I'm trying to install an SSL certificate into Glassfish 4.1.1.
I've done the following:
keytool -importkeystore -srckeystore /home/user/domain.com.jks -destkeystore /opt/glassfish4/glassfish/domains/domain1/config/keystore.jks
keytool -import -trustcacerts -keystore keystore.jks -alias root -file root.crt
keytool -import -trustcacerts -keystore keystore.jks -alias intermediate1 -file 1_cross_Intermediate.crt
keytool -import -trustcacerts -keystore keystore.jks -alias intermediate2 -file 2_issuer_Intermediate.crt
keytool -import -trustcacerts -keystore keystore.jks -alias domain_com -file 3_user_domain.com.crt
Then I renamed the SSL reference for http-listener-2 from 's1as' to 'domain_com' in server-config using the Administration Console.
And I restarted the domain via the Administration Console's 'restart' button.
After that, I cannot access my application at https://domain.com:8181. Error:
ERR_CONNECTION_RESET
And I cannot even access the Administration Console at https://domain.com:4848, with
ERR_CONNECTION_CLOSED
Where can I see what happens, and how can I properly configure SSL?
One more remark: the keystore password and the GlassFish master password are both the default password (changeit) and match each other. I've verified this.
Can you provide some clues of where to look?
Thank you in advance!
UPDATE: In the GlassFish logs I have the following exceptions:
[2016-08-17T10:29:53.142+0000] [glassfish 4.1] [WARNING] [] [javax.enterprise.network.config] [tid: _ThreadID=43 _T$
GRIZZLY0050: SSL support could not be configured!
java.io.IOException: A MultiException has 2 exceptions. They are:
1. java.lang.Error: java.security.UnrecoverableKeyException: Cannot recover key
2. java.lang.IllegalStateException: Unable to perform operation: post construct on com.sun.enterprise.security.ssl.$
at org.glassfish.grizzly.config.ssl.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
at org.glassfish.grizzly.config.SSLConfigurator.initializeSSLContext(SSLConfigurator.java:249)
at org.glassfish.grizzly.config.SSLConfigurator.configureSSL(SSLConfigurator.java:131)
at org.glassfish.grizzly.config.SSLConfigurator$InternalSSLContextConfigurator.createSSLContext(SSLConfigur$
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:209)
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:186)
at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:293)
[2016-08-17T10:29:53.143+0000] [glassfish 4.1] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] $
GRIZZLY0013: Exception during FilterChain execution
java.lang.NullPointerException
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:214)
at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:186)
at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:293)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:283)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:132)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:111)
You forgot to insert your certificates in cacerts.jks.
Include the root and intermediate certificates in cacerts like this:
keytool -import -trustcacerts -keystore cacerts.jks -alias root -file root.crt
keytool -import -trustcacerts -keystore cacerts.jks -alias intermediate1 -file 1_cross_Intermediate.crt
keytool -import -trustcacerts -keystore cacerts.jks -alias intermediate2 -file 2_issuer_Intermediate.crt
The domain certificate does not need to be inserted in cacerts.jks.
You probably still need to work on your keystore. You could use KSE to edit the key; it is much easier for handling certificates.
Are you sure that the keystore, and the certificate entry, both have the password "changeit"?
Is the certificate chain right for this certificate entry?
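An added example, not code from the question or from the answers above, that checks the two things this thread asks about: whether every private-key entry in the GlassFish keystore opens with the password the server uses, and whether each entry's certificate chain validates against the trust store. The first exception in the log, java.security.UnrecoverableKeyException: Cannot recover key, is what the JKS implementation throws when a key entry's own password differs from the one supplied. GlassFish supplies its master password for both the keystore and the keys inside it, so a key carried over by -importkeystore with its own key password fails even when the store password is changeit, and an alias that only holds a trusted-certificate entry has no key to recover at all. The file names, the password changeit and the command line below are taken from the question; the class name is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Usage: java KeyStoreCheck <keystore.jks> <storepass> <cacerts.jks> <truststorepass>
 * Reports, per alias: entry type, whether the key opens with the store password,
 * and whether the chain validates against the trusted entries of the trust store.
 */
public class KeyStoreCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // both GlassFish stores are .jks files
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True when the private key under alias opens with the given password. */
    static boolean keyPasswordMatches(KeyStore ks, String alias, char[] password) throws Exception {
        try {
            Key key = ks.getKey(alias, password);
            return key != null;
        } catch (UnrecoverableKeyException e) {
            return false; // the same exception that appears in the GlassFish log
        }
    }

    /** PKIX-validates the chain against the trust store; a self-signed root at the end is dropped. */
    static String validateChain(Certificate[] chain, KeyStore trustStore) throws Exception {
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            // the anchor must come from PKIXParameters, not from the path itself
            if (x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) break;
            path.add(x);
        }
        if (path.isEmpty()) return "chain holds only a self-signed certificate";
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // trusted entries become anchors
        params.setRevocationEnabled(false); // offline check; enable it for a production audit
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = args[1].toCharArray();
        KeyStore ks = load(args[0], storePass);
        KeyStore trust = load(args[2], args[3].toCharArray());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                // a listener's cert-nickname must point at a key entry, not at one of these
                System.out.println(alias + ": trusted-certificate entry, no private key");
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.printf("%s: key opens with store password: %b, chain length %d%n",
                    alias, keyPasswordMatches(ks, alias, storePass), chain.length);
            System.out.printf("%s: chain validation: %s%n", alias, validateChain(chain, trust));
        }
    }
}
```

Run it as java KeyStoreCheck /opt/glassfish4/glassfish/domains/domain1/config/keystore.jks changeit /opt/glassfish4/glassfish/domains/domain1/config/cacerts.jks changeit. An entry that reports false for the key password can be fixed in place with keytool -keypasswd -alias <alias> -keystore keystore.jks, giving it the master password; if the alias named in the listener's certificate nickname is listed as a trusted-certificate entry, the private key was imported under a different alias and the listener must reference that one instead.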
I have generated self-signed certificates with OpenSSL:
Root CA: cacert.crt (the root CA certificate), and root_key.pem (for the root private key).
Client: client_cert.crt (the client certificate), and client_key.pem (for private key).
Server: server_cert.crt (the server certificate), and server_key.pem (for private key).
Both client and server certificates are signed with the root key.
As I understand it, for two way SSL the server truststore should include the client certificate and the client truststore should include the server certificate.
My question is how to generate with keytool the two pairs of client/server truststore/keystore starting from these certificates/keys.
After some research, I found the following steps:
For client keystore:
openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_cert.crt
For client truststore:
keytool -import -file cacert.crt -alias cacert -keystore ClientTruststore
keytool -import -file server_cert.crt -alias servercert -keystore ClientTruststore
For server keystore:
openssl pkcs12 -export -out server_key.p12 -inkey server_key.pem -in server_cert.crt
SET PASSWORD=MyPassword
keytool -genkey -alias server -keyalg RSA -validity 3650 -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD%
keytool -importcert -alias rootCA -keystore server.keystore -storepass %PASSWORD% -keypass %PASSWORD% -file cacert.crt
keytool -v -importkeystore -srckeystore server_key.p12 -srcstoretype PKCS12 -destkeystore server.keystore -deststoretype JKS -deststorepass %PASSWORD%
For server truststore:
keytool -import -file cacert.crt -alias cacert -keystore ServerTruststore
keytool -import -file client_cert.crt -alias client -keystore ServerTruststore
I tested it with a very simple SSL Client/Server by running the program:
java -Djavax.net.ssl.keyStore=server.keystore -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ServerTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloServer.jar
java -Djavax.net.ssl.keyStore=client.pfx -Djavax.net.ssl.keyStorePassword=MyPassword -Djavax.net.ssl.trustStore=ClientTruststore -Djavax.net.ssl.trustStorePassword=MyPassword -jar HelloClient.jar
It is working fine.
Any suggestions of improvements are welcomed.
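As an added example that is not code from the post above, here are the same four stores driven from Java instead of through the -Djavax.net.ssl.* system properties. Each side's SSLContext is built from its keystore (the identity it presents) and its truststore (what it accepts), the server demands a client certificate, and a loopback handshake prints the principal each side saw. File names, store types and the password MyPassword are those of the post; the class name is mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Loopback two-way TLS handshake between the server and client stores built above. */
public class MutualTlsCheck {

    static KeyStore load(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    /** identity = what this side presents (keystore); trust = what it accepts (truststore). */
    static SSLContext context(KeyStore identity, char[] keyPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "MyPassword".toCharArray(); // the password used throughout the post
        SSLContext server = context(load("server.keystore", "JKS", pass), pass,
                                    load("ServerTruststore", "JKS", pass));
        SSLContext client = context(load("client.pfx", "PKCS12", pass), pass,
                                    load("ClientTruststore", "JKS", pass));

        try (SSLServerSocket ss =
                     (SSLServerSocket) server.getServerSocketFactory().createServerSocket(0)) {
            ss.setNeedClientAuth(true); // two-way TLS: a client without a trusted cert is rejected

            Thread serverThread = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake(); // fails here if the client cert is not trusted
                    System.out.println("server: client authenticated as "
                            + s.getSession().getPeerPrincipal().getName());
                    s.getOutputStream().write("hello\n".getBytes(StandardCharsets.US_ASCII));
                } catch (Exception e) {
                    System.out.println("server: handshake failed: " + e);
                }
            });
            serverThread.start();

            try (SSLSocket s = (SSLSocket) client.getSocketFactory()
                    .createSocket("localhost", ss.getLocalPort())) {
                s.startHandshake(); // fails here if the server cert is not trusted
                System.out.println("client: server presented "
                        + s.getSession().getPeerPrincipal().getName());
                System.out.println("client: received " + (char) s.getInputStream().read());
            } catch (SSLHandshakeException e) {
                System.out.println("client: handshake failed: " + e.getMessage());
            }
            serverThread.join();
        }
    }
}
```

Two points this makes visible. Because both leaf certificates are issued by the same root, the cacert entry alone is what makes each truststore accept the peer; the extra leaf entries do no harm but are not what the handshake relies on. And setNeedClientAuth(true) is the switch that turns one-way into two-way TLS: without it the server never sends a CertificateRequest and the client keystore is never consulted. Plain SSLSocket performs no hostname verification, so a CN that does not match the host is not caught here; HttpsURLConnection and browsers do check it.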
I'm trying to set up a Eureka discovery server with HTTPS enabled on a different machine (say 192.168.1.10) with
keytool -genkey -keystore eurekaserver.jks -alias eurekaserver -storepass server1 -keypass server1 -dname "CN=server1, OU=server1, O=server1, L=kvp, S=TN, C=IN"
keytool -export -alias eurekaserver -file eurekaserver.crt -keystore eurekaserver.jks
keytool -import -alias localhost -file client1.crt -keystore eurekaserver.jks
And I tried to view the Eureka dashboard in another machine's browser (say 192.168.2.20):
keytool -genkey -keystore client1.jks -alias client1 -storepass client1 -keypass client1 -dname "CN=client1, OU=client1, O=client1, L=kvp, S=TN, C=IN"
keytool -export -alias client1 -file client1.crt -keystore client1.jks
keytool -import -alias eurekaserver -file eurekaserver.crt -keystore client1.jks
and converted the JKS to P12 format and added it as a certificate.
But in the browser the error received is
ERR_BAD_SSL_CLIENT_AUTH_CERT
Can anyone help? What could I possibly be doing wrong?
This is the command I am running in cmd:
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts -storepass changeit
The error is:
illegal option: Files\Java\jdk1.8.0_161\jre\lib\security\cacerts
Has anyone got an idea as to what is going wrong?
Use
keytool -importcert -noprompt -trustcacerts -alias microsoftgraph -file C:\Users\myuser\Desktop\cacerts.jks -keystore "C:\Program Files\Java\jdk1.8.0_161\jre\lib\security\cacerts" -storepass changeit
I have signed a JAR file using a certificate I received from a trusted CA.
I followed the complete code-signing process: creating a keystore, creating a CSR, submitting the CSR to the CA and receiving the certificate, importing the certificates into the keystore (root, chain and code-signing certificates) and then signing the JAR file.
The steps I used are below:
keytool -genkey -keyalg rsa -keysize 2048 -alias myalias -dname "CN=##,O=##,L=##,ST=##,C=##" -keystore mykeystore -storepass mypass
keytool -certreq -alias myalias -file certreq1.pem -keystore mykeystore
keytool -import -trustcacerts -alias myalias1 -file root.crt -keystore mykeystore
keytool -import -trustcacerts -alias myalias2 -file chain.crt -keystore mykeystore
keytool -import -alias myalias3 -file certificate.crt -keystore mykeystore
jarsigner -keystore mykeystore Applet.jar myalias
But still, when I open it in the browser, I am getting the publisher as 'UNKNOWN'.
What am I doing wrong here?
I found what I did incorrectly. While importing the code-signing certificate, I should use the same alias as the original one.
keytool -import -alias myalias -file certificate.crt -keystore mykeystore
Once this is done, it works.
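An added example, not part of the question or the answer, that shows which certificate chain a JAR was actually signed with, so the UNKNOWN publisher can be seen before the applet is deployed. It reads every entry to the end (the point at which the JAR API verifies the signature and attaches the signers) and prints the signer chain. A chain of length one whose only certificate is self-signed is the symptom of the mistake above: jarsigner signed with the -genkey certificate still stored under myalias, because the CA reply imported under myalias3 became a separate trusted-certificate entry instead of replacing that chain. The class name is mine; it takes the JAR path as its argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Usage: java JarSignerCheck Applet.jar */
public class JarSignerCheck {

    /** Reads each entry so JarFile verifies it, then returns the first signer's chain (leaf first). */
    static Certificate[] signerChain(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) { // verify = true
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { } // a SecurityException here means a tampered entry
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null until the entry is fully read
                if (signers != null && signers.length > 0) {
                    List<? extends Certificate> chain = signers[0].getSignerCertPath().getCertificates();
                    return chain.toArray(new Certificate[0]);
                }
            }
        }
        return new Certificate[0]; // no signed entry found
    }

    static boolean selfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        Certificate[] chain = signerChain(args[0]);
        if (chain.length == 0) {
            System.out.println("unsigned, or no signature files present");
            return;
        }
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  " + x.getSubjectX500Principal() + "  issued by  " + x.getIssuerX500Principal());
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        if (chain.length == 1 && selfSigned(leaf)) {
            System.out.println("signed with the self-signed -genkey certificate: "
                    + "the CA reply was not imported under the key's alias");
        }
    }
}
```

From the command line, jarsigner -verify -verbose -certs Applet.jar prints the same chain; the program above is the equivalent check for a build pipeline that wants to fail before an applet ships with a self-signed signer.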
I have a Java application accessing a service that uses a StartCom SSL certificate. For this to work, I need to add the StartCom CA certs to Java's truststore, because they're not in there by default yet. I've successfully done that on Linux using these commands:
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
(From this script)
The same command (adapted appropriately) doesn't work on Windows however. I get:
keytool error: java.lang.RuntimeException: Usage error, trustcacerts is not a legal command
How to make it work?
It was a simple typo. In converting the command I forgot a dash before "trustcacerts". :(
On Mac OS X Mavericks 10.9 I did this:
I always make a tmp directory that I delete later, but you don’t have to:
mkdir ~/tmp
cd ~/tmp
Then download the certs:
curl http://www.startssl.com/certs/ca.crt -O
curl http://www.startssl.com/certs/sub.class1.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class2.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class3.server.ca.crt -O
curl http://www.startssl.com/certs/sub.class4.server.ca.crt -O
Get your Java home:
$ /usr/libexec/java_home
/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home
Use keytool to install it:
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca -file ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class1 -file sub.class1.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class2 -file sub.class2.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class3 -file sub.class3.server.ca.crt
sudo keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -noprompt -alias startcom.ca.sub.class4 -file sub.class4.server.ca.crt
Remove -trustcacerts
Yes, -trustcacerts is the right syntax.
But for the linked script to work under Cygwin you need to remove sudo from all keytool lines - sudo is unavailable in Cygwin.