Keystore not working with CA cert in wildfly - ssl

So I bought a certificate. I got a certificate, a key, and an intermediate that has 2 beginnings; I don't know if that counts or should be added as separate intermediates.
I added the certificate and the intermediate like this.
keytool -import -trustcacerts -alias rootmydomain -file rootmydomain.crt -keystore mykeystore.keystore
keytool -import -trustcacerts -alias interm.mydomain -file interm.mydomain.crt -keystore mykeystore.keystore
I didn't have a problem so far; it created a mykeystore.keystore file in my wildfly/standalone/configuration/ folder. I was even able to list my entries in mykeystore.keystore.
Then added the following to my standalone.xml.
<security-realm name="ssl-realm">
<server-identities>
<ssl>
<keystore path="mykeystore.keystore" relative-to="jboss.server.config.dir" keystore-password="mypassword" alias="rootmydomain" key-password="mypassword"/>
</ssl>
</server-identities>
</security-realm>
And I get the following error:
04:55:22,538 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.ssl-realm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.ssl-realm.key-manager: WFLYDM0083: The KeyStore /opt/wildfly-10.0.0.Final/standalone/configuration/mykeystore.keystore does not contain any keys.
I had the same configuration with a cert generated by myself and it worked. I don't know why I am not able to make it work like this.

Based on the commands you issued, there are indeed no keys in your keystore, just certificates. You need to get your private key in the keystore in order for Wildfly to be able to pick it up.
importing an existing x509 certificate and private key in Java keystore to use in ssl is an example of how it can be done.

Related

SSL certificate installation on Wildfly server

I was trying to install an SSL certificate on a WildFly application server which is hosted in an AWS EC2 instance.
I purchased the SSL certificate from GoDaddy. I downloaded the SSL certificate zip from the GoDaddy portal, which consists of the following:
1. gd_bundle-g2-g1.crt
2. gdig2.crt.pem
3. 70c350d31695.crt
4. 70c350d31695.pem
I created the keystore and imported the certificates into the keystore with the following commands:
keytool -genkey -alias wildfly -keyalg RSA -keystore wildfly.jks
keytool -import -alias root -keystore wildfly.jks -trustcacerts -file 70c350d31695.crt
keytool -import -alias intermed -keystore wildfly.jks -trustcacerts -file gd_bundle-g2-g1.crt
Also done configuration in wildfly as follows
standalone.xml
<security-realm name="SslRealm">
<server-identities>
<ssl>
<keystore path="/home/centos/ssl/newssl/wildfly.jks" alias="wildfly" keystore-password="OHGv216TZDhbd" />
</ssl>
</server-identities>
</security-realm>
and
<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
But after restarting the application, the keystore is recognized but the https certificate is not recognized. When I double click on the certificate in the browser it has only keystore information, not certificate information.
Please help me to fix this.
In the browser the certificate error is like the following:
You need a single entry I think in your keystore with all the details. You might find it easier using KSE (https://keystore-explorer.org/) rather than the cli

connect to https server with apache camel

Context of my problem :
I'm working with Apache Camel in ServiceMix, and I'm developing a bundle. In this bundle, the following endpoint is defined in a route:
<to uri="https4://URL_I_WANT_TO_CONNECT_TO?proxyAuthHost=MY_PROXY_HOST_NAME&proxyAuthPort=MY_PROXY_PORT&sslContextParameters=mySslContextParameters" />
As you can see in the value of the "uri" attribute, I use an HTTP proxy.
My goal is to do an HTTP POST request to the "URL_I_WANT_TO_CONNECT_TO". I've been given 3 certificates (3 ".cer" files, and according to the names of these files I guess there is one for the server, one for the CA and one for the CA intermediate). Let's name these 3 certificates "cert_server.cer", "cert_ca.cer", and "cert_ca_intermediate.cer".
I created a file named "keystore.jks" using the tool "keytool". This creation was done by executing the three following commands in this order :
keytool -import -keystore keystore.jks -file cert_server.cer -alias "server"
keytool -import -keystore keystore.jks -file cert_ca.cer -alias "ca"
keytool -import -keystore keystore.jks -file cert_ca_intermediate.cer -alias "ca_intermediate"
Note: I used the same password for all certificates.
Then I added the file "keystore.jks" and the 3 certificates in the Java project corresponding to my bundle, and defined the following sslContextParameters (which is referenced in the value of the "uri" attribute of the previously defined endpoint) in the blueprint file of my bundle:
<sslContextParameters id="mySslContextParameters"
xmlns="http://camel.apache.org/schema/blueprint">
<keyManagers keyPassword="abcde">
<keyStore resource="/key/keystore.jks" password="abcde" />
</keyManagers>
</sslContextParameters>
The problem is that it doesn't work (I don't manage to connect to "URL_I_WANT_TO_CONNECT_TO"), and the only information I have is the following log message: "Error : Remote host closed connection during handshake". I have no idea how to solve the problem.
Could the HTTP proxy be the source of the problem?
Thank you for any help.
Best regards
If your certificates are used to contact the SSL server (and not to authenticate), have a look at TrustManagersParameters (and not KeyStoreParameters).
http://camel.apache.org/camel-configuration-utilities.html#CamelConfigurationUtilities-TrustManagersParameters

SSL on tomcat 7 (7.0.10) here I am using Thawte SGC Certificate

I have a problem configuring SSL on Tomcat 7 (7.0.10); here I am using a Thawte SGC certificate. Please read the description below carefully and help me out.
I have followed the steps below.
1) Generated a key using the command below:
keytool -genkey -keysize 2048 -alias test_self_certificate -keyalg RSA -keystore test_self_certificate.jks -validity 730
This command generated the "test_self_certificate.jks" file in the current folder.
2) Then generated a CSR using the command below:
keytool -certreq -alias test_self_certificate -file my_application.csr -keystore test_self_certificate.jks
This command generated the "my_application.csr" file in the current folder.
3) Then I submitted this CSR to Thawte and got a certificate from them in PKCS#7 format. I copied that certificate text into Notepad and saved the file as "signed_certificate.p7b".
4) Then I created a new JKS keystore and imported the certificate received from Thawte using the command below:
keytool -import -alias signed_cert -trustcacerts -file signed_certificate.p7b -keystore tomcat_application.jks
This command generated the "tomcat_application.jks" file in the current folder.
5) I updated the Tomcat server.xml as below (I have provided the correct .jks file path and keystore password):
<Connector port="8001" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/export/home/parsupport/Tomcat_certs/tomcat_application.jks" keystorePass="parlive" clientAuth="false" sslProtocol="TLS" />
6) After this change, when I start Tomcat I get the exception below and Tomcat does not start with SSL:
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:774)
Important note: if I instead import the certificate received from Thawte into the keystore that I created to generate the key pair and CSR (test_self_certificate.jks, mentioned in the first step above) and use that keystore to configure Tomcat (as described in step 5 above), then Tomcat starts in SSL mode, but when I try to open the HTTPS URL I get an untrusted certificate warning.
keytool -genkey -keysize 2048 -alias test_self_certificate [...]
Here, -genkey generates a public/private key pair and stores it in the "test_self_certificate" alias entry, thereby making this a private key entry. (If you use keytool -list, you'll see some private key entries and some certificate entries). -genkey also generates a self-signed certificate to associate with this private key automatically (this is also how the public key is effectively stored by default).
keytool -import -alias signed_cert [...]
If you get a certificate issued for a private key that is stored in a keystore, you need to store this certificate against the right private key entry, not just any entry. Here, you should have used -alias test_self_certificate instead (which may also mean that it wasn't the best choice of alias name, but that's just a detail).
(In some cases, you may also need to make sure you import the full chain.)
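Both this answer and the WildFly answer above come down to what `keytool -list` shows: a keystore with only trustedCertEntry rows has no key to serve, and a CA-signed certificate imported under an alias other than the private key's does not fix that. The following is an added pre-flight check, not code from any of the posts; the two listings are constructed samples in the non-verbose `keytool -list` format, and the short status codes are my own naming.

```python
import re

# Constructed `keytool -list` output mirroring the WildFly question: root and
# intermediate imported as trusted certs, private key never added.
LISTING_CERTS_ONLY = """\
Your keystore contains 2 entries

rootmydomain, Mar 3, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:00:11:22:33
interm.mydomain, Mar 3, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
"""

# Constructed listing mirroring the Tomcat thread: the key pair lives under one
# alias and the CA-signed certificate was imported under a different one.
LISTING_WRONG_ALIAS = """\
Your keystore contains 2 entries

test_self_certificate, Mar 3, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
signed_cert, Mar 4, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 14:13:12:11:10:0F:0E:0D:0C:0B:0A:09:08:07:06:05:04:03:02:01
"""

KEY_TYPES = {"PrivateKeyEntry", "keyEntry"}  # current and legacy keytool names
# Entry rows look like "<alias>, <date>, <type>," and the date itself has a comma.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+), "
                      r"(?P<type>PrivateKeyEntry|keyEntry|trustedCertEntry|SecretKeyEntry),\s*$")

def parse_listing(text):
    """Map alias -> entry type from non-verbose `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def check_server_alias(listing, alias):
    """Return 'OK' or a short code saying why `alias` cannot serve TLS."""
    entries = parse_listing(listing)
    if not any(t in KEY_TYPES for t in entries.values()):
        return "NO_PRIVATE_KEY"    # only certs imported: WildFly's WFLYDM0083 case
    if alias not in entries:
        return "ALIAS_MISSING"     # configured alias does not exist in the keystore
    if entries[alias] not in KEY_TYPES:
        return "NOT_A_KEY_ENTRY"   # cert imported beside the key, not onto its alias
    return "OK"
```

Run it against the output of `keytool -list -keystore <file>` and the alias from the connector or security-realm configuration before restarting the server; NOT_A_KEY_ENTRY means the signed certificate should be re-imported with the private key's alias.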

Issue in self signed certificate

I am now trying to access the web service via https, and to achieve this I have done the below.
I used the commands below to generate the self-signed certificate and placed it in the /conf dir.
keytool -genkey -alias localhost -keyalg RSA -validity 365 -keystore server.keystore -storetype JKS
keytool -export -alias localhost -keystore server.keystore -rfc -file public.cert
keytool -import -alias localhost -file public.cert -storetype JKS -keystore server.truststore
Below is the server.xml entry
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https" secure="true">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
keystoreFile="conf/server.keystore"
keystorePass="changeit"
truststoreFile="conf/server.truststore"
truststoreType="JKS" truststorePass="changeit"
clientAuth="false" protocol="TLS"/>
</Connector>
And now I am facing the below error.
{http://xml.apache.org/axis/}stackTrace: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
However, the error is not thrown if I add the below code in the class file accessing the web service.
AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
Could you please guide me in resolving this issue?
TLS is being set up on two sides: server and client. Each side must have its own key pair saved into a key store. Let's call them serverKeystore.jks and clientKeystore.jks.
Then an additional key store is to be created containing only the public key. This one is called a trust store and is used for key authentication. Let's follow the same scheme and save them into serverTruststore.jks and clientTruststore.jks.
In one-way TLS only the server key is authenticated.
The server must have only serverKeystore.jks provisioned in the Connector.
The client must have both clientKeystore.jks and serverTruststore.jks provisioned.
In two-way TLS both the server and client keys are authenticated.
The server must have serverKeystore.jks and clientTruststore.jks provisioned in the Connector.
The client must have both clientKeystore.jks and serverTruststore.jks provisioned.
The client registers key stores either by specifying a Java environment variable with
-Djavax.net.ssl.keyStore="path\\to\\server.keystore"
in parameters to command starting JVM, or programmatically in the code with
System.setProperty("javax.net.ssl.keyStore", "path\\to\\server.keystore");
Technically it is possible to use the same key pair both on client and server side as you did. But this compromises the private key, as it is not secret any more.
The below entry is added in the class file where the call to https happens, and it works like a charm. Yet I am not sure why the xml entry is not considered.
System.setProperty("javax.net.ssl.keyStore", "path\\to\\server.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
System.setProperty("javax.net.ssl.trustStore", "path\\to\\server.truststore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
PS: Both the xml entry and the class entry are needed, else the same error is thrown. I am yet to get a clear picture on this. Maybe someone might explain. Thanks.

"unable to find valid certification path to requested target" after adding new Keystore to ActiveMQ

We use ActiveMQ to queue up messages from remote clients.
The clients use the following URL to connect to ActiveMQ on our server;
ssl://www.mydomain.com:61616
This worked fine in the past and was set up by a developer no longer with the company.
Recently we had to update our SSL cert as the old one had run out. We did this successfully for our http server but have only now realised that a copy of the original keystore still resided in the ActiveMQ config folders.
We have tried to place the new keystore into the ActiveMQ config folders, overwriting the old keystore. However this does not appear to work and all connections are rejected with the following stack trace;
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
What are we doing wrong here?
We've listed the contents of both the old and new keystore using the keytool -list command and they appear to be very similar (apart from the dates of course).
Are there additional updates we need to make to the clients calling the above URL to accept our new keystore?
It may be that your truststore is out of sync with your keystore. Here is the general way to set it up from scratch; your config will differ, so adapt as needed:
Generate certs for each of the clients, and register the client certs with the broker truststore.
> keytool -genkey -alias producer -keyalg RSA -keystore myproducer.ks
> keytool -genkey -alias consumer -keyalg RSA -keystore myconsumer.ks
Export both certs
> keytool -export -alias producer -keystore myproducer.ks -file producer_cert
> keytool -export -alias consumer -keystore myconsumer.ks -file consumer_cert
Import the certs into the producer truststore (new file)
> keytool -import -alias producer -keystore mybroker.ts -file producer_cert
> keytool -import -alias consumer -keystore mybroker.ts -file consumer_cert
Copy the broker truststore to whichever location you had the old one in, usually {ACTIVEMQ_HOME}/conf. You can generally see this in your broker config:
<broker ...>
<sslContext>
<sslContext keyStore="file:${activemq.base}/conf/mybroker.ks"
keyStorePassword="test123"
trustStore="file:${activemq.base}/conf/mybroker.ts"
trustStorePassword="test123"/>
</sslContext>
</broker>