COMODO SSL certificate on Jboss7 - java

I registered a domain and would like to set up SSL encryption for it. My domain provider offered to get me an SSL certificate from COMODO. I generated a key and a CSR file using OpenSSL:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
The command produced a private key, myserver.key, and the CSR file. I uploaded the content of the CSR to Comodo, and after verification they sent me the following files:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - mydomain.crt
I'm lost on where to go from here. I followed these instructions:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/0/certificate-installation-java-based-web-servers-tomcat-using-keytool
and created a domain.keystore file, but I'm not sure whether that's the right thing to do. My configuration in JBoss now looks like this:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="mydomain" password="*****" protocol="TLSv1" certificate-key-file="../standalone/configuration/domain.keystore"/>
</connector>
But that doesn't seem to work. I get no error in the server log; the page simply times out. If I use HTTP it works normally. Any advice?
EDIT:
I took a different approach and generated my keystore this way:
keytool -genkey -alias domain -keyalg RSA -keysize 2048 -keystore domain.keystore
then I uploaded the new CSR info to Comodo and got the three .crt certificates back. I imported them into the keystore with this command:
keytool -import -trustcacerts -alias domain -file domain.crt -keystore domain.keystore
and then I used the keystore in the standalone.xml in this way:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="domain-ssl" key-alias="domain" password="******" certificate-key-file="../standalone/configuration/domain.keystore" protocol="TLSv1"/>
</connector>
The server starts, but when I try to connect to it, my browser says that the connection is untrusted:
domain uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_ca_cert_invalid)

I finally managed to get the installation right! Here's how you do it:
Install the COMODO certificates into your keystore with this command:
keytool -import -trustcacerts -alias <filename> -file <filename>.crt -keystore domain.keystore
in the following order:
» Root: AddTrustExternalCARoot.crt
» Intermediate 1: COMODOAddTrustServerCA.crt
» Intermediate 2: COMODOExtendedValidationSecureServerCA.crt
Then install your domain certificate:
keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore
Instead of mykey, use the same alias that you used to generate your keystore. If you do everything correctly, you should get this output:
Certificate reply was installed in keystore
Anything else means you probably didn't use the correct alias. The final thing you need to do is to modify your standalone.xml like this:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="<domain>-ssl" key-alias="<domain>" password="******" certificate-key-file="../standalone/configuration/<domain>.keystore"/>
</connector>
And you should be good to go!

My domain provider offered to get me an SSL certificate from COMODO...
...
Any advice?
Don't pay for the certificate. You can get a free Class 1 certificate from Startcom. The Class 1 is good for server authentication without a wildcard domain. If you want an extended validation certificate or a wildcard certificate, then you will have to buy a Class 2 or higher.
Also, while Startcom issues the certificate for free, they charge for revocation because that's where the cost lies.
I'm lost on where to go from here...
Convert Intermediate CA Certificate - COMODORSAAddTrustCA.crt, Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt and Your PositiveSSL Certificate - mydomain.crt to PEM files. PEM files are the ones that start with -----BEGIN CERTIFICATE----- and finish with -----END CERTIFICATE-----.
Then, concatenate your three PEM files into a single file. The file will have three certificates in it. Call it mydomain-chain.pem, and load that into your server. Also load myserver.key into your server.
Don't do anything with Root CA Certificate - AddTrustExternalCARoot.crt. Clients have to use it as a root. There's no {use|need} to send it to the client in the ServerHello.
You can test your setup with the following. Notice how the client uses the root:
openssl s_client -connect myserver:443 -CAfile AddTrustExternalCARoot.crt
The command should end with Verify (0) OK or similar.

Failed to load keystore type JKS with path ../standalone/configuration/mydomain-chain.pem due to Invalid keystore format: this means your keystore is not valid. Don't create a new one; use the keystore file you created while submitting the CSR file to them. Use the same keystore; if you change the keystore, it's not accepted.

Related

Invalid Keystore format exception while configuring Wildfly 8.0.0 with VAULT to encrypt keystore password

I have configured a WildFly 8.0.0 server with JDK 1.8 u162 to provide HTTPS support to my application by creating a self-signed certificate. To configure it successfully I specified the keystore password in clear text in the standalone.xml file, and it is working properly.
Now I want to store the keystore password in encrypted form instead of clear text. To do that I used the VAULT script and performed all the required steps to generate the VAULT.dat file and tag. After specifying the required settings in the standalone.xml file, when I started my WildFly server it gave me a java.io.IOException: Invalid keystore format exception, and because of that the system was not deployed.
I have performed following steps:
1) To generate the keystore file I used the following command and followed the instructions.
keytool -genkey -keyalg RSA -alias vault -keystore osp_keystore.jks -validity 365 -keysize 2048
2) I opened the VAULT window (vault.bat) to encrypt the keystore password and performed all the required steps, which gave me the following information to configure in the standalone.xml file.
<vault>
<vault-option name="KEYSTORE_URL" value="D:\osp\standalone\configuration\osp_keystore.jks"/>
<vault-option name="KEYSTORE_PASSWORD" value="MASK-ZCA9zDtIIr7BbsQlgnChk"/>
<vault-option name="KEYSTORE_ALIAS" value="ospvault"/>
<vault-option name="SALT" value="ASDF1234"/>
<vault-option name="ITERATION_COUNT" value="50"/>
<vault-option name="ENC_FILE_DIR" value="D:\osp\standalone\configuration\vault\"/>
</vault>
Vault Block:keystore
Attribute Name:password
VAULT::keystore::password::1
3) I configured the standalone.xml file with the following tags.
a) Specified the above tag between the </extensions> and <management> tags.
b) Under the <security-realm name="ApplicationRealm"> tag, added the following tag.
<server-identities>
<ssl><keystore path="osp_keystore.jks" relative-to="jboss.server.config.dir" keystore-password="${VAULT::keystore::password::1}" /></ssl>
</server-identities>
c) Under the <subsystem xmlns="urn:jboss:domain:undertow:1.0"> tag, bound the ApplicationRealm to HTTPS.
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
The keystore for the server-identities and the keystore for the vault are two different keystores.
Example for generating a keystore:
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault123 -keypass vault123 -validity 365 -keystore ${jboss-config}\vault\vault.keystore
and then in standalone.xml:
<vault-option name="KEYSTORE_URL" value="${jboss-config}/vault/vault.keystore"/>
Highly recommended reading:
https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6.1/html/security_guide/Create_a_Java_Keystore_to_Store_Sensitive_Strings

Spring Boot: RSA works, JKS doesn't

I want to enable SSL for my Spring Boot application.
I generated a keystore with this command:
keytool -genkey -alias myapp -keyalg RSA -keystore tomcat.keystore
application.properties contains:
server.port = 8443
server.ssl.key-store = classpath:tomcat.keystore
server.ssl.key-store-password = ###
server.ssl.key-password = !&*
server.ssl.enabled=true
First I had created a JKS key store with this command:
keytool -genkey -alias tomcat -keystore keystore.jks -validity 3650
But I received an error when I visited https://localhost:8443:
This site can’t provide a secure connection
localhost uses an unsupported protocol.
Why is it working now and not then?
I have a few other questions:
1. I looked at a few tutorials and they all suggested putting the keystore file in src/main/resources. Is this really a good idea?
2. What is the key-store-password? What is the key-password?
3. Is this all we have to do to enable SSL? What about crt and cer files? Where are they used?
About "localhost uses an unsupported protocol": make sure the server supports a cipher which the client can support.
As for "This site can’t provide a secure connection", the message could be because the connection is not trusted, of course. Here you would simply tell the client to ignore it.
You also set an alias in your JKS file; make sure you tell the server to load the correct alias.
Placing the JKS in src/main/resources could be good practice, but it is not essential; just make sure it's safe and accessible.
crt and cer files are not explicitly required for Java, but once you get a certificate signed by a CA, you would import the cert into the JKS to let the server find the intermediate and root certs (if they exist; the root is not essential).
Once you generate a key with keytool, just keep the file safe. You need it to generate the CSR, and the same JKS is needed for importing the trusted cert.
I also suggest getting some hands-on experience with OpenSSL (if possible) over JSSE.

Client authentication in server Tomcat

I want to configure SSL for mutual authentication.
I work with Eclipse + Tomcat 8.
I did these steps:
I created private keys in this way:
openssl genrsa -des3 -out client_key.pem 2048
openssl genrsa -des3 -out server_key.pem 2048
I created self-signed certificates:
openssl req -new -x509 -key client_key.pem -out client.pem -days 365 -config <path to>\openssl.cnf
openssl req -new -x509 -key server_key.pem -out server.pem -days 365 -config <path to>\openssl.cnf
I created truststores and imported the certificates:
keytool -importcert -trustcacerts -keystore clienttruststore.jks -storetype jks -storepass <truststore_password> -file <path-to-file>\server.pem
keytool -importcert -trustcacerts -keystore servertruststore.jks -storetype jks -storepass <server_truststore_password> -file <path-to-file>\client.pem
I combined the certificate and the private key for the server and client respectively:
openssl pkcs12 -export -inkey client_key.pem -in client.pem -out client.p12
openssl pkcs12 -export -inkey server_key.pem -in server.pem -out server.p12
and finally I converted the keystores in PKCS12 format:
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks
After this, I configured SSL/TLS support on Tomcat. So, I configured server.xml in the Servers folder and set up the connector in this way:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="path\to\server.jks" keystorePass="*******" keystoreType="JKS"
truststoreFile="path\to\servertruststore.jks" truststorePass="********" truststoreType="JKS" />
Finally I cleaned and built the project.
I created a Dynamic Web Project in Eclipse called "myproject". It works well.
The problem is that when myproject runs on the server at URL https://localhost:8443/myproject
Google Chrome shows the red triangle (This page is insecure (broken HTTPS)).
What's wrong?
Where do I put client.jks and clienttruststore.jks in my project?
This picture shows the problem:
Your certificates are self-signed, meaning they are not signed by a CA, meaning Chrome cannot trust them unless you approve them manually.
When generating the certificate did you provide a CN? It must match the hostname that you are using (in your case it's localhost); if the CN doesn't match, Chrome will not allow SSL unless you approve it manually.
You said you want mutual authentication, but you configured clientAuth="false". It should be true. As for the keystore, you're supposed to use the same keystore for the certificates, therefore when the client connects with its certificate, Tomcat will validate that the corresponding certificate is located in the keystore.
Hope it helps.

Installation of WildCard SSL certificate (By Comodo) on Tomcat Apache Web Server

I am installing a wildcard SSL certificate into my keystore, which will be used for the Apache Tomcat web server.
Description:
My Tomcat server is installed on a Windows 2012 server.
And I have certificates provided by COMODO.
The wildcard cert I'm using has already been used previously on a few servers, so I am directly installing the same one on my Apache Tomcat server.
So I generated a public keystore using keytool, providing the same information used while purchasing the certificate, with the following command.
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Then I attached my certificates to the generated keystore using the following command
For "Comodo" certificates
i. keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore selfservice.keystore
And I used the correct chain of installation for the certificates, i.e. root, all intermediates, primary, with the above command.
And while installing each certificate I received the following message
"Certificate added to keystore"
Though I have not got any error.
And when I opened my keystore there was no certificate chain, meaning there is an individual entry for each certificate, but there is no chain hierarchy of certificates like Root, then intermediate, then primary.
And in my final PI or certificate, I am getting the provider as the local first name instead of Comodo.
EXAMPLE :
CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US
Provider must be
CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
So I would like to know which steps I have missed or whether I used any extra steps.
Please provide a solution to install a wildcard certificate.
Thanks in advance
You did everything correctly. The trust chain is important for another aspect: if you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.
What you really need to make the wildcard certificate work on your server is to import the private key part of it.
I assume you mean Tomcat using Java SSL (JSSE) not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.
If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate, thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.
You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certificate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepasswd and keytool -keypasswd.
If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like
openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx
and then use keytool to convert PKCS#12 to JKS (preferably on the new server)
keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy
Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.
If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificate snapin of mmc, and then convert the PKCS12 to JKS as just above.
If an existing server is something else, add it to the question.

Tomcat intermediate certificate `sec_error_unknown_issuer'

I have a test scenario, where a root certificate authority called Root signs a certificate signing request created by an intermediate certificate authority called Intermediate, which in turn signs a certificate signing request created by a subject called Subject.
I use Tomcat as my web server and I've configured it to use the Subject key store (which contains the Root certificate, the Intermediate certificate, the Subject certificate chain and the Subject private key) and I start it to listen on the ports 80 (HTTP) and 443 (HTTPS).
I install the Root certificate (as a trusted certificate) in Firefox and I hit up my domain and this is what I get:
subject.usip.me uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Obviously, Firefox couldn't verify the chain of trust, or something similar. Now, before I go into details about my configuration and the steps that I took: I've changed my Tomcat configuration so that it uses the Intermediate key store instead of the Subject key store (the Intermediate key store contains the Root certificate, the Intermediate certificate chain and the Intermediate private key). Using this configuration everything works fine.
I use the following tools:
Java: 1.7.0_05
Tomcat: 7.0.29
Firefox: 14.0.1
I create the key stores in question with the following script pasted over here (it's quite lengthy). Anyone with a Java keytool can run it (it probably won't be a very speedy operation because of the 4096 RSA key size).
After the script runs I can verify that my Subject key store contains the complete chain of trust (as I see it):
c:\>keytool -list -keystore c:\subject.jks -storepass changeit -rfc
It prints out the following (again, quite lengthy) output which is pasted over here. It seems OK to me (at least, after hours of struggling I can't seem to start seeing anything wrong with it).
I set up Tomcat (following this how-to) via its server.xml like this (I change nothing aside from this single tag, which is by default commented-out).
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="c:/subject.jks"
keystorePass="changeit"
keystoreType="jks"
keyAlias="subject"
keyPass="changeit" />
(After I start up Tomcat, connect to it - while it's using the Subject or the Intermediate key store - there are no errors logged.)
While looking for solutions I found that with openssl I can verify my service; as a novice user of the tool I ran the following command against my domain (using Cygwin):
$ openssl s_client -connect subject.usip.me:443 -CAfile /cygdrive/c/root.pem -showcerts &> /cygdrive/c/openssl.log
Yet again, I've pasted the lengthy output over here.
It says Verify return code: 24 (invalid CA certificate), which is strange as it refers (as I see it) to the Root certificate. Now, when I said I reconfigured Tomcat to use the Intermediate key store, I also ran this same command and then it checked out with Verify return code: 0 (ok). So I guess the Root certificate is OK.
The domain and sub-domain names I've mentioned through the post and pastes are free domains registered at http://freedns.afraid.org/ and each of them points to my current address (I thought I'd mention it, maybe it matters).
Any ideas what I'm doing wrong?
OK, I've managed to figure it out. I didn't specify some important X.509 certificate extensions when I generated the replies to my certificate signing requests.
There is some info on this in Java's keytool documentation. (Search for -ext.)
The key points are the proper generation and signing of the Intermediate certificate
keytool -gencert^
-alias root^
-ext BasicConstraints:critical=ca:true,pathlen:0^
-ext KeyUsage:critical=keyCertSign,cRLSign^
-infile intermediate.csr^
-keypass changeit^
-keystore root.jks^
-outfile intermediate.pem^
-rfc^
-sigalg sha512withrsa^
-storepass changeit^
-storetype jks^
-v
and the Subject certificate
keytool -gencert^
-alias intermediate^
-ext BasicConstraints:critical=ca:false^
-ext ExtendedkeyUsage:critical=serverAuth,clientAuth^
-ext KeyUsage:critical=digitalSignature,keyEncipherment^
-infile subject.csr^
-keypass changeit^
-keystore intermediate.jks^
-outfile subject.pem^
-rfc^
-sigalg sha512withrsa^
-storepass changeit^
-storetype jks^
-v
I'll update my answer when I have the time and post my complete solution.
Update
I've set up a little example repository at GitHub, which contains the scripts I wrote for generating the necessary key store files, certificates, etc. I rewrote my scripts in Bash and added a lot of configuration parameters to them. It can be run without any configuration at all. In this case it'll create certificates for the root.lvh.me, intermediate.lvh.me and subject.lvh.me domains (the second level, lvh.me domain points to 127.0.0.1 by default). Using the Subject key store with Tomcat and installing the Root certificate into Firefox will result in a verified, secure connection to https://subject.lvh.me (and nowhere else, so https://intermediate.lvh.me won't verify).
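The pieces the answers above describe in prose, pulled together in one runnable script: the PEM chain file and its offline verification from the second answer to the first question (the same check that openssl s_client -CAfile root performs), the PKCS#12-to-JKS conversion from the wildcard answer, and the CA extensions the last answer found missing. This is an added example, not code from any of the posts or from the GitHub repository mentioned above. It uses only openssl (1.1.1 or newer) plus keytool if it happens to be installed; the domain names follow the last answer, and every key, certificate and the password changeit are throw-away values constructed here.

```shell
#!/usr/bin/env bash
# Added example: a throw-away three-tier test PKI built with openssl only.
# Names follow the last answer (root.lvh.me / intermediate.lvh.me / subject.lvh.me);
# all keys, certs and the password are constructed here and disposable.
# Assumes openssl (1.1.1 or newer) on PATH; keytool is used only if present.

WORK="$(mktemp -d)"
PASS=changeit   # throw-away password, same as in the Tomcat question above

# new_key_and_csr NAME CN : RSA-2048 key and CSR, as the questions do with openssl req
new_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE : issue NAME.pem from NAME.csr with ISSUER's key and the given extensions
sign() {
    openssl x509 -req -days 365 -sha256 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
    [ -f "$WORK/subject2.pem" ] && return 0          # already built

    # Root: self-signed, carrying the CA extensions the last answer found were missing
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
    new_key_and_csr root root.lvh.me
    openssl x509 -req -days 365 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

    # Good intermediate: a CA that may issue end-entity certs only (pathlen:0)
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    new_key_and_csr intermediate intermediate.lvh.me
    sign intermediate root "$WORK/ca.ext"

    # Bad intermediate: signed by the root but without CA:TRUE, i.e. a plain end-entity cert
    printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/notca.ext"
    new_key_and_csr badint badint.lvh.me
    sign badint root "$WORK/notca.ext"

    # Server (leaf) certificates, one issued by each intermediate
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:subject.lvh.me\n' >> "$WORK/leaf.ext"
    new_key_and_csr subject subject.lvh.me
    sign subject intermediate "$WORK/leaf.ext"
    new_key_and_csr subject2 subject.lvh.me
    sign subject2 badint "$WORK/leaf.ext"
}

# verify_leaf LEAF INTERMEDIATE : the check "openssl s_client -CAfile root" performs, done offline.
# Prints OK, or openssl's "<code> <reason>" (24 = invalid CA certificate, as in the last question).
verify_leaf() {
    out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$2.pem" "$WORK/$1.pem" 2>&1) \
        && { echo OK; return 0; }
    echo "$out" | sed -n 's/.*error \([0-9]*\) at [0-9]* depth lookup:[ ]*\(.*\)$/\1 \2/p' | head -n 1
}

# make_chain_file : leaf first, then the intermediate. The root is left out on purpose:
# the client must already trust it, so sending it gains nothing. Prints the cert count.
make_chain_file() {
    cat "$WORK/subject.pem" "$WORK/intermediate.pem" > "$WORK/subject-chain.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/subject-chain.pem"
}

# export_p12 : key + leaf + intermediate into one PKCS#12 under alias "subject".
# Prints how many certs the container holds (2: leaf and intermediate).
# (Reading an OpenSSL 3 PKCS#12 with an old JDK may need "-legacy" added to the export.)
export_p12() {
    openssl pkcs12 -export -in "$WORK/subject.pem" -inkey "$WORK/subject.key" \
        -certfile "$WORK/intermediate.pem" -name subject -passout "pass:$PASS" \
        -out "$WORK/subject.p12" 2>/dev/null
    openssl pkcs12 -in "$WORK/subject.p12" -passin "pass:$PASS" -nokeys -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# to_jks : the keytool -importkeystore step from the wildcard answer, run only if keytool exists.
# Prints the chain length keytool reports for the entry, or "skipped".
to_jks() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    keytool -importkeystore -srckeystore "$WORK/subject.p12" -srcstoretype pkcs12 -srcstorepass "$PASS" \
        -destkeystore "$WORK/subject.jks" -deststoretype jks -deststorepass "$PASS" -noprompt >/dev/null 2>&1
    keytool -list -v -keystore "$WORK/subject.jks" -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

demo() {
    build_pki
    echo "leaf via CA intermediate:      $(verify_leaf subject intermediate)"
    echo "leaf via non-CA intermediate:  $(verify_leaf subject2 badint)"
    echo "certs in subject-chain.pem:    $(make_chain_file)"
    echo "certs in subject.p12:          $(export_p12)"
    echo "JKS chain length (keytool):    $(to_jks)"
    echo "files left in $WORK"
}
[ -n "${NO_DEMO:-}" ] || demo
```

The second verify line is the failure mode from the last question reproduced on purpose: the chain is signed correctly, but the intermediate was issued without basicConstraints CA:TRUE, so openssl rejects it as an issuer with error 24. The JKS produced by to_jks is what the wildcard answer means by a privateKey entry with the chain attached; when keytool is asked to import a certificate into an alias that already holds the matching private key it reports "Certificate reply was installed in keystore", whereas "Certificate was added to keystore" means the certificate landed as a separate trusted entry, which is exactly the symptom the wildcard question describes.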
