Not able to download and install IBM installer application using an iPad (iOS 7.1) - ssl

I deployed the IBM App Center on IBM Worklight Server 6.1 and enabled SSL by generating an SSL certificate using Liberty Core's common utility and updated the server.xml accordingly.
When I access the link https://< serverIP >:< sslPort >/appcenterconsole/inst.html
it shows an SSL error, "SSL certificate does not match the server URL". This is my first problem.
On Chrome it shows an option to proceed anyway; after that I am able to access the page with the IBM App Center installer application using my username and password.
But when I click the link for the application to download and install the app, it shows the message "Cannot connect to < serverIP >". This is my second problem.

You generated a self-signed certificate. Per the documentation, IBM Application Center does not support self-signed certificates. You need to purchase an official SSL certificate from a certificate authority. This limitation actually comes from iOS.
There is a complex workaround, but I recommend it only for testing. The workaround is not really suitable for production:
Generate a special self-signed certificate with the CA flag set to true. This makes the certificate also a certificate authority. Note: most instructions on the web are only valid for self-signed certificates with the CA flag set to false. If you use openssl, use the options -reqexts v3_req -extensions v3_ca
Import this SSL certificate into your device. See here and its subsections for details. This should also work for 6.1 even though the documentation link is for 6.2.
Install this certificate on your web server and proceed as usual.

You don't need to purchase anything; you just need to create a CA certificate with an Apple Mac, install it on the device and you will be allowed to download the apps, easy peasy
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt -reqexts v3_req -extensions v3_ca
Put your domain in the name field when prompted.
then
cat certificate.crt privateKey.key > server.pem
then
openssl pkcs12 -export -in certificate.crt -inkey server.pem -out server.p12 -passout pass:passServerP12 -passin pass:passServer
Then to try it out:
openssl s_client -connect hostname:port
Hope I could help ;D

Related

Page is working but showing "Not Secure" sign on browser (configured with Traefik v2 using self-signed cert)

I apologize if this is a silly rookie question, I'm not really experienced in dealing with SSL / HTTPS, so please help me out.
I have a docker swarm setup and use Traefik to handle all the HTTPS services. When I first load the page (take the grafana page for example), there is a warning page and I click "Advanced" and "Proceed (accept risk)", then the page displays and works just fine; the only problem is the "Not Secure" sign showing in the browser.
A few things could be contributing to this:
Self-created CA and self-signed cert: I'm at the development stage, so I created my own CA and signed the cert using openssl, and use this cert in the Traefik dynamic configuration.
Command to generate CA:
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem
Command to generate self-signed cert:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout key.pem -out req.pem
openssl x509 -req -in req.pem -days 365 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out cert.pem
See the attached screenshot for the errors of the certs: "Subject Alternative Name missing" & "This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)." (Screenshot: Chrome Dev Tool Certificate Error)
Traefik configuration: not using Let's Encrypt since I don't have an account, so I am using my own self-signed cert. I don't think this is the issue because I can see the page is using the cert I provided. But if anyone has similar experience with Traefik v2, maybe you can give me some pointers if there is anything I set wrong?
Dynamic configuration file that declares the certs:
tls:
  stores:
    default:
      defaultCertificate:
        certFile: configuration/cert.pem
        keyFile: configuration/key.pem
Question:
Is a missing SAN really an important factor that causes my page to be not secure? If yes, how can I add a SAN while creating the cert with openssl?
I understand that the 2nd error "ERR_CERT_AUTHORITY_INVALID" means the browser doesn't recognize the cert's validity. Does that mean I have to install my CA? Where and how do I install it? Is it on the docker swarm's manager node (this is where the Traefik service and the certs are), or is it on any client's machine that tries to access the page?

OpenSSL self signed certificate entirely blocked

I created a self-signed certificate; now my problem is that Firefox, Safari and even IE will not allow me at all to visit my own page. I can't even click on ignore or similar. It will just block me from visiting mypage.io.
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT certificate is not valid for 81.33.34.123 (fake ip)
My openssl certificate key and crt creation was like this:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.crt
It prompts me to enter some more details, and I think the problem is where it asks me about "Common Name (e.g. server FQDN or YOUR name)". I answered with www.mypage.io.
It's an unfinished project so I will not buy a certificate yet.
The trust is missing!
Please get a real certificate. You do not even have to buy one: https://letsencrypt.org/ provides them for free.
If you (for whatever reason) stick with your certificate:
IE: Import it to the trusted root certificate authority store (certlm.msc).
Mozilla: Look here
Alternatively, please find information on how to generate your own trust chain with OpenSSL here: How to make browser trust localhost SSL certificate?

What is the purpose of template in Microsoft CA?

I'm using a Microsoft Certification Authority to sign some certificates for a corporate network. Using the certreq utility everything works fine, but I couldn't find the purpose of the template anywhere.
In my case, I need to create some certificate requests on a Linux server (using OpenSSL) and then sign them using the Microsoft CA on another server (Windows Server 2012). The process is basically described below:
Create the .csr file and key on a Linux server (openssl req -newkey rsa:1024 -keyout myKey.key -out myCsr.csr -subj /CN=mydomain.com/O=Organization/C=US/ST=ST/L=City);
Send the csr file to the Windows Server where the CA is installed;
Call the certreq utility to create the certificate itself (certreq -submit -attrib "CertificateTemplate:MyWebServerTemplate" -config DOMAINCA\CA1 myCsr.csr myCert.cer);
When needed, send the cert to Linux again and convert the .cer into a .crt with the command openssl x509 -outform DER -in myCert.cer -out myCert.crt. This is needed when certreq is used with the -binary option.
As far as I know, choosing the template is mandatory, but nothing changes no matter which one I choose. I tried selecting many templates, but apparently nothing changes.
Update:
After some tests, I noticed that some templates actually change some of the original info from the CSR, but my question still is: what is the purpose of the template, since the info is all in the CSR, and why is it mandatory? How can I force the MS CA to use the CSR info?
I'm new to this certificate administration thing. Am I misunderstanding something in the process?

Certificate auto installation for SSL communication [Client]

I have Tomcat-Apache set up to serve my application on port 443 (Apache).
I configured Apache with the root certificate and key to enable HTTPS access to my application.
On the server I had to install this certificate into the user's personal store for HTTPS access.
The problem is that if a client wants access, he needs to manually install the certificate first. These are self-signed certificates generated via OpenSSL.
openssl req -new -x509 -days 1024 -key ca.key -out ca.crt -config openssl.cnf
Is there a way to configure Apache, or install the certificate in another store, so that a client triggers auto-installation of the certificate while accessing the site?

Mosquitto with SSL, Why do I generate .csr?

I am not familiar with SSL/TLS; I am trying to set up my Mosquitto broker with SSL. For testing purposes, I am not using a real root CA; I created my own root CA. Here is how I think SSL works, correct me if I am wrong, I am a noob.
A root CA could issue second-layer CAs, certs and keys, and client/server exchange this information; when one needs to verify the identity of the other, it will bring this information to the root CA and ask if it is correct.
So, I followed the Mosquitto documentation and used OpenSSL to generate rootCA.crt, server.crt and server.key. I've also generated client.crt and client.key, so that when my client application connects to the Mosquitto broker, the broker can identify that connection.
I added the ca file, key file and cert file configuration to my local.conf. Restarted Mosquitto, it works.
Then I used mosquitto_sub with ca.crt, client.crt and client.key to connect to the broker; that works too.
What I don't understand is: why does the documentation teach me how to generate server.csr and client.csr?
I am guessing that if I am not the root CA, I need to send these CSRs to the real root CA for those certificates to become legit. Is that what a CSR is for?
A .csr is a certificate signing request to be signed with your CA.crt and CA.key; you won't need to use it on your Mosquitto broker, only CA.crt and client.crt/key are required. If you want to test it out, download the MQTT.fx client to check your MQTT connection with these certificates. http://mqttfx.jensd.de/
The openssl command would be, for example:
openssl x509 -req -in client.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out client.crt -days 365
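A self-contained shell example added here (not code from any of the posts above) that ties the threads together: it generates a CA certificate with the CA flag set as the first answers describe, signs a CSR with that CA the way the Mosquitto answer does, adds the subjectAltName the Traefik question is missing, and then checks each property with openssl before the files are trusted anywhere. WORK, HOST and the example.test hostname are assumed placeholders; the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from any of the posts above: private CA with CA:TRUE,
# a leaf certificate with a SAN issued from a CSR, and the checks a
# practitioner runs before importing the CA into a device or browser.
# WORK and HOST are constructed placeholders.
set -eu
WORK=${WORK:-$(mktemp -d)}
HOST=${HOST:-grafana.example.test}

write_config() {            # v3_ca gives "CA flag set to true"; v3_server gives the SAN
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}
make_ca() {                 # self-signed with -extensions v3_ca, so CA:TRUE is present
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORK/openssl.cnf" \
    -extensions v3_ca -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}
make_server_cert() {        # CSR carries key + subject; the CA adds the SAN via -extfile
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/openssl.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/req.pem" -days 365 -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -extfile "$WORK/openssl.cnf" \
    -extensions v3_server -out "$WORK/cert.pem" 2>/dev/null
}
# Checks: CA flag on the CA cert, host name in the leaf's SAN, chain verifies.
is_ca_cert()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
has_san()      { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
verify_chain() { openssl verify -CAfile "$WORK/ca.pem" "$WORK/cert.pem" >/dev/null 2>&1; }

write_config && make_ca && make_server_cert
is_ca_cert "$WORK/ca.pem" && has_san "$WORK/cert.pem" "$HOST" && verify_chain \
  && echo "CA flag, SAN and chain OK; files are in $WORK"
```

Only ca.pem is imported into the client device or browser trust store; cert.pem and key.pem go to the server (Traefik's certFile/keyFile, Apache, or Mosquitto's certfile/keyfile).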