i am using maven3.3, without any settings without import https's website's server certificate and root CA into java truststore. everything is working. how come??? I am expected https connection deny!
any hints will be more than welcome!
my maven3.3 is downloading artifacts successfully from maven central repository https://repo.maven.apache.org/maven2
the server certificate(repo.maven.apache.org ) is issued by DigiCert SHA2 Secure Server CA
none of them are imported into java (which is used by maven)'s key store.
The certificate DigiCert SHA2 Secure Server CA is an intermediate certificate which is signed by DigiCert Global Root CA. The latter is included in Java's default keystore (located in $JAVA_HOME/jre/lib/security). Use OpenSSL to show the certificate chain for repo.maven.apache.org:
openssl s_client -showcerts -connect repo.maven.apache.org:443 < /dev/null 2>/dev/null
(Look for "Certificate chain".)
Use Java's keytool to show the list of trusted certificates in the default keystore:
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
You will notice a certificate with the alias digicertglobalrootca which is the above mentioned DigiCert Global Root CA.
Related
I'm experimenting with Spring Boot to create a WebApp.
In order to create a SSL certificate I issue the following command:
keytool -alias devssl -keystore devssl.p12 -genkeypair -keyalg RSA -sigalg SHA256withRSA /
-keysize 2048 -storetype PKCS12 -validity 365 -dname "CN=Frankie, OU=Frankie O=Frankie, /
L=City, S=State, C=UK" -ext SAN=DNS:localhost,DNS:blueye,IP:127.0.0.1,IP:10.1.1.2"
Which from what I can understand means that such certificate will be valid for the following addresses:
localhost
blueye
127.0.0.1
10.1.1.2
The certificate is very easy to install on Spring:
server.ssl.key-store-type=PKCS12
server.ssl.key-store=devssl.p12
server.ssl.key-store-password=password
server.ssl.key-alias=devssl
security.require-ssl=true
After I install the certificate under Trusted Root Certification Authorities in Windows it also works great.
I just can't get it to work under iOS.
I email myself the certificate.
Install it on the iPhone.
But I always get the "this connection is not private".
Any idea how to make this work on iOS?
I was pushing on this trying to get iOS to accept a self-signed certificate as the single source of truth. I got to work around it by issuing a proper personal Certificate Authority. Making iOS trust that authority. And then signing the website with a certificate validated by that authority.
I will describe the needed commands as they may save someone a couple of hours. The following is a "birds eye" of what we'll do.
AUTHORITY - this will act as the source of trust for all certificates you sign. You will have to install the Authority on every single machine/phone you'll want with custom certificates
Generate a private key for a Certificate Authority (CA)
Generate a Certificate for the Certificate Authority (CA)
Install Certificate Authority on Windows
Install Certificate Authority on iOS
CLIENT - we can issue private keys for all our projects inside our network. Those private keys will be validated by our own generated and installed authority.
Generate a private key for the client
Generate a Certificate Sign Request (CSR)
Have CA sign the CSR thus generating the client Certificate
Merge the client certificate and the CA certificate into a pkcs12 file which is read by Spring
Now for the actual commands:
Generate a private key, we'll also use an identical command to generate one for the client:
openssl genrsa -des3 -out myCA.key 2048
Generate a certificate for your Certificate Authority. You'll be asked several questions, none of them really matter, they will only serve to identify your certificate to yourself.
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.crt
You now have three files. The myCA.key (private key) and the myCA.pem and myCA.crt which are the certificate file for your certificate authority.
Install on Windows:
Click the myCA.crt file on Windows and follow screen instructions. Then click Start -> Run -> `` certmgr.msc`. It will open the Windows Certificate Manager. You will find the certificate you installed under "Intermediate Certification Authorities". You'll want to drag that file to "Trusted Root Certification Authorities".
Install on iOS:
Email the myCA.pem file to yourself. Open the email on iOS using the Apple Mail App. Follow the instructions and certificate will be installed. To uninstall you can go to Settings -> General -> Profile. After proper installation iOS requires a second step for you to trust the certificate, you must go to Settings -> General -> About -> Certificate Trust Settings and Enable Full Trust For Root Certificate.
You now have a local CA (Certificate Authority) installed on both your Windows machine and your iOS phone. Lets create a website certificate.
Generate a private key for the website.
openssl genrsa -des3 -out myWebsite.key 2048
Generate a CSR (Certificate Sign Request):
openssl req -new -key myWebSite.key -out myWebsite.csr
Now that we have the website key and the certificate sign request we need to create a config file that openssl will use to generate our website certificate. Create a file called myWebsite.ext with the following info. The only thing you must make sure is the alt names. You can have both IP's and DNS. Be sure to enter all the alternatives that your site will use.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = mywebsite
DNS.3 = mywebsite.local
IP.1 = 10.1.1.3
IP.2 = 127.0.0.1
Now we'll use the CA certificate and private key together with the CSR (Certificate Sign Request) and the config file to generate a proper certificate for the website. Since iOS 13 Apple only allows a max of 825 days on certificates so that's what we'll use.
openssl x509 -req -in myWebsite.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out myWebsite.crt -days 825 -sha256 -extfile myWebsite.ext
You'll now have the following files:
myCA.key - certificate authority private key
myCA.pem - certificate authority certificate pem format
myCA.crt - certificate authority certificate crt format
myWebsite.key - website private key
myWebsite.csr - website certificate sign request
myWebsite.ext - website config file for openssl sign request
myWebsite.crt - website certificate crt format
The only thing missing is to convert the myWebsite.crt to p12 format which we can do with the following command:
openssl pkcs12 -export -in myCA.crt -inkey myCA.key -in myWebsite.crt -inkey myWebsite.key -name myWebsite -out myWebsite.p12
Now, to make Spring Boot use this certificate just open application.properties file and make sure it has these lines:
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate, place it src/main/resources
server.ssl.key-store=classpath:myWebsite.p12
# The password used to generate the certificate
server.ssl.key-store-password=PASSWORD-USED
# The alias mapped to the certificate (the -name myWebsite on the last command)
server.ssl.key-alias=myWebsite
# force SSL
security.require-ssl=true
And there you have it. A dev or internal project with proper SSL validation. Hope this saves someone some time.
It looks like you were having trouble creating the certificates correctly, for a great guide on how to do that, check out:
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
If you follow it exactly, and know what your DNS name is, and what cipher you are using, you shouldn't have any problems. I provide my configuration files for making the certificates, along with a project that helps with sockets, below:
https://github.com/eamonwhiter73/IOSObjCWebSockets
I have configured HTTPS on a Keycloak server by placing a certificate A.crt in a Java keystore and configuring that keystore in standalone.xml. HTTPS access has worked well from a given client so far. The certificate is signed by an intermediate CA B, which is signed by a root CA C.
I now encounter problems when accessing Keycloak from another client. It says: "unable to get local issuer certificate" or "certificate signed by unknown authority" (depending on the client software). I'm quite sure the root cause is that CA certificate B.crt is not known to this client. A strong indication is that I can access Keycloak from that client with curl --cacert B.crt https://keycloak....
Since I cannot predict which clients will have what CA certificates installed I would like to configure a bundle consisting of A.crt, B.crt, and C.crt as root certificate. If this were a server that directly took a PEM certificate I would use the bundle resulting from cat A.crt B.crt C.crt > bundle.crt, but because of its use of a Java keystore this is not an option with Keycloak.
So how can I store a server certificate bundle (it that's the right terminology) into a Java keystore so that Keycloak can make use of it in such a way that "all" clients can access the service?
UPDATE I've tried adding the intermediate and root certificates B and C to the keystore already used by Keycloak, but this did not solve the current issue:
keytool -import -alias b -file B.crt -keystore $KEYSTORE
keytool -import -alias c -file C.crt -keystore $KEYSTORE
You said having a keystore configured in your standalone.xml where A.crt was imported, but do you have a truststore? You could try adding B.crt in your truststore.
I have a c# program and part of it creates a self-signed certificate.
The problem is when i try to import the certificate in MMC it says "This certificate has an invalid digital signature."
And when i try to add this certificate through command prompt using netsh http add it says:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I've tried all suggestions from other questions similar to this but to no luck.
I've also tried downloading Hotfix from Microsoft but it didnt work.
By the way, my machine is running in Windows7-64bit.
I ran into an answer here The basic issue is that DC authority cert creators get sloppy and create multiple certs for the same DC cert authority. I had my self-signed cert created using latest and grates DC cert authority certificate. I had to export and install both root cert and a self signed cert on my destination machine for it to recognize self signed cert used on the server. But the root cert I exported was a cert with the same name but different dates. Once I located the proper root cert and installed it on my destination computer everything worked flawlessly.
In my case it was due to an old self signed certificate with a small key length.
I found the solution here - https://security.stackexchange.com/a/82606/26742 to reduce the security (only in my dev environment)
certutil -setreg chain\minRSAPubKeyBitLength 512
I'm using the excellent Charles proxy to make web debugging easier. I'm using it's SSL proxying abilities, and have installed the generic CA Certificate that it comes bundled with. While this works, it's insecure because as long as my browser trusts this certificate, I am vulnerable to a MIM attack.
I'm trying to use OpenSSL to create a "Custom CA Certificate" since Charles allows to fix this. These are the steps I'm following:
NAME=daaku-ca
openssl genrsa -out $NAME.key 1024
openssl req -new -key $NAME.key -out $NAME.csr
openssl x509 -days 3650 -signkey $NAME.key -in $NAME.csr -req -out $NAME.crt
openssl pkcs12 -export -out $NAME.pfx -inkey $NAME.key -in $NAME.crt
Following these steps I end up with a Self signed root certificate $NAME.crt that I successfully imported into my Mac OS X keychain. And while the $NAME.pfx in Charles works and is being correctly used if I enter a password for it, it does not work if there's no password.
My question is how do I generate a certificate that works in Charles and does not need a password.
I blogged about how to use a Custom SSL Certificate with Charles and in the last section I address the problem of having to type in the password every time Charles launches.
http://codeblog.shape.dk/blog/2014/01/06/custom-ssl-certificate-with-charles-web-proxy/
Since Charles 3.10 came out this is not an issue anymore since each installation generates its own certificate. So even if you trust the Charles-generated Certificate, you won't be susceptible to MIM attacks by other Charles users.
Per version 3.10 release notes:
Version 3.10 21 March 2015
Major new features, improvements and bug fixes.
SSL changes
SSL certificate root certificate change to generate a unique
certificate for each installation of Charles (see SSL Proxying in the
Help menu) SSL Proxying now has its own settings menu item in the
Proxy menu Please note that these changes will affect the way you
currently use Charles for SSL Proxying. You will need to install and
trust a new certificate, which will be automatically generated for
you. You can install that certificate on your computer using the
options in the Help menu, under SSL Proxying. You can also export the
certificate, to send to other systems, or browse to download the
certificate to install on mobile devices such as iPhones.
For various reasons I have created a simple HTTP server, and added SSL support via OpenSSL. I'm using self-signed certificates. IE, Firefox and Chrome happily load content as long as I add the CA to the trusted root CAs.
However, wget (even when using the --no-check-certificate flag) reports:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
If I run the OpenSSL client against my server using:
openssl s_client -connect dnvista:82 -debug
I get back:
verify error:num=19:self signed certificate in certificate chain
verify return:0
and then
5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
Do wget and the OpenSSL client simply not work with self-signed certificates?
UPDATE:
For anyone that comes along later, adding this code helped with the OpenSSL client and Firefox:
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed certificate as a valid CA certificate locally.
To do this, specify the certificate as --ca-certificate=... in wget and -CAfile in the s_client case.
You can also install trusted root CA certificates into OpenSSL in one of a number of ways:
Put your CA certificate in /etc/pki/tls/certs or equivalent directory, then create a link based on the certificate hash. See http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl for details.
Append your CA certificate to /etc/pki/tls/certs/ca-bundle.crt, /etc/pki/tls/cert.pem, or equivalent CA bundle.