meta: a poor answer due to the vagueness of the question, but much too long for comments.
First, I tried to send a request from curl. But curl needs the private key, which is stored in the JKS. I don't have openssl and can't get it, so I extracted the private key using Java code. But the result was always the same: istio gateway: peer did not return a certificate
Either your 'extract' was wrong or the way you provided it to curl was wrong, or both, and you described neither. First, to be clear, like any client doing client auth, curl actually needs the private key and certificate, and usually any applicable chain certificate(s). What file format(s) you must use, and whether a single combined file or separate files (added:) or none at all as it turns out, depends on the curl build you are using: curl supports seven SSL/TLS implementations, and the ways to provide client key and cert vary among them. Use curl -V (uppercase) to see how it was built, then look at the portions of the man page, on your system or on the web, that apply to that implementation.
Second, I tried using java.net.http.HttpClient with an SSLContext setting containing my JKS. And it worked. But first I had to put ca.cer and client.cer in my JKS. And this I cannot understand: why do I need to put ca.cer? Because without ca.cer stored in store.jks I get a certificate validation error.
Possibly it is a 'chain' or intermediate CA cert. An SSL/TLS client (like a server) is required by the standard to send any chain cert(s) needed to connect the end-entity (client or server) cert to, normally, a 'root' in the receiver's truststore. (Since RFC5280, and confirmed by RFC8446, it is actually possible to use an anchor that isn't a root, but it is rare to do so.) Possibly it is even a combination of chain cert(s) and root (or anchor). (Some reliers can sometimes still build the chain to validate a cert when it wasn't correctly sent; browsers especially tend to do this, but most servers do not.)
Look at it and see. If it is PEM format you can see with any text display or edit program how many certs it contains. If it is a single cert you can display the details with keytool -printcert -file $file -- or since you already imported it, keytool -list -v -alias name -keystore $ks [-storepass $pw]. If it is multiple certs in PEM format you can break it apart with an editor and display each one separately. If it is multiple certs in DER format you won't be able to handle that easily, but fortunately that format is rarely used. openssl x509 [-inform pem|der] -text -noout is also commonly used to display cert file details, but you say you can't use it.
Also when I put client.cer in the JKS, keytool displays a warning: Certificate already exists in keystore under alias <myKeyPair>. Do you still want to add it? Why does it think the PrivateKeyEntry and trustedCertEntry are the same?
If you only did this once, and correctly, it shouldn't. Given separate cert files, you should keytool -importcert the client cert to the alias of the private key entry you created, and used to create the -certreq, which in your example is myKeyPair, after you keytool -importcert any needed chain cert(s), and optionally the root or anchor, (each) to a different alias. (It is often convenient, but not required, to use simple words like root, imed, imed2 etc. as aliases.) Alternatively, if you have the whole chain as a single file, either a PEM sequence or a DER sequence, or 'p7b' (a dummy PKCS7 SignedData with no data and no signature, commonly used as a container for one or more certs, such as a chain) in either PEM or DER, you should import that chain in a single operation.
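The SoapUI answer above (a JKS holding the private key and every certificate up to the root) and this answer (the client cert goes into the PrivateKeyEntry under the key alias, chain certs and root under their own aliases) describe the same keystore layout. The following Java program, an added example that is not code from any of the posts, builds that layout with the KeyStore API instead of keytool: it reads an unencrypted PKCS#8 PEM key and a PEM bundle of certificates in any order, sorts them leaf first by following the issuer-to-subject links (verifying each signature on the way up), stores the key plus the full chain as one PrivateKeyEntry, adds the root as a separate trustedCertEntry, and then lists the entry types the way keytool -list -v does. The file names client.key, chain.pem and soapui.p12, the alias soapui, the password and the RSA key type are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

/**
 * Builds the keystore the answers describe: one PrivateKeyEntry holding the private key plus the
 * complete chain (leaf, intermediates, root), with the root additionally stored as a trustedCertEntry,
 * then lists the entries the way "keytool -list -v" would.
 */
public class ClientKeystoreBuilder {

    /** Reads an unencrypted PKCS#8 PEM key ("-----BEGIN PRIVATE KEY-----"). A PKCS#1 "BEGIN RSA PRIVATE KEY"
     *  file must be converted first; KeyFactory does not accept that encoding. RSA is assumed, as on the page. */
    static PrivateKey readPkcs8Pem(Path file) throws Exception {
        String pem = Files.readString(file, StandardCharsets.US_ASCII);
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    /** Reads every certificate in a PEM bundle or a single DER file; CertificateFactory handles both. */
    static List<X509Certificate> readCerts(Path file) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Orders an unordered pile of certificates leaf first by following issuer -> subject links and
     *  verifies each signature on the way up. This is the chain building keytool does for you on import. */
    static List<X509Certificate> orderChain(List<X509Certificate> certs) throws Exception {
        X509Certificate leaf = null;
        for (X509Certificate cand : certs) {           // the leaf is the one cert that issued no other cert
            boolean issuedOther = false;
            for (X509Certificate other : certs) {
                if (other != cand && other.getIssuerX500Principal().equals(cand.getSubjectX500Principal())) issuedOther = true;
            }
            if (!issuedOther) {
                if (leaf != null) throw new IllegalArgumentException("bundle contains more than one leaf certificate");
                leaf = cand;
            }
        }
        if (leaf == null) throw new IllegalArgumentException("no leaf certificate found in bundle");
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate cur = leaf;
        while (true) {
            chain.add(cur);
            if (cur.getIssuerX500Principal().equals(cur.getSubjectX500Principal())) break;   // self-signed root reached
            X509Certificate issuer = null;
            for (X509Certificate cand : certs) {
                if (cand != cur && cand.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) issuer = cand;
            }
            if (issuer == null) break;                 // chain stops at an intermediate; the root then lives only in the trust store
            cur.verify(issuer.getPublicKey());         // throws if this link is not genuine
            cur = issuer;
        }
        return chain;
    }

    static KeyStore build(Path pemKey, Path pemBundle, String alias, char[] password) throws Exception {
        PrivateKey key = readPkcs8Pem(pemKey);
        List<X509Certificate> chain = orderChain(readCerts(pemBundle));
        KeyStore ks = KeyStore.getInstance("PKCS12");   // "JKS" works the same way; PKCS12 is the JDK default since 9
        ks.load(null, null);                            // start from an empty store
        // The PrivateKeyEntry: key plus the whole chain, leaf first. This chain is what the TLS KeyManager sends to the peer.
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
        X509Certificate top = chain.get(chain.size() - 1);
        if (top.getIssuerX500Principal().equals(top.getSubjectX500Principal())) {
            ks.setCertificateEntry("root", top);        // a trustedCertEntry under its own alias, like "keytool -importcert -alias root"
        }
        return ks;
    }

    /** The equivalent of "keytool -list -v": which aliases are PrivateKeyEntry and which are trustedCertEntry. */
    static void describe(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("%s: PrivateKeyEntry, certificate chain length %d%n", alias, chain.length);
                for (Certificate c : chain) System.out.println("    " + ((X509Certificate) c).getSubjectX500Principal());
            } else if (ks.isCertificateEntry(alias)) {
                System.out.printf("%s: trustedCertEntry, %s%n", alias, ((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();          // assumed file names and password; none are from the original posts
        KeyStore ks = build(Path.of("client.key"), Path.of("chain.pem"), "soapui", pw);
        describe(ks);
        try (OutputStream out = Files.newOutputStream(Path.of("soapui.p12"))) {
            ks.store(out, pw);                          // same password for store and key, as the global SoapUI setting requires
        }
    }
}
```

The keytool warning in the question comes from the same structure: the certificate the CA signed is already the first element of the PrivateKeyEntry's chain, so importing it again under a second alias as a trustedCertEntry is a duplicate, not a different kind of entry. Separating the key store from the trust store (the CA certificate in its own file, handed to a TrustManagerFactory) keeps the two roles distinct.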

keytool error: java.lang.Exception: Public keys in reply and keystore don't match errors when importing crt

Before I start, I have looked at 2 other questions:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
And
java.lang.Exception: Public keys in reply and keystore don't match
But I believe that the error comes from the way I am generating the CSR that I submit to my provider (DigiCert). I will detail my commands below; notice that this is the way our department has always done this, and up to this point I can't understand why this is not working (I am also not at all trained to do system administration things, but this landed on me).
First, generating the keystore:
keytool -genkey -alias aliasItem -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keypass <password> -dname "CN=server.domain.whatever, OU=IT, O=SOME NAME, L=City, ST=State, C=COUNTRY" -keystore keycerts -storepass <password>
I changed the important items as you might well assume for security concerns. Afterwards:
keytool -keycerts -keyalg RSA -sigalg SHA256withRSA -v -alias aliasItem -file outputfile.csr -keystore keycerts
After I get the CSR, I submit it to my provider; there is no copy/paste error in this case since I import the file directly. They provide two .crt files, one from the service provider and one for the server I am requesting it for. After I move these files to my server and attempt to import the service provider's .crt into the keystore I get an error; this is the command I use for importing the .crt into the keystore:
keytool -import -v -alias aliasItem -file <Provider>.crt -keystore keycerts
Which outputs the error:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
java.lang.Exception: Public keys in reply and keystore don't match
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2688)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1940)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:855)
at sun.security.tools.KeyTool.run(KeyTool.java:194)
at sun.security.tools.KeyTool.main(KeyTool.java:188)
I have tried changing some parts of the scripts a total of 8 times now, all using the notes and documentation provided by me with no positive results. What strikes me as odd is that this server is identical in all aspects to another one of our test servers, for which I had done this before with no issues. I am still trying to do different things to solve my issue, but due to my limited knowledge in this I believe that there has got to be something I am doing from the beginning that might be wrong.
Any input will be greatly appreciated.
The second command, for generating the CSR, seems to be incorrect because "-keycerts" is an illegal parameter. It must be "-certreq".
Now, the error states that the private key does not match the certificate which you are trying to install. Kindly check the below:
a) Please make sure you are using the same keystore file which you used to generate the CSR.
b) Please check that you are using the correct alias name while importing. The alias should match the one you mentioned while generating the keystore file.
c) Please make sure you are importing the correct server certificate and not the intermediate or root. DigiCert must have provided you all three files, namely the server certificate (the CN of this certificate must match the one you used when you generated the CSR, and this is the one which needs to be imported), the intermediate and the root.
If the above steps don't work then you have to generate a new CSR and keystore file and ask DigiCert to reissue the certificates. They will do it for you free of cost.
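The three checks in this answer can be made mechanically. The Java program below is an added example, not code from the question or the answer: it repeats the comparison keytool performs before it accepts a CA reply into a key alias (the reply's public key against the public key of the self-signed certificate that -genkey stored in the PrivateKeyEntry), and reports which of the answer's three causes applies: the reply matches the named alias, it matches a different key alias in the same file (point b), or it matches nothing (point a, wrong keystore); a BasicConstraints check flags a file that is the intermediate or root rather than the server certificate (point c). The paths keycerts and server.crt, the alias aliasItem and the password are assumptions; the code needs Java 16 or later for records and switch arrows.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Reproduces the comparison keytool makes before it accepts a CA reply into a key alias, and turns the
 * bare "Public keys in reply and keystore don't match" into the three concrete checks from the answer.
 */
public class CertReplyChecker {

    enum Verdict { MATCHES_ALIAS, MATCHES_OTHER_ALIAS, MATCHES_NOTHING }

    record Result(Verdict verdict, String alias, boolean replyIsCa, String replySubject, String keystoreSubject) {}

    static Result check(Path keystoreFile, char[] storePass, String alias, Path replyFile) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());   // loads both JKS and PKCS12 files
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            ks.load(in, storePass);
        }
        X509Certificate reply;
        try (InputStream in = Files.newInputStream(replyFile)) {
            reply = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // getBasicConstraints() is -1 for an end-entity certificate; anything else means the file is a CA
        // certificate (intermediate or root), which belongs under its own alias, not under the key alias: point (c).
        boolean replyIsCa = reply.getBasicConstraints() != -1;
        String replySubject = reply.getSubjectX500Principal().getName();

        // keytool takes the self-signed certificate that -genkey stored in the PrivateKeyEntry and compares its
        // public key with the reply's public key (PublicKey.equals compares the encoded key).
        X509Certificate own = ks.isKeyEntry(alias) ? (X509Certificate) ks.getCertificate(alias) : null;
        String ownSubject = own == null ? null : own.getSubjectX500Principal().getName();
        if (own != null && own.getPublicKey().equals(reply.getPublicKey())) {
            return new Result(Verdict.MATCHES_ALIAS, alias, replyIsCa, replySubject, ownSubject);
        }
        // Point (b): the CSR may have come from another key alias in the same file.
        for (String other : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(other)) {
                PublicKey pk = ks.getCertificate(other).getPublicKey();
                if (pk.equals(reply.getPublicKey())) {
                    return new Result(Verdict.MATCHES_OTHER_ALIAS, other, replyIsCa, replySubject, ownSubject);
                }
            }
        }
        // Point (a): no key in this file produced the CSR, so the reply was issued for a different keystore.
        return new Result(Verdict.MATCHES_NOTHING, null, replyIsCa, replySubject, ownSubject);
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths, alias and password; they are not taken from the original post.
        Result r = check(Path.of("keycerts"), "changeit".toCharArray(), "aliasItem", Path.of("server.crt"));
        System.out.println("reply subject:    " + r.replySubject());
        System.out.println("keystore subject: " + r.keystoreSubject());
        if (r.replyIsCa()) {
            System.out.println("This file is a CA certificate (intermediate or root): import it under a separate alias first");
        }
        switch (r.verdict()) {
            case MATCHES_ALIAS -> System.out.println("OK: keytool -importcert -alias " + r.alias() + " will accept this reply");
            case MATCHES_OTHER_ALIAS -> System.out.println("The CSR came from alias '" + r.alias() + "'; import the reply there");
            case MATCHES_NOTHING -> System.out.println("No key in this keystore matches: wrong keystore file or wrong certificate file");
        }
    }
}
```

Run it once per .crt file the CA sent back; the one that reports MATCHES_ALIAS is the server certificate to import under the key alias, and any file that reports replyIsCa belongs under its own alias and should be imported before the server certificate so keytool can build the chain.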

RestTemplate certificate issue

I am passing certificates in the RestTemplate request header. I get a 403 Forbidden error. How can I display the certificate information at my end before I make a call to the web service? I am using the code below to pass the certificate in the request header.
What is the right way to send a client certificate with every request made by the resttemplate in spring?
Not sure about the 403 as I'm a newbie on certs & stuff, but for your other questions (I know this is late but it might help someone who comes across this page):
Java keytool commands for checking:
keytool comes with the JDK.
If you need to check the information within a certificate, or Java keystore, use these commands.
Check a stand-alone certificate :
keytool -printcert -v -file mydomain.crt
Check which certificates are in a Java keystore :
keytool -list -v -keystore keystore.jks
Check a particular keystore entry using an alias :
keytool -list -v -keystore keystore.jks -alias mydomain
First, I would suggest verifying in your REST client whether you're able to access the REST endpoint by importing the cert & key files:
https://www.getpostman.com/docs/v6/postman/sending_api_requests/certificates
Helpful links:
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
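The question asks how to present a client certificate on every request and how to see that certificate before calling the service; the earlier keytool thread found that java.net.http.HttpClient with an SSLContext built from a JKS does this. The program below is an added example, not code from the question, the answer or Spring: it builds the SSLContext from a key store (the PrivateKeyEntry with certificate and chain that is sent to the server) and a separate trust store (the CA the server's certificate is validated against), prints the client certificate that will be presented, makes one request through the JDK client, and prints the server certificate the handshake accepted. A client certificate is part of the TLS handshake, not an HTTP header, which is why it is configured on the SSLContext rather than on the request. The file names client.p12 and truststore.p12, the password, the URL and the note about Spring's JdkClientHttpRequestFactory are assumptions.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS client built from two stores: the key store supplies the PrivateKeyEntry (certificate plus
 * chain) that is sent to the server on every request, the trust store supplies the CA that the server's
 * certificate is validated against.
 */
public class MutualTlsClient {

    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(file.toString().endsWith(".jks") ? "JKS" : "PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** keyPass unlocks the private key inside the entry; storePass only opens the file. The global SoapUI
     *  setting needs them equal, the Java API does not. */
    static SSLContext buildContext(Path keyStore, char[] storePass, char[] keyPass,
                                   Path trustStore, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStore, storePass), keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustPass));          // only CA certificates go here, never the private key
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** "Display the certificate information at my end before I make a call": the leaf of every key entry. */
    static void printOwnCertificates(Path keyStore, char[] storePass) throws Exception {
        KeyStore ks = load(keyStore, storePass);
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%s: %s, issued by %s, valid until %s%n", alias,
                        leaf.getSubjectX500Principal(), leaf.getIssuerX500Principal(), leaf.getNotAfter());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names, passwords and URL; none of them come from the original posts.
        char[] pw = "changeit".toCharArray();
        printOwnCertificates(Path.of("client.p12"), pw);
        SSLContext ctx = buildContext(Path.of("client.p12"), pw, pw, Path.of("truststore.p12"), pw);

        // Every request from this client presents the client certificate when the server asks for it.
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://api.example.test/hello")).GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode());

        // The server certificate that the trust store actually accepted during the handshake.
        if (response.sslSession().isPresent()) {
            SSLSession session = response.sslSession().get();
            X509Certificate server = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("server presented " + server.getSubjectX500Principal());
        }
        // Spring's RestTemplate wraps a lower-level HTTP client; on Spring Framework 6.1+ (an assumption, not
        // shown in the thread) the same HttpClient can be handed over via new JdkClientHttpRequestFactory(client).
    }
}
```

If the handshake itself fails, the exception names the side at fault: a server-side "bad certificate" or a "peer did not return a certificate" style error means the KeyManager found no usable PrivateKeyEntry, while a client-side PKIX path building error means the trust store lacks the CA that issued the server certificate.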

Hitting SSL Rest end point using SoapUI works, but not using postman

I'm trying to create an SSL REST endpoint (just a hello world GET request) using Spring Boot.
I created a self-signed certificate and imported it into a PKCS12 keystore using the following command, and was able to successfully add it to the keystore of the Tomcat embedded within the Spring Boot application.
I was using Postman to test my endpoint. Before that, I successfully imported the client certificate as described in the link - http://blog.getpostman.com/2014/01/28/using-self-signed-certificates-with-postman/ - into the Trusted Root Certification Authorities and also into Personal.
In spite of importing the client certificate, the request through Postman fails. However, if I try to hit the same HTTPS endpoint using SoapUI, I get a successful response.
Note: In the link - http://blog.getpostman.com/2014/01/28/using-self-signed-certificates-with-postman/ - someone had already raised a similar issue. However, I am not sure whether this was addressed by Postman.
Any help on this is much appreciated!!!
Command used to create the keystore:
keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore "c:\cert\keystore.p12" -validity 3650
Spring Boot application.properties:
server.port=8443
server.ssl.key-store=keystore.p12
server.ssl.key-store-password=changeit
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=tomcat