jax-ws tomcat7 ssl certificate - ssl

I developed a web service to be consumed by another team.
These were my steps:
developed a web service with jax-ws 2.2.8 and jdk 1.7
deployed the web service to run on Tomcat 7
generated the client classes
created a self-signed server certificate using the jdk's keytool
configured Tomcat to support SSL connection
exported the generated server certificate to a certificate file
imported the server certificate into the truststore file
specified CONFIDENTIAL transport-guarantee in web.xml for the web service's servlet
developed a test client to consume the web service using the client classes
So then the other team started working with it and I was informed that the certificate is not properly signed. Is a self-signed certificate improperly signed? Is that true? I didn't think so. Well I don't want to argue the point. I was informed that they have their own signing authority that is already trusted by most of their system and it was suggested to me that I replace my cert with the one that is signed by the certs displayed in two screenshots that I was provided. I wasn't provided any further information but I guessed the screenshots were taken in Internet Explorer, Tools, Internet Options, Content, Certificates, Intermediate Certification Authorities, then in the list I found a certificate and clicked on View, clicked on Certification Path and my screen matches the screen of the other team member with one exception. His screen displays:
Company Name Root CA
Company Name Issuing CA
teamname.companyname.com
Whereas my screen only displays:
Company Name Root CA
Company Name Issuing CA
I don't see the
team.companyname.com
on my screen and not too sure how that got there or if I need that.
Then I clicked on Details and compared Version, Serial number, Signature algorithm, Signature hash algorithm, Issuer, Valid from, Valid To, Subject and Public key and they are all the same. The rest of the fields are not visible in the screenshot.
So where do I go from here? I am not certain.
According to: Apache Tomcat 7 documentation, Tomcat operates only on JKS, PKCS11 or PKCS12 format keystores.
My questions are these:
1) Should I export the certificate using the Certificate Export Wizard? (I am using Windows 7)
2) If so, should I select the format Personal Information Exchange - PKCS #12 (.PFX)?
3) And if so, which of the following options need to be selected?
Include all certificates in the certification path if possible
Delete the private key if the export is successful
Export all extended properties
Wait! Hold on! I just tried to select Personal Information Exchange - PKCS #12 and it is disabled. Hmmm.
Is there a way to export the certificate from the browser for the purposes of somehow getting a keystore format supported by Tomcat? And I must add that I don't know how to get from point a to point b and any help would be appreciated. And it also concerns me that my certificate doesn't display:
teamname.companyname.com
in
Company Name Root CA
Company Name Issuing CA
teamname.companyname.com
Any ideas/suggestions/feedback would be greatly appreciated as I not too familiar with certificates!

None of the above.
You need to follow the same steps you used to create your self-signed certificate but after you have created your Certificate Signing Request (CSR) you need to give that to the other team to get them to sign it with their Certificate Authority (CA). Then you continue as you did before.

Related

Add Service Refrence in VS19 that requires authentication with client certificate

How do I add a Connected Service that requires a Certificate?
I need to call a SOAP API developed by another company. The company has supplied me with a pfx-file based on a cer-file I've created. I've installed the certificate in "Trusted Root Certification Authorities" (in local computer and current user) using the supplied password. But when i try to add a WCF Web Service Provider either through the URL or the wsdl-file I get the error: "Could not create SSL/TLS secure channel", and the addition of the service is abandoned.
When I contacted the company they asked me to check if the certificate was installed correctly by calling the API from SOAP UI (adding a jks-file they gave me) - this works fine. They could not be of further assistance.
I'm writing a aps.net core web application and using .net core 3.0 in VS19
I'll have to mention that this is my first practical encounter with certificates and the question might be somewhat in concise.
The PFX might contain more than one certificate.
Are you shure you created a .cer (Certificate) and not a .csr (Certificate signing request)?
Nonetheless, the certificate must be in the personal store and the the certificate that issued it must be place into the Trusted Root Certification Authorities (if it is the last one in the chain).
Here is an example ( i ran certlm.msc and clicked the end entity certificate:
Sectico is the root certificate and goes to Trusted Root Certification Authorities
COMODO RSA ... is the intermediate certificate and goes to Intermediate Certification Authorities
Daniel... is the end entity certificate and goes to Personal
I recommend to import into Personal and then move (drag-drop) the certificates.
For the end entity there must be a private key associated - which can be identified by the key icon:
Microsoft also provides some documentation on the topic: https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648360(v=pandp.10)?redirectedfrom=MSDN

Old client's SSL certificate and new certificate with same pub/private key

Situation: we can't update der file on the client's device. And the SSL certificate on our web server expires soon.
Is it possible to renew the server's SSL certificate without replacing the client's certificate?
We want to follow this guide: https://www.smashingmagazine.com/how-to-issue-a-new-ssl-certificate-with-an-old-ssl-key/
However, we are not sure if it helps.
The question is:
Does the der file (on the client side) contain only public key and it is safe to renew SSL certificate using the technique described in the link above (keeping same pub/private keys).
Will it work on client's device without replacing der file? Or der file contains not only the public key for SSL certificate but also some other information?
I'm afraid, but based on your original post and clarifications, client will expect from web server the same server certificate as stored in DER file on client device. Client performs exact binary copy comparison (not only public keys).
Any attempts to replace server certificate will result in a connection failure on client. If you plan to replace the certificate on web server, you will have to update client devices as well.
Unfortunately, there are a lot of flawed HPKP implementations (to be honest, didn't see any reliable implementation) that work fine until server certificate is changed. In order to properly handle server certificate replacement, client MUST be able to store at least two server certificates, existing and new one. Here is the high-level server certificate replacement process:
acquire new server certificate from CA in advance.
make application update by including new certificate side-by-side. When client updates the application on their device, client app will trust both, existing and new certificate.
give clients a time to make app update on their devices. Ideally, you should wait until all clients have updated app version with updated certificate.
change SSL certificate in server bindings.
after aa time you can make another update for client certificate by removing expired certificate from trust store.
only this step sequence may guarantee uninterrupted certificate pinning renewal.

Ask for client certificate IIS7.5 when accessing certain folders

We've an ASP.NET MVC4 app where there is a part which should be secured through client certificates.
When anyone wants to connect to this part of the app, browsers should ask them for a client certificate, once they select it, our server will get it, check it's validity and show the content.
Ok, I'm getting trouble with the select certificate part. Before setting it just to one folder on views content, I'm trying to configure this on the global app.
I've set SSL to be required, and also set require client certificates on SSL Configuration on apps configuration on IIS.
I've enabled the iisClientCertificateMappingAuthentication (although I've set no mapping yet)
When I try to access the app both, Firefox and Chrome, return a 403 forbidden error, stating that I have no access to the app with the credentials provided.
I've a client certificate installed on my local machine and the CA who created this certificate as a trusted root certificate on server local machine.
I'm not being prompted for certificate.
If I uncheck the "require" from client certificates on SSL Settings, I can access the app through https.
This is the first time I work with client certificates, so it's being a bit confusing and maybe I'm not giving enough info. Feel fre to ask for further info on the comments.
EDIT: I've exported the client certificate, copied it to the server and checked it there. The certificate shows as valid and every element in the certification chain seems to be recognized in the server.
I've checked IIS logs also, and the error I'm getting is 403.7, so the certificate is not being issued to the server or it's invalid.
Now... I've checked that the certificate is valid on the server, it's correctly installed on the client but it's not getting to the server or is not beign validated there... what am I missing here?
Ok, finally I've found the problem, it's related to the buffer size reserved for the list of trusted certification authorities.
Check this kb article:
https://support.microsoft.com/en-us/kb/933430
TL DR; To solve the problem just add a new entry in the registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
named SendTrustedIssuerList as a DWORD value with value 0.
This way, the server won't send the trusted certification authorities list, so browsers will display the complete list of certificates to the user.

Azure Websites SSL Intermediate certificate

Azure Websites now supports SSL and allows you to upload a certificate. I have a GoDaddy certificate that I have uploaded and although this works fine for 80% of users it seems that Windows XP users browsing the site in Internet Explorer are given the following error:
There is a problem with this website's security certificate.
On further investigation it seems like I may need to provide an intermediate certificate but I can not find how to supply a Godaddy intermediate certificate (I have one) for my Azure Website.
Can anyone tell me if there is a solution to the intermediate certificate issue?
I followed the following step process when I was setting up SSL in Azure using GoDaddy as CA. (Notice the highlighted line below that might be your key):
Create a Certificate Signing Request (CSR) on the web server (local IIS, not Azure)
Send CSR to CA (Certificate Authority – GoDaddy) and specify alternative domain names (if you've paid for that possibility)
Download certificate from CA
Import certificate to web server (local IIS, not Azure)
Import the intermediate certificates from CA into local computer (where you have IIS)
Export the certificate as PFX file from IIS and give it a password
Import PFX file into Azure together with password
Bind configured domain names to the certificate in Azure
There are a few different ways to create the CSR file. I used IIS Manager on my local developer computer.
You can read an extended version of the list here where all the steps are more thoroughly explained.
Had a reply on twitter from Microsoft, the reply they give is as follows: "this is a known issue. Not an oversite but rather a bug... Check the MSDN support forum" I checked my post on MSDN forums and the reply they left there is "We will have this support soon".

Create my own intermediate cetification authority from commonly trusted certificate

I have a simple question (maybe stupid) and i didn't find any clear answer to it. If i get a certificate from a trusted signing company (like verisign...) for one of my server (web for instance), i'll have private an public keys. With this certificate can i set up my own intermediate CA and sign cert request and the be trusted by every one (i know that's shouldn't be..)? My real question is : what will prevent me for issuing certificate and how the company can garanty that nobody does ??
Thanking in advance!
The certificate issued for your web site is suitable for SSL/TLS and is not suitable for issuing other certificates (Key Usage field is different). Consequently while you technically can generate another certificate using yours as a CA, such generated certificate won't be trusted by properly implemented and configured validators (those that check Key Usage).
You are not paying verisign or other certificate organisation for the certificate publishing but for the certificate validation, this meens that they have web services that respond if your certificate is valid or not, if it is still active and not expired and your contact information as requested.
Unfortunatly this is something you have to live with it and pay them if you really need ssl over your site.
I have used a homemade certificate for my lan server and when i visit this https site a big red warning notifies me that this site is malicious and it has not a valid certificate. This doesn't bother me but I am sure that all of my clients would have freeked out if they see such a bold warning popping up to their browser.
what can you do? it's a companies' world