I have Java application running on two different servers. On the 1st server while the application is trying to insert a X.509 certificate to NSS keystore it is getting the following error:
Failed to store public key certificate in keystore. Cause: Could not create trust object
java.security.ProviderException: Could not create trust object
at sun.security.pkcs11.Secmod$TrustAttributes.<init>(Secmod.java:658)
at sun.security.pkcs11.Secmod$Module.setTrust(Secmod.java:529)
at sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1045)
at sun.security.pkcs11.P11KeyStore.engineSetCertificateEntry(P11KeyStore.java:516)
at java.security.KeyStore.setCertificateEntry(Unknown Source)
Using certutil to list the NSS DB entry I can see the certificate entry, but the trust flag says "CTu,Cu,Cu".
On the 2nd server, inserting a X.509 certificate to NSS keystore doesn't throw the same exception. It is working fine and using certutil I can see the certificate entry, and the trust flag says: "CT,C,C".
My questions:
Why on the 1st server inserting a X.509 certificate threw an exception?
What cause the trust flag to be different between the two certificate? The X.509 certificate is imported thru the same API.
Both servers are running Java 8u121. Thank you.
Related
THIS IS STILL AN ISSUE ANY HELP WOULD BE APPRETIATED
I am having an issue setting up TLS through a custom CA between Kibana and Enterprise search. I have the default x-pack security set up for the interconnection of my Elasticsearch nodes with both Kibana and Enterprise search, which was done according to the following docs: minimal security basic security ssl/tls config. I can successfully run Enterprise search through http, however my issue arises when I enable ssl/tls for ent-search..
When I have https configured for ent-search using this doc, the server is "running", however I receive an error after boot and Kibana throws an error when attempting to connect.
ent-search error (non corresponding with Kibana's hit to the ent-search hostname, this error raises shortly after ent-search is "starting successfully", but isn't fatal)
[2022-06-14T20:37:45.734+00:00][6081][4496][cron-Work::Cron::SendTelemetry][ERROR]: Exception:
Exception while performing Work::Cron::SendTelemetry.perform()!: Faraday::ClientError: PKIX path
building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
Kibana error (directly corresponding to when I ping http://obfuscated-dns:5601/app/enterprise_search/overview)
[2022-06-14T20:43:51.772+00:00][ERROR][plugins.enterpriseSearch] Could not perform access check to
Enterprise Search: FetchError: request to https://obfuscated-dns:3002/api/ent/v2/internal/client_config
failed, reason: unable to get issuer certificate
The steps I took to generate said certificate were: I created a csr on my server using elasticsearch-certutil csr along with a yml file which specified the distinguished name, I sent the unzipped csr to my CA (Digicert), uploaded the signed certificate and intermediate certificate provided by Digicert to my server, used openssl to generate a keystore using the signed cert and that private key generated along-side the original csr, then finally converted the keystore to .jks format using keytool.
From my understanding, the path of this keystore is what is needed for the configuration file for enterprise-search and the intermediary cert is what is used in the Kibana certificate authority config field (ca.pem). I have also tried to stuff both the signed and intermediate cert in the same .pem, as well as the private-key, signed and intermediate cert. Below are the relevant configurations:
kibana.yml
enterpriseSearch.host: https://ofuscated-dns:3002
enterpriseSearch.ssl.verificationMode: certificate
enterpriseSearch.ssl.certificateAuthorities:
- /path/ca.pem
enterprise-search.yml
ent_search.external_url: https://obfuscated-dns:3002
ent_search.listen_host: 0.0.0.0
ent_search.listen_port: 3002
ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/path/keystore.jks"
ent_search.ssl.keystore.password: "pass"
ent_search.ssl.keystore.key_password: "pass"
I'm starting to feel like I fundamentally misunderstand something here. A lot of the jargon behind SSL/TLS certificates seems to lack standardization. While we are at it, what is a root cert in relation to what I have listed? Is it the intermediate cert? I see there is a master "root certificate" for the Digicert CN I certified under, however I'm unsure where this fits in. The config variable "certificateAuthorities" doesn't document what this .pem file should contain specifically and when searched the concept of a certificate authority is never associated with file contents, but instead is simply abstracted to the entity which provides certification (duh).
To put it succinctly: What does this variable "certificateAuthorities" explicitly entail?
UPDATE 09/28/2022
I have now confirmed that SSL is working when calling enterprise-search outside of the VM its running in. I can utilize its endpoint with my flutter and react app, however Kibana is till throwing the error mentioned above. I have checked that the root/intermediate CA provided to kibana's configuration is indeed the certificate linked with the signed cert provided to enterprise search and even confirmed so using SSLPoke.. This leaves me with the suspicion that perhaps Java is a bad actor in the mix? I've added the root/intermediate CA to the cacerts keystore in the ssl/java directory of the Linux VM, but still no luck. Any thoughts?
I saw there are two type of certificate which is elastic-stack-ca.p12 and elastic-certificates.p12. What are the differences between these two certificate.
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html#generate-certificates
Also I noticed we have HTTP certificate
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html#encrypt-http-communication
why there are so many certificate.
If I want to send data from beats which certificate should be used? I saw it need .cer and .key
can someone help me to understand this.
You need both, and each one has a specific role.
***ca.p12 is the certificate to the new Certificate Autohirity which is created since Elastic certificated is auto assigned.
***certificate.p12 is the certificate to each single instance of your elasticsearch cluster.
I would recommend you to follow the steps here https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
Source:
https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html#certutil-ca
ca.p12 -> CA Mode
The ca mode generates a new certificate authority (CA). By default, it produces a single PKCS#12 output file, which holds the CA certificate and the private key for the CA. If you specify the --pem parameter, the command generates a zip file, which contains the certificate and private key in PEM format.
certificates.p12 -> Cert Mode
The cert mode generates X.509 certificates and private keys. By default, it produces a single certificate and key for use on a single instance.
To generate certificates and keys for multiple instances, specify the --multiple parameter, which prompts you for details about each instance. Alternatively, you can use the --in parameter to specify a YAML file that contains details about the instances.
Could you please help me setup the SSL on the Nifi Application.
To explain about the steps taken so far.
I have used the following link intructions to use the CA signed certs provided to us (This include root,intermediate and Server cert). I have sucessfully configured Nifi to run on SSL on server end but i am not getting the steps to create a client cert so that using the client cert we can login to Nifi.
Help in this regard will be highly appreciated.
You'll need to generate a Certificate Signing Request (CSR) or request from your security/IT team who provided the CA-signed server certs that they provide a client certificate (and private key) signed by the same intermediate or root CA. You could also generate your own client certificate signed by a self-signed CA and put the public certificate of that CA in the NiFi truststore. More documentation around this process can be found in the NiFi Toolkit Guide.
I've acquired a signed certificate for use in a secure connection in Tomcat 7(.0.42). Here is what I'm given:
An x.509 certificate, primary-intermediate and secondary-intermediate x.509 certificates, an PKCS#7 chained certificate, and a private key.
I imported the certificates as specified in this guide using the x.509 certificates, then configured my SSL Connector to use the keystore, but got this error:
java.io.IOException: Alias name the_alias does not identify a key entry
I was advised to use the (also) provided PKCS#7 chained certificate, but when attempting to import it using keytool, it failed saying that it wasn't an x.509 certificate.
I understand from online lit that in the first step I was missing the "1" alias for the private key, but I have no idea how to import it. Also, I understand the PKCS#7 certificate is supposed to work fine on Tomcat, but I don't know how to import it to a keystore. I'm rather new to this, please advise!
Many thanks,
Victor.
I can not check how you implement the guide, but I do recommend to start from the self-signed certificate according to instruction here:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
Ensure that keyAlias points to the alias of the server certificate in keystoreFile.
The default alias for the self signed certificate is tomcat.
<Connector port="8443"
…
keyAlias="tomcat"
…
keystoreFile="server.keystore" keystorePass="changeit"
truststoreFile="trust.keystore" truststorePass="changeit"/>
When it will work, replace the keyAlias with the alias of the signed certificate.
I use a Java client using JMS/JNDI. The connection is working when using one-way SSL authentication SSLCAUTH(OPTIONAL). The first step I did is to export the public certificate of the client:
keytool -export -keystore keystore -storepass storepass -alias CLIENT -file client.cer
Then I added this certificate to the MQ key repository.
gsk7cmd -cert -add -db keydb.kdb -pw password -label ibmwebspheremqclient -file client.cer -format binary
And I finally switched to SSLCAUTH(REQUIRED) mode.
I get the following error log. The message is pretty clear, it can't find my client certificate. I read that my client certificate should have a label ibmwebspheremq<client_user_id>. What is this user id since I am connecting via Java?
AMQ9637: Channel is lacking a certificate.
As per the Technote Specifying the userid in the SSL certificate label for an MQ client the Java and JMS clients do not find their certificate based on the label.
What is often the problem is a mis-match between the trust store and the key store. I have seen two problems fairly commonly.
The application specifies a trust store but not a keystore. This works great for anonymous (one-way) SSL but not for mutual authenticated SSL. The app must specify both key store and trust store for mutual auth.
Sometimes the app specifies a trust store file but the private certs are in the key store. Or the app specifies the same file for both trust store and the key store and the personal certs are actually in a separate trust store file.
Does either of these solve the problem? If not, please update the question with a keytool -cert -list for both the key store and the trust store and the part of the command line or code that sets up the keystore/truststore.