I am trying to contact a service over https using RestTemplate. I have got their crt and I added it to java cacerts truststore and everything worked.
But now If I wanted to remove it from cacerts and add it to my a trust store that exist in resource folder
so I have the following in the properties file
server.ssl.trust-store=classpath:service1.truststore
server.ssl.trust-store-password={pass}
I added the crt to service1.truststore
This does not work..... I get
SunCertPathBuilderException: unable to find valid certification path to requested target
Can someone explain the difference here between adding the cert to my truststore vs cacerts?
I have the same CAs in both truststores.
Related
I have .cer and .p7b certificate I tried to apply it on my ssl config file but my apache suddenly crash so I retain the previous settings which is ca.crt and the apache return to active status.
Question 1 should I need to convert my .cer file to .crt before applying it on my ssl config?
Question 2 How to convert the file and make it compatible with my server/ssl?
If you need more details, let me know. Thank you!
I am trying to install native-image for my GraalVM in Windows environment. In cmd, I used the below command,
gu install native-image
But it shows this error,
Downloading: Release index file from oca.opensource.oracle.com
Error: Error reading component list: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As the error states your environment from which gu is estabilishing a secure connection to the remote repository cannot verify the certification path of the repository. In other words your JVM does not trust oca.opensource.oracle.com.
The $JAVA_HOME/lib/security/cacerts file contains the collection of trusted CA used by JVM when running gu. Apparently this file in your JDK is missing the certificate chain of your repository.
Adding new trusted certificate
Download oca.opensource.oracle.com repository's root certificate.
Open $JAVA_HOME/lib/security/cacerts file in elevated mode with e.g. KeyStore Explorer or modify it with keytool. Default password is changeit.
Add new trusted CA from 1.
Save and close.
Useful sources
SSL and cert keystore
Difference Between a Java Keystore and a Truststore
In our organization the issue was in the man-in-the-middle SSL firewall product as mentioned by prunge.
Is there any example/tutorial to build and configure TLS-secured restful service using quarkus.io?
Unfortunately I can not find one neither at quarkus documentation, no here.
Thanks mr. Guillaume Smet, I found the solution. Here is "from zero to hello in 5 minutes with Quarkus and SSL guide". This is done by quarkus undertow plugin. Also you will need text editor, jdk 1.8+ and maven installed.
Frist, create the project.
mkdir restls
cd restls
mvn io.quarkus:quarkus-maven-plugin:create -DprojectGroupId=org.acme -DprojectArtifactId=restls -DclassName="org.acme.HelloResource" -Dpath="/hello" -Dextensions="undertow"
Open your application config file src/main/resources/application.properties with any editor and add lines:
quarkus.http.port=80
quarkus.http.ssl-port=443
quarkus.http.ssl.certificate.key-store-file=keystore.jks
Create keystore containing self-signed certificate (answer all questions and specify password namelly "password"):
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 365 -keysize 2048
The file keystore.jks must be in the src/main/resources/ folder.
Build the project:
mvnw clean package quarkus:build
Now try it out:
java -jar target/restls-1.0-SNAPSHOT-runner.jar
Navigate to https://localhost/hello and allow your browser to trust certificate. That's all.
You can override options in invocation time like this:
java -Dquarkus.http.ssl.certificate.key-store-file=/path-to-keystore/keystore-name.jks -jar target/restls-1.0-SNAPSHOT-runner.jar
Finally, here is the concerning options list:
quarkus.http.ssl.certificate.file -- The file path to a server certificate or certificate chain in PEM format.
quarkus.http.ssl.certificate.key-file -- The file path to the corresponding certificate private key file in PEM format.
quarkus.http.ssl.certificate.key-store-file -- An optional key store which holds the certificate information instead of specifying separate files.
quarkus.http.ssl.certificate.key-store-file-type -- An optional parameter to specify type of the key store file. If not given, the type is automatically detected based on the file name.
You can specifiy either certificate + key files in PEM format or keystore.
It is indeed supported by our Undertow extension but, unfortunately, not documented.
You can define things like the following:
quarkus.http.ssl.certificate.file=...
quarkus.http.ssl.certificate.key-file=...
...
in your application.properties.
The config entry point is ServerSslConfig (see https://github.com/quarkusio/quarkus/blob/master/core/runtime/src/main/java/io/quarkus/runtime/configuration/ssl/ServerSslConfig.java#L41). You then add the nested properties with dots and transform camel-case to dashes.
If you want to build a native executable, there's a good chance you will have to add quarkus.ssl.native=true too.
If you have feedback or if you want to contribute a guide for that, feel free to join us on Zulip or open issues/PRs on GitHub.
When try to connect to update sites under help->Install New Software I get:
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have tried to import the certificate into the truststore as well as set it in the sts.ini file but to no avail.
Any help greatly appreciated!
I encountered a similar issue while trying to add templates to STS (3.6.2). The issue was my organization's usage of an SSL inspection tool that presents its certificate instead of the real one (GitHub.com).
The solution was to export the SSL inspection's certificate (using IE for example) and add it to the cacerts file. Use this article for the procedure.
Then update the sts.ini file and add the following lines:
-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\cacerts
-Djava.net.ssl.trustStorePassword=changeit
Finally - restart STS.
I have a c# program and part of it creates a self-signed certificate.
The problem is when i try to import the certificate in MMC it says "This certificate has an invalid digital signature."
And when i try to add this certificate through command prompt using netsh http add it says:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I've tried all suggestions from other questions similar to this but to no luck.
I've also tried downloading Hotfix from Microsoft but it didnt work.
By the way, my machine is running in Windows7-64bit.
I ran into an answer here The basic issue is that DC authority cert creators get sloppy and create multiple certs for the same DC cert authority. I had my self-signed cert created using latest and grates DC cert authority certificate. I had to export and install both root cert and a self signed cert on my destination machine for it to recognize self signed cert used on the server. But the root cert I exported was a cert with the same name but different dates. Once I located the proper root cert and installed it on my destination computer everything worked flawlessly.
In my case it was due to an old self signed certificate with a small key length.
I found the solution here - https://security.stackexchange.com/a/82606/26742 to reduce the security (only in my dev environment)
certutil -setreg chain\minRSAPubKeyBitLength 512