Good day,
As my understanding, if an application needs to connect to a https web service, I have to download the cert from the URL and import the cert to WAS Console. This is working fine for me.
Until today, the application has to call a new https URL. Same way, I download the cert and import the cert into WAS Console, but application hitting peer not authenticated error.
After my checking, this URL is using CA cert, not the self-sign cert that I imported usually. May I know is it the way to import CA cert into WAS Console different?
Based on the screen shot below, I imported total 3 cents.
Am I doing the correct way? or for CA cert URL, I need to ask cert from the URL owner? instead of downloading myself.
Will it be caused by protocol issue? I already set the WAS setting protocol to SSL_TLSv2
Kindly advise.
WebSphere has a "retrieve signer from port" function in the SSL Certificate Management UI. That will connect to the host/port you instruct it to and find the root, self-signed issuer (if the server sends it, it's not required) and add it as trusted.
If the server does not send its root, self-signed issuer, you can always look at the last certificate it provides in the chain and add it manually.
Related
I am a newbie when it comes to SSL. So I could use some expertise here regarding my situation.
I have a Java based web app that makes SSL API calls. The API and web app, both are hosted in the same server (myserver), and web app makes API calls. Now for testing purpose, we created a self signed certificate with the local domain name and server name (myserver.mydomain.local) and added to the cacerts. SSL handlshake works as desired.
But now, our client is using a CA certificate which they imported to cacerts. And during the SSL handshake, the web app client complains that the certificate issued by the
CN=abc-dns.com,OU=Root Certificate, OU=WASFarmLLLCell01, OU=WASFarmLLLCellManager01, O=IBM, C=US is not trusted; where abc-dns.com is the server name where the API is hosted through Web Sphere.
Do they need to add a self signed certificate in the trust store with the server name abc-dns.com in it to resolve the SSL handshake? Any tips will be greatly appreciated.
The public key from abc-dns.com needs to be added to the truststore of the server that is throwing the handshake exception. There are multiple ways of doing that, here's one:
https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/usec_sslretrievesignercert.html
I've got an app written using the Spark Java framework, with TLS enabled.
See:
Service https = ignite()
.port(8443)
.secure(keystorePath, keystorePass, truststorePath, truststorePass);
This is being served on port 443 via an iptables rule that redirects incoming 443 to 8443.
The problem I am having is that when using the Qualys ssl labs test (https://www.ssllabs.com/ssltest/) the server is not providing the intermediate certificates that have been configured in my truststore.
Similar results occur when I use openssl s_client:
Verify return code: 21 (unable to verify the first certificate)
Along with
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=21:unable to verify the first certificate
verify return:1
From what I can tell, it appears that the server (spark java app, or embedded Jetty I suppose) is not serving up the intermediate certificates for chain validation.
Browsers see the site as secure, but I believe that's because the browsers are downloading the necessary intermediate certificates on their own.
The reason that this is a problem is that I am trying to use Stripe payment webhooks, and they have strict regulations in terms of the TLS cert chain being valid.
I am not sure where to begin on figuring out why these intermediate certs are not being served by my app. Could anyone offer some advice?
I have more or less the same exact problem. I followed the instructions at the Java Spark website (sparse that they are) and only get a Server Error for my efforts.
I imported a third-party certificate in my keystore file. I generated the CSR externally to the java keytool.
I moved the keystone file on the server where the "mydomain.com" exists.
I have the same basic code to do a test "secureHello" (per their documentation), passing the path to the keystore.jks file as the first parameter, and the password as the second.
RESULT: SERVER ERROR.
Not sure what I can try next. Clearly, I'm missing something.
4 hours banging my head on the desk so far (today)...
I am using Spring Security to authenticate using an x.509 certificate, and it works only when the client certificate which is configured in the browser key-store is present in server trust-store.
How it is working currently:
I have configured the SSL client authentication as optional (server.ssl.client-auth=want , like in this post)
I have configured a server trust-store that contains all client certificates. If the certificate presented by the client is in the trust-store, the mutual SSL connection is created.
When I have the client certificate(s) present in the server-side trust-store, Firefox opens a popup with my client-side certificate(s), which I can choose and the mutual SSL connection is established.
I have configured Spring Security to extract the username from the SubjectDN of the client certificate and check it against a UserDetailsService. If a UserDetails object is returned for that username, the authentication process completes successfully
The problem is that if I remove the client-certificate from the server-side trust-store, Firefox doesn't open this popup anymore, and only a one-way SSL connection is made. Even if the Root CA cert is present in the server trust-store.
What I want:
store in the server trust-store only the certificate of a Root Certificate Authority
allow mutual SSL connection when the client presents a certificate issued by the Root CA in the server trust-store (even if the client certificate isn't present in the server trust-store)
I am also intrigued by two resources on the internet. In this tutorial on Baeldung, it says that all client certificates must be stored in the server trust-store for X.509 auth to work (which confirms my experience).
You must remember that for each user that should be verified by the server, its own certificate needs to be installed in the configured truststore. For small applications with only a few clients, this may perhaps be practicable, with an increasing number of clients it may lead to complex key-management for users.
However, this tutorial by #robinhowlett says that
The client will present its certificate in its keystore to the server, and the server will validate the client certificate’s chain using the CA certificate in the server’s truststore.
This is basically what I want to achieve, but am not able to.
Bottom line: did someone manage to store one or more Root CA certificates in the server trust-store and use client certificates issued by these Root CAs to authenticate via X.509 mutual SSL handshake in Spring Security?
I am using Spring Boot 1.5.2.RELEASE (spring-security-web 4.2.2.RELEASE). I have tested my working SSL authentication with Firefox 53.
I found my problem - I was modifying the trust-store (removing the client cert and leaving only the CA cert) while the server was up (Tomcat, in my case). But the trust-store is kept in memory and gets read only once, when the JVM is initialized (details on this ServerFault post). So trust-store changes are not being read during runtime by Tomcat.
So the answer is simple: yes, if only CA certs are present in the trust-store, during the SSL handshake the server communicates to the browser it wants client certificates issued by the trusted CAs and then the browser prompts the user to select a certificate that is issued by a trusted CA (if such a cert is present in the browser keystore).
However, if a CA is added dynamically to the server trust-store while the server is up and running, it won't be detected. The new CA will only be recognized after the server reboots (and the JVM is re-initialized).
If so, How do you set certificate for authentication, what files do you need? is it .pfx? How would you install that in browser? Been stuck trying to test 2 way ssl through browser. I have a webservice, and trying to connect always returns certification authentication failed.
Expanding on nickrak's answer. 2-way SSL means that the client trusts the webservice, and that the webservice trusts/authenticates the client.
On the webservice side:
Add the client's CA cert into the webservice's trusted certificates. The "CN" in the webservice server certificate must match the URL of the webservice. The webservice server certificate must not be expired. The webservice may choose to do further authentication based on the client certificate...for example, is the client certificate in a "whitelist" of authorized clients. Perhaps the webservice has multiple levels of access, so the client certificate is checked to determine how much access to give the client.
On the client side:
The CA that signed the webservice server certificate will need to be added to the client's trusted certificate list. In a browser, this will be in the "Trusted Root Certification Authorities" section (IE, Chrome) or "Authorities" section (Firefox). The extensions for these certificates are usually .der, .cer, .crt, or .pem. Also, the client's own private key/certificate combination need to be added to the client browser. This will be in the "Personal" section (IE, Chrome) or "Your Certificates" (Firefox). The extensions for these keystores are usually .p12 or .pfx.
Add the client's CA's public certificate to the Trusted Root Certificate Store.
Add the client's public and private key to the browser's Personal Certificate Store. (usually a pfx, but might also be a der/pem/crt/cer.)
Navigate to page requiring certificate
Optionally, depending on browser: select the certificate you want to use for this connection.
Hopefully, success.
I have a thrift endpoint that someone created who is not longer with our company. They implemented the authentication via client side certs, but I having a hard time wrapping my head around how it all works. Does anyone know of a tutorial, or howto on this topic.
All I really have is a sample client class. Here are a list of things that I need help with:
Can a server cert and the client cert both be contained in the same trust store
How do you create a new client side cert?
How do you add that client side cert to the server trust store?
Do you need to set the client trust store, and set the java trust (assuming the server is a self signed endpoint)
What does the following error mean?
ERROR[com.cada.CadaDaoTest][main] - Error:
org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
The truststore (on Tomcat it's configured forthe SSL connector in server.xml) can hold the root of the certificate chain of the client certificate, not the certificate itself. That is, when a certificate is created, it is signed by a CA - certificate authority. If the CA cert is trusted, all certs singed by the CA are trusted as well.
You can create certificates using either keytool (in jdk/bin/) or openssl. There are GUIs for that, like portecle.
The tomcat ssl tutorial might be helpful.