jdbc:mysql://localhost:3306/MyDb?verifyServerCertificate=true&useSSL=true&requireSSL=true
I downloaded the public certificate from the mySql server and put it into cacerts like this:
keytool.exe -import -alias mysql_dev \
-keystore /c/dev/tools/Java/jre1.8.0_131/jre/lib/security/cacerts \
-file rds-combined-ca-bundle.pem
I generated new keys using keytool like this:
keytool.exe -genkeypair -alias adam \
-keypass changeit \
-keysize 1024 \
-keystore /c/dev/.secure/haa2xt.jks \
-storepass changeit
So now I can see that Java is picking up both my key from the keystore and the server certificate from the truststore, but still I'm getting the PKIX error.
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
I added this debug param to the command line and got some more info which all looks good, and I can see the mySql certificate in there.
-Djavax.net.debug=all
trustStore is: c:\dev\tools\java\jdk1.8.0_131\jre\lib\security\cacerts
trustStore type is : jks
[.....]
keyStore is : C:/dev/.secure/haa2xt.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
*** found key for : adam
What have I done wrong?
It turns out that the keytool import command will only import the first certificate in the PEM file when there are more than one.
This was the only one I checked for as well, so I thought it was fine when actually there were about 15 that I still hadn't imported.
I used this tool to import them all: https://github.com/use-sparingly/keyutil
Related
I have a keystore with 16 certificates inside. different aliases.
When I use this keystore in SiapUi/ReadyApi and hit the url:
https:x.y.z.com/...
I can see the 200 response successfully.
So,When I view the keystore by:
keytool -list -v -keystore keystore.jks
I expect to see word "x.y.z.com" in CN or SubjectAlternativeName But I couldn't!!!
But I can find:
a.b.z.com and a.y.z.com
I have a blah.p7b certificate type PKCS#7 which i want to import it to a java keystore using keytool in order to enable HTTPS on tomcat , i don't have the alias name and keystore when the certificate was generated i took it from the client whose want to enable https on our web-application server that they use, can this works without having the original alias name and keystore ?
when i tried to import the certificate i used this command
keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
but it gives me this error
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mydomain>
Please help...
If you haven't got the original KeyStore you are hosed. You have to generate a new KeyStore, a new keypair, a new CSR, get it signed, and then import the signed cert and its chain into the KeyStore using the same alias as the keypair.
I have an instance of glassfish 4.1.1 running and I added my own certificate to my applications, until then everything is Ok..
But, when I tried to access the glassfish admin(DAS) the connection was unstrusted and the button to add exception disappears.
Then I found some interesting links talking about that, like :
Right way to configure Glassfish SSL certificate nickname?
I tried this:
asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias
asadmin restart-domain domain1
This way the untrusted connection message disappears and the certicate properly appears, but when I try the authentication throw an error:
https://myUrl:4848/j_security_check
According to the comments of the answer from the link, it is very similar what that guy had but I could not solve it doing:
Removing the s1as certificate from ~.gfclient/truststore
Restart the domain with my new alias cert
How could I change the s1as certificate properly? In order to my DAS works...
I'am using Ubuntu 14 with java-1.8.0-openjdk-amd64.
Step 1:
Step 2:
The server log showing these lines:
[2016-10-18T10:38:12.565+0200] [glassfish 4.1] [SEVERE] []
[org.glassfish.admingui] [tid: _ThreadID=51
_ThreadName=admin-listener(2)] [timeMillis: 1476779892565] [levelValue: 1000] [[ javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target;
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target; restRequest:
endpoint=https://localhost:4848/management/domain/anonymous-user-enabled
attrs={} method=GET]]
I finally solved it, why it was happening? Using the #Mike explanation:
That is because there is both a keystore and a truststore for
GlassFish, and the Admin console effectively uses 2-way SSL
authentication for the initial login. If you change the s1as
certificate, you will also need to change the glassfish-instance
certificate
In my case I was trying to use my own certificate but I did not delete the oldest certificates properly on cacerts.jks and keystore.jks files.
I was running the code bellow without firstly remove the s1as and glassfish-instance from files, that was my wrong step...
asadmin enable-secure-admin --adminalias=myNewAlias --instancealias myNewAlias
To your Domain Administration Server (DAS) on Glassfish 4.1.1 run with your own certificate you must follow these steps:
1) Insert your own certificate into cacerts.jks and keystore.jks files:
In my case I am using certificate pkcs12:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts.jks -srckeystore myOwnCert.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias myOwnAlias
If you have another kind of certificate you must search how to insert inside this two files your certificate type:
$GLASSFISH_HOME/domains/domain1/config/cacerts.jks - truststore -
holding all the public keys
$GLASSFISH_HOME/domains/domain1/config/keystore.jks - keystore - holding all the private keys
References:
Session 6. Security configuration before first startup:
https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-41-on-ubuntu
http://peter-butkovic.blogspot.com.es/2013/02/glassfish-default-keystore-and.html
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn9ed3e997=3
https://glassfish.java.net/docs/4.0/security-guide.pdf
2) Delete the oldest self-signed certificates:
By default, when you run the command enabled-secur-admin the certificate assigned to this instance is s1as and the public is glassfish-instance, as explained by #Mike into another stack-overflow question the certificates remains even if you force to run with another certificate. Delete both using these commands:
#Restart your domain without secure-admin
$GLASSFISH_HOME/bin/asadmin disable-secure-admin
#Go to your domain config folder to remove the certificates:
cd $GLASSFISH_HOME/domains/domain1/config/
keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
keytool -delete -alias glassfish-instance -keystore keystore.jks -storepass changeit
keytool -delete -alias glassfish-instance -keystore cacerts.jks -storepass changeit
keytool -delete -alias s1as -keystore cacerts.jks -storepass changeit
References:
Thanks #Mike: Right way to configure Glassfish SSL certificate nickname?
https://glassfish.java.net/docs/4.0/security-guide.pdf (page ~80)
3) Restart the security-admin with your own alias set on the first step
$GLASSFISH_HOME/bin/asadmin enable-secure-admin --adminalias=myOwnAlias --instancealias myOwnAlias
$GLASSFISH_HOME/bin/asadmin restart-domain
In theory, it is done, You'll be able to access the DAS with your own certificate... ;)
I configure SSL in my current spring-boot project this way:
generation of the keystore file:
keytool -genkey -alias ... -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validi
ty 3650 -dname "CN=Kleber Mota, OU=lojadesoftware, O=Itabuna, L=Brazil, ST=Unknows, C=BR" -keypass ... -storepass ...
application.properties (added this lines):
# EMBEDDED SERVER CONFIGURATION
server.port=8443
server.ssl.enabled=true
server.ssl.key-alias=...
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=...
server.ssl.key-password=...
after that, when I run the application and go to url localhost:8443 I only got an error "Empty response from server".
Anyone can give a hint of what I am missing here?
if your application is running and has explicit mapping for (/) try the following, it should work
curl k https://localhost:8443
curl -k https://localhost:8443 ( this one is insecure)
curl -k -1 https://localhost:8443
I'm trying to retrieve the index page of a forum that uses SSL certificates using java:
WebClient webClient = new WebClient(...);
HtmlPage sectionPage = webClient.getPage("https://rstforums.com/");
I've disabled SNI as recommended here programmatically prior to invoking any SSL related methods. Following the second answer to this question and the third from this one I added the forum's certificate to the certificate list:
C:\Program Files\Java\jdk1.8.0_65\jre\lib\security>keytool -import -alias RST_CERT -file forums_certificate -keystore cacerts
where forums_certificate contains:
-----BEGIN CERTIFICATE-----
MIIDmjCCAoKgAwIBAgIQLIJ9H3N2RZkAeZ8Jmma6RzANBgkqhkiG9w0BAQsFADBI
MRswGQYDVQQDExJFU0VUIFNTTCBGaWx0ZXIgQ0ExHDAaBgNVBAoTE0VTRVQsIHNw
b2wuIHMgci4gby4xCzAJBgNVBAYTAlNLMB4XDTE1MTEyNDEyNTI0MFoXDTE2MTEy
NDEyNTMyMlowWjELMAkGA1UEBhMCUk8xGjAYBgNVBAMTEXd3dy5yc3Rmb3J1bXMu
Y29tMS8wLQYJKoZIhvcNAQkBFiByc3Rmb3J1bXMuY29tQGRvbWFpbnNieXByb3h5
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK9jSCt9p+g3wdP9
KhmNQuB5NZMlDoL0A5ONzUat5RPf1iQ91+1EWfS1j93X6m5mMSs5+RMc259TjMPv
oxSq9lK7Z0ZwUdHPkjVmMDKOOlho2zh1ZTh7W26dT8UmeuofgFCxaJBuThalWkpg
qT5GgpcuIXWQVlB4vD43/wdPhWFUZ1QhFgK/HppiXVfKNbBRNM69iSbjzkBbstXI
68yLxtbzwOqEdIpJ5CWxQCr0+BCk7SPGHyXbJaVL1SuQ/7Th8PkJd43bBTLsVY5w
WemSZfEoqeCeHUxeMSdMy1FKkUBTlvZBn+KBVUAJ419rE+Jgrp4tikwjJxEjB/Ko
Uwdkb9ECAwEAAaNuMGwwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATAd
BgNVHQ4EFgQU9+VnJO4u71+3bAS9hYFiXtzG+FswKwYDVR0RBCQwIoIRd3d3LnJz
dGZvcnVtcy5jb22CDXJzdGZvcnVtcy5jb20wDQYJKoZIhvcNAQELBQADggEBAHxq
icR/mSh0TTQlb6SreCyxNyO4KflAOnp3yFnFStVo7wxI5Ixb2jCUP/IGxSwJeN2p
AEzAWXls9NoMVcEIbIfGcdsvJS1yyh6GeWVzBrMNOde1/2590ipsPKyQAk2j1zPl
96kWnPWTB6DtSbB3AI4dWeawwkh2D5+NL5HMjQwm3Lb3EhKQgBPLboygg12E+JXP
ydZjIZWC/42nN5ZMHXXrGnxac5F3tMwkyng0qDWLpSoa3c3ep43Tgwo08RFuZzuV
7hvvG006M4QMQj/nbQXzhbjko3cRVegvV9xKnNxe5oCArTK5HNkfPhEM/G48ed4h
z99OS5+RiB/NLTfzlPc=
-----END CERTIFICATE-----
The certificate has been successfully added and appears in the keystore when listing its entries:
rst_cert, Feb 3, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 25:39:98:FC:FF:DE:2D:24:BC:F0:78:93:D6:2E:5A:55:64:D5:09:8A
When I try to rerun the application making a new request, the same error is given:
sun.security.validator.ValidatorException: PKIX path building failed: sun.securi
ty.provider.certpath.SunCertPathBuilderException: unable to find valid certifica
tion path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
a:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.j
ava:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerIm
pl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMan
agerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1491)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav
a:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.
java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBu
ilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCert
PathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 15 more
I have the suggestions here (downloaded SSLPoke) but the error persists. Why isn't the certificate recognized?
I've managed to remove and add the certificate to the keystore using openssl (from cygwin (I am working on Win7)).
To retrieve the certificate using openssl:
openssl x509 -in <(openssl s_client -connect rstforums.com:443 -prexit 2>/dev/null) -out ~/rst_cert.crt
To remove the current rst_cert from the store:
keytool -delete -alias rst_cert -keystore cacerts
To add the certificate downloaded using openssl:
keytool -importcert -file ~/example.crt -alias example -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
The certificate downloaded using firefox was apparently invalid.
For localhost developers,
After hours of doing things like adding certificates to cacert, generating jks files, using InstallCert.java... Here is the solution, ignore the certificate, override the TrustManager, works like a charm:
http://www.rgagnon.com/javadetails/java-fix-certificate-problem-in-HTTPS.html