How do you set up SSL with Grails? We have our signed certificate from our provider, and have tried creating a keystore under .grails/1.3.7/ssl/keystore. With just putting our key in, we start grails and get:
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
    at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:742)
Maybe we have to import the .crt file with a different command? I used:
keytool -import -v -trustcacerts -alias riseup.org.nz -file /etc/ssl/telethon/telethon.crt
When I use an alias other than riseup.org.nz, it complains the alias doesn't match the crt.
After running the command, it does ask me if I trust the information, which makes me think of:
Note: it is not required that you execute a -printcert command prior to importing a certificate, since before adding a certificate to the list of trusted certificates in the keystore, the -import command prints out the certificate information and prompts you to verify it.
from: http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
My reward in this life for past deeds is to provide admin for some very ancient applications running on Java 1.7 (mostly 1.7.0_79). After the last round of certificate updates the applications stopped talking to the CAS auth server (couldn't validate the CA cert). Unfortunately when I try to install the current CA certs, I get:
[root#example.com bin]# ./keytool -import -alias isrgrootx1 -file ~/isrg-root-x1-cross-signed.pem -keystore ../jre/lib/security/cacerts
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate
Openssl on the same box (CentOS 5.11) has no issue reading the file (4096 bit RSA + sha256). And I did check that the file contained only a single certificate. I've seen a number of posts here about the same error message:
DER format does not apply
It's not a JKS file
It's not a CSR
It does not have an extra blank line at the end
Is this the end of the road or is there a way I can convince this version of Java to accept this certificate?
I want to enable SSL for my spring boot application.
I generated a keystore with this command:
keytool -genkey -alias myapp -keyalg RSA -keystore tomcat.keystore
application.properties contains:
server.port = 8443
server.ssl.key-store = classpath:tomcat.keystore
server.ssl.key-store-password = ###
server.ssl.key-password = !&*
server.ssl.enabled=true
First I had created JKS key store with this command:
keytool -genkey -alias tomcat -keystore keystore.jks -validity 3650
But I received an error when I visited https://localhost:8443:
This site can’t provide a secure connection
localhost uses an unsupported protocol.
Why is it working now and not then?
I have a few other questions:
1. I looked at a few tutorials and they all suggested putting the keystore file in src/main/resources. Is this really a good idea?
2. What is the key-store-password? What is the key-password?
3. Is this all we have to do to enable SSL? What about crt and cer files? Where are they used?
About "localhost uses an unsupported protocol": make sure the server supports a cipher which the client can support.
As for "This site can't provide a secure connection", the message could be because the connection is not trusted, of course. Here you would simply tell the client to ignore it.
You also set an alias in your JKS file, make sure you tell the server to load the correct alias.
Placing the JKS in src/main/resources could be a good practice, but not essential; just make sure it's safe and accessible.
crt and cer are not required explicitly for Java, but once you get a signed certificate from a CA, you would import the cert into the JKS to let the server find the intermediate and root certs (if they exist; the root is not essential).
Once you generate a key by keytool, just keep the file safe. You need to generate the CSR value; also the same JKS is needed for trusted cert importing.
I also suggest getting the hang of OpenSSL (if possible) over JSSE.
I have a blah.p7b certificate (type PKCS#7) which I want to import into a Java keystore using keytool in order to enable HTTPS on Tomcat. I don't have the alias name and keystore from when the certificate was generated; I took it from the client who wants to enable HTTPS on our web-application server that they use. Can this work without having the original alias name and keystore?
When I tried to import the certificate I used this command:
keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
But it gives me this error:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mydomain>
Please help...
If you haven't got the original KeyStore you are hosed. You have to generate a new KeyStore, a new keypair, a new CSR, get it signed, and then import the signed cert and its chain into the KeyStore using the same alias as the keypair.
I am installing a wildcard SSL certificate into my keystore, which will be used for the Apache Tomcat web server.
Description:
My Tomcat server is installed on a Windows 2012 server.
And I have certificates provided from COMODO.
The wildcard cert I'm using has already been used previously on a few servers, so I am directly installing the same one on my Apache Tomcat server.
So I generated a public keystore using keytool, providing the same information used while purchasing the certificate, using the following command:
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
Then I attached my certificates to the generated keystore using the following command.
For "Comodo" certificates
i. keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore selfservice.keystore
And I used the correct chain of installation for the certificates (root, all intermediates, primary) with the above command.
And while installing each certificate I received the following message:
"Certificate added to keystore"
Though I have not got any error.
And when I opened my keystore there was no certificate chain, meaning there is an individual entry for each certificate, but no chain hierarchy of certificates like root, then intermediate, then primary.
And in my final PI or certificate, I am getting the provider as the local first name instead of Comodo.
EXAMPLE :
CN=nims.ABC.com,OU=abcCommunications,O=abc Group LLC, L=Roseville,ST=Minnesota,C=US
Provider must be
CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
So I would like to know which steps I have missed or whether I used any extra steps.
Please provide a solution to install a wildcard certificate.
Thanks in advance
You did everything correctly. The trust chain is important for another aspect. If you trust one 'certificate' of the chain, you trust the following 'certificates' of the chain too. So to trust all certs of a CA you just have to trust the root CA's cert.
What you really need to make the wildcard certificate work on your server is to import the private key part of it.
I assume you mean Tomcat using Java SSL (JSSE) not APR/Native (OpenSSL). If you want Tomcat-APR, change your question.
If the cert you want to use is already in use on other servers, and you "generated a public keystore using" the keytool command you showed on the NEW server, you generated a NEW KEY which is different from the key the other servers used and different from the key included in the certificate, thus the certificate DOES NOT MATCH that new key and cannot be used with that new key. You also implicitly generated (and have not replaced) a self-signed cert, with both subject and issuer (what you call provider) identifying you rather than a CA like Comodo. This certificate is not good for general use but can be useful for some testing, which is why keytool does it implicitly.
You need to get the certificate, the ALREADY EXISTING private key that MATCHES the certificate, and the needed chain cert(s) into your JKS as a privateKey entry. If an existing SSL server is Java (using JSSE), just copy its JKS. If you want or need to change the password(s) on the copy for your new server, see keytool -storepassword and keytool -keypasswd.
If an existing server is OpenSSL (including Apache httpd and nginx), convert the OpenSSL PEM format to PKCS#12 (preferably on the old server); depending on that server's file layout this is something like
openssl pkcs12 -export -in certfile -inkey keyfile -certfile chaincert -out xxx
and then use keytool to convert PKCS#12 to JKS (preferably on the new server):
keytool -importkeystore -srckeystore xxx -srcstoretype pkcs12 -destkeystore yyy
Note you must use a password on the PKCS#12. This does not need to be the same as the old server keyfile (if any) or the new server JKS, but it's usually more convenient if it is.
If an existing server is IIS, you should be able to export the cert WITH private key AS PFX/PKCS#12 from the Certificate snapin of mmc, and then convert the PKCS12 to JKS as just above.
If an existing server is something else, add it to the question.
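The PEM-to-PKCS#12-to-JKS path described above, as an added example that is not part of the original answers: it first checks that the private key actually belongs to the certificate (the mismatch behind the wildcard question, where a fresh keytool -genkey produced a new, unrelated key), then packages and converts them. All key and certificate material is constructed in a temporary directory; the alias "tomcat", the password "changeit" and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): verify that a private key really
# belongs to a certificate, then do the PEM -> PKCS#12 -> JKS conversion described
# above. Test material is constructed in a temp dir; the alias "tomcat" and the
# password "changeit" are assumptions.
set -eu
WORK=$(mktemp -d)

# Constructed inputs: a key with its matching (self-signed) cert, standing in for
# the CA-signed cert plus its ORIGINAL key, and an unrelated second key, standing in
# for the NEW key that "keytool -genkey" on a fresh server would create.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/orig.key" -out "$WORK/cert.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/new.key" 2>/dev/null

# Prints "match" when the key's public half equals the public key inside the cert.
key_matches_cert() {  # key.pem cert.pem
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Step 1: bundle key + cert (+ optional chain file) into a password-protected
# PKCS#12. Refuses (exit 1) when the key does not belong to the cert.
pem_to_pkcs12() {  # key.pem cert.pem out.p12 password [chain.pem]
    [ "$(key_matches_cert "$1" "$2")" = match ] || return 1
    openssl pkcs12 -export -in "$2" -inkey "$1" ${5:+-certfile "$5"} \
        -name tomcat -out "$3" -passout "pass:$4"
}

# Step 2: convert the PKCS#12 into a JKS and print the entry type keytool sees.
# JSSE/Tomcat needs a PrivateKeyEntry; a cert imported on its own is only a
# trustedCertEntry, which gives "No available certificate or key ..." at startup.
pkcs12_to_jks() {  # in.p12 out.jks password
    keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype jks -deststorepass "$3" -noprompt 2>/dev/null
    keytool -list -keystore "$2" -storepass "$3" 2>/dev/null | grep -o 'PrivateKeyEntry' | head -n 1
}

main() {
    key_matches_cert "$WORK/orig.key" "$WORK/cert.pem"   # match
    key_matches_cert "$WORK/new.key" "$WORK/cert.pem"    # mismatch (the wildcard question's situation)
    pem_to_pkcs12 "$WORK/orig.key" "$WORK/cert.pem" "$WORK/bundle.p12" changeit
    if command -v keytool >/dev/null 2>&1; then
        pkcs12_to_jks "$WORK/bundle.p12" "$WORK/tomcat.jks" changeit   # PrivateKeyEntry
    fi
}
main
```

The keytool step only runs when a JDK is on the PATH; very old JREs such as the 1.7 in the question above may not read the PKCS#12 encryption that current OpenSSL emits by default.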
I am getting this weird error from my java code:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
The command I used to generate the keystore:
keytool -genkey -alias tomcat -keystore keystore.jks
Here is my java code:
import java.security.cert.PKIXParameters;
import java.security.KeyStore;
import java.io.FileInputStream;

public class MyKeyTest {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "mypass";
        ks.load(new FileInputStream("keystore.jks"), password.toCharArray());
        // Throws InvalidAlgorithmParameterException when the keystore holds no
        // trusted certificate entries (a private key entry alone is not a trust anchor).
        new PKIXParameters(ks);
    }
}
I tried to google around for this error, but mostly it says this happens when the keystore was not found or is not readable.
But neither of these two cases is true in my case. Any ideas?
Some brief and simplified background, just in case it's not clear. The PKIXParameters object is used for client certificate validation. This is a way for you to allow or disallow access to your web resources. The way this typically works is that
you have a list of certificate authority (CA) certificates you trust (this is your trust store).
your application asks the client to provide a digital certificate (the client certificate)
the client cert will include the CA certificate which signed the client cert. If the CA certificate is on your list, the client passes the validation.
The keystore.jks file is your trust store. Your trust store does not currently contain any certificates (just a useless private key). To add a CA certificate you would use this command:
keytool -import -alias <an alias for the CA cert> -file <the trusted CA cert> -keystore <your keystore>
As an example, export a CA certificate from your browser to a file and then import it into your trust store:
Go to your control panel / Internet Options / Content tab and click on Certificates.
Select the "Trusted Root Certificate Authorities" tab and select a certificate (for example the "Microsoft Root Certificate Authority").
Click Export and save it to a file (for this example I used "msroot.cer").
At your command prompt run the following command:
keytool -import -alias msroot -file msroot.cer -keystore keystore.jks
Now when you run your Java code using this updated keystore.jks, it should run just fine.