Following the go-daddy documentation :
https://www.godaddy.com/help/tomcat-4x5x6x-renew-a-certificate-5355
The flow:
I've create myDomain.csr and send it to GoDaddy , got reply from them with 3 files ( gd_bundle-g2-g1.crt , gdig2.crt.pem ,59a41eaec32d2046.crt)
I mentioned that the old cert which was expired has a chain structure , unfortunately Go-daddy give me only "flat" certificates.
I tried to make a chain by myself :
cat 59a41eaec32d2046.crt gd_bundle-g2-g1.crt gdig2.crt.pem >> myDomain.crt
after that :
sudo keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file myDomain.crt
sudo keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gdig2.crt
sudo keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file gd_bundle-g2-g1.crt
and change the server.xml exactly as in the documentation
I Attach pictures of how in my opinion it should appear
But Actually after my chain I had :
When I open the Browser GOT:
Secure Connection Failed
An error occurred during a connection to talenttribe.me. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Learn more…
Report errors like this to help Mozilla identify and block malicious sites
Don't understand what I'm missing...is it Chain creation or tomcat issues ??
BR,
You just need to replace tomcat certificate if your renew from existing vendor.
certificate name hexcode.crt Other no need to change. Its works for me.
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file filepath
The issue is that the tomcat.keystore is not being created with chaining intact. To correct that, you will need to isolate the root and intermediate certificates in separate files, and then import them in a specific order. To create a working example, here are some simplifying assumptions:
The 59a41eaec32d2046.crt file contains only the SSL certificate issued by Go Daddy, presumably for an internet facing web server.
The "gd_bundle-g2-g1.crt" file is a concatenation of the Go Daddy intermediate and root certificates.
The "gdig2.crt.pem" file contains a redundant copy of the Go Daddy root certificate.
There is only one intermediate certificate, and it is also the Issuer of your SSL certificate.
The crt files are the base 64 encoded, or "pem", format.
The tomcat.keystore file uses JKS format.
Here are the steps to create the tomcat.keystore, given the assumptions above:
List the contents of gd_bundle-g2-g1.crt:
sudo keytool -printcert -file gd_bundle-g2-g1.crt
The output will include delimiters for each certificate in the bundle. The delimiter for the first certificate will be "Certificate[1]:", and the delimiter of the second certificate will be "Certificate[2]:". Immediately following "Certificate[1]:", you will see the Owner and Issuer records for the first certificate. Likewise, following "Certificate[2]:", you will see the Owner and Issuer records for the second certificate. Also note:
The root certificate is unique in that the Owner is the same as the Issuer (in other words, it is self-signed).
The root certificate is also the Issuer of the intermediate certificate.
List the contents of gd_bundle-g2-g1.crt in "rfc" format:
sudo keytool -printcert -file gd_bundle-g2-g1.crt -rfc
Again, note the delimiters "Certificate[1]:" and "Certificate[2]:" are used with the same meaning as above. But in rfc format, the certificates are listed using base 64 "pem" format starting with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----". That is format that will be needed in the separate root and intermediate certificate files.
Redirect the output of step 2 to a temporary file. Then use a text editor to save the Go Daddy root certificate in a separate file named gd_root.crt.
Be certain to include the entirety of the text beginning with "-----BEGIN CERTIFICATE-----" and ending with "-----END CERTIFICATE-----".
Likewise, save the Go Daddy intermediate certificate in a separate file named gd_intermediate.crt.
Use the "keytool -importcert" command to create the keystore incrementally:
sudo keytool -importcert -noprompt -file gd_intermediate.crt -alias intermed -keystore tomcat.keystore -storepass '!q#wDDfll'
sudo keytool -importcert -noprompt -file gd_root.crt -alias root -keystore tomcat.keystore -storepass '!q#wDDfll'
sudo keytool -importcert -noprompt -file 59a41eaec32d2046.crt -alias tomcat -keystore tomcat.keystore -storepass '!q#wDDfll'
The order of the commands above is important. You need to create the keystore first using the intermediate certificate used by the CA to issue (sign) your SSL certificate. (If there are additional intermediate certificates, those would be added next, until the final intermediate certificate, which is signed by the root certificate, is added.) Next, you add the root certificate. And finally, you add the SSL certificate issued by the CA for your application.
This will fix the issue with the tomcat.keystore file. You might also consider building a custom trust store file, which requires the truststoreFile and truststorePass options within the connector element, as an alternative to relying on Java's cacerts trust store. The commands to do that are similar to the fist 2 commands above, substituting the trust store file name along with the trust store password.
Related
I am trying to establish node to node encryption. I am following datastax online guidance available for ssl encryption on below link- https://docs.datastax.com/en/security/5.1/security/secSetUpSSLCert.html
as per the documentation i have skipped first two steps and followed from step-3.
so, I have created the keystore, using below command-
keytool -genkeypair -keyalg RSA -alias node1 -keystore cassandra.jks -storepass cass123 -keypass cass123 -validity 365 -keysize 2048 -dname "CN=host1, OU=cluster1, O=org, C=US"
after creating the keystore, here the public certificate authority have two level of encryption or certs. first is root.cert and another is intermediate.cert.
when i have checked through below command, intermediate.cert is signed or verifyed by root.cert.
openssl verify -CAfile root.cert intermediate.cert , Got OK in Response.
after than with keystore(cassandra.jks), i have raise the certificate signed request (CSR):
keytool -keystore cassandra.jks -alias node1 -certreq -file cassandra.csr -keypass cass123 -storepass cass123 -dname "CN=host1, OU=cluster1, O=org, C=US"
then after uploading this CSR file (cassandra.csr) to public certificate authority i got in response one Cert.cer file.
so, then i checked whether the Cert.cer file get signed by root.cert or not.
openssl verify -CAfile root.cert Cert.cer
Got unable to load certificate in Response, with error message-
140044398696338:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c707:Expecting TRUSTED CERTIFICATE
Even I have Checked the Cert.cer with intermediate.cert-- got the same above error message.
Is this mean the Cert.cer which i got in response to csr request in not properly signed by certificate authority.
So i have stopped further steps here, which needed for cassandra ssl implementation.
Please, let me know, if i miss something or doing in wrong manner. much appreciated all help and suggestions
This issue is resolved, due to platform issue certs generated have extras carriage characters ^M. after removing this and merging root and intermediate certs together it works fine.
I have generated the CSR request on our wintel server ( we need to bind our application hosted on this server for Https) using below commands in keytool:
Keytool -genkey -alias <server name> -keyalg RSA -keysize 2048 -keystore <server name>.keystore
Enter keystore password - changeit
Confirm the password – changeit
Common Name: ******
Organization: ***
Organization Unit: **
Locality: ****
State: ***
Country: **
Enter key password or hit enter to keep same as keystore password
keytool -certreq -keyalg RSA -alias <server name> -file certreq.csr -keystore <server name>.keystore
Two files are generated
certreq.cer
.keystore
I send the two files to the concerned team, they got the SSL certificate and installed it on the same server.
Now the certificate is there in console root\certificates (local computer)\personal\certificates but its not appearing in IIS for binding. The team is now asking me for the private key to resolve the issue.
Can someone let me how to get the private key from the .cer and .keystore file?
And if you can point out the reason why certificate is not appearing in IIS and how to resolve it, I would really appreacite that.
P.S: I am not sure if this is the right place for this question. Help me out to know the right place if this is not.
Edit: For someone stuck with same questions, check out the answer
by garethTheRed here- https://serverfault.com/questions/943496/how-to-install-cer-and-p7b-certificates-to-use-in-iis/943500#943500
In my case, the certificate received from CA was directly installed, thats why it was not private key verified, and was not appearing in IIS also. We had to import the public key(the .cer file) to the keystore
keytool -importcert -file certificate.cer -keystore <server name>.keystore -alias <server name>
and then convert the keystore to a PKCS#12, with:
keytool -importkeystore -srckeystore <server name>.keystore -destkeystore <server name>.pfx -srcstoretype JKS - deststoretype PKCS12 -deststorepass <new password>
Then we imported the pfx in certificate store.
I have generated the certificate and added to trust store using the below commands
keytool -genkey -alias CERT-ALIAS -keyalg RSA -keysize 2048 -validity 365 -keystore Certificate_Online
keytool -certreq -v -alias CERT-ALIAS -keystore Certificate_Online.jks -file Certificate_Online.csr
keytool -export -alias CERT-ALIAS -file Certificate_Online.cer -keystore Certificate_Online
i modified my server.xml as below
server.xml:
<Connector port="2222" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/jdk1.6.0_32/bin/Certificate_Online.jks" keystorePass="changeit" />
still when i try to open the link in the broswer
it is showing This site can’t be reached ,ip refused to connect. please help me out . tried a lot but could find where the problem is.
thanks a lot in advance .
The reason that this is not working is that the certificate is not trusted. You generated a Certificate Signing Request, but it does not appear to have been signed (by a Certificate Authority).
In order to get around this for testing you can add your certificate to your own trusted certificate store. In Linux you should be able to do this by using the keytool -import command in your JRE. Something like this:
keytool -import -file /jdk1.6.0_32/bin/Certificate_Online.cer -alias CERT-ALIAS -keystore "/jre/lib/security/cacerts" -storepass changeit
In Windows you can double click on the .cer file, click "Install Certificate" and place the certificate in the "Trusted Root Certification Authorities" store.
I added a self-signed certificate to my Teamcity BuildServer to introduce https support so that it can now be accessed at
https://ServerUrl:8443
(More details about how here )
The result was that I was able access the server via https, but my build agent was now disconnected. How to fix this?
The build agent works as a client to the build server and communicates with it using http/https, and it turns out that when you add a self-signed certificate the build agent does not accept it.
I needed to
Let the build agent know the new path for communicating with the server
Let the build agent know that it could trust the self-signed certificate
To change the path I did the following (see this post for more details )
Locate the file:
$TEAMCITY_HOME/buildAgent/conf/buildAgent.properties
Change the property
serverUrl=http:\://localhost\:8080 to your new url
To let the build agent know that it could trust the new certificate I had to import it into the build agent's key store.This was done using keytool:
keytool -importcert -file <cert file>
-keystore <agent installation path>/jre/lib/security/cacerts
( unless you've changed it, the keystore is protected by password: changeit)
The TeamCity team describes this process in slightly more details here
NOTE
If you need to retrieve your certificate from the TeamCity buildserver keystore, you can also use keytool to do this :
keytool -export -alias <alias name>
-file <certificate file name>
-keystore <Teamcity keystore path>
Here is a link to the TeamCity v8 documentation on the keytool.
I was doing this on a Windows Build Agent and had a self-signed SSL cert on my Amazon Linux Build Server. Here were the steps I took:
Went to build server in browser on Build Agent i.e. https://teamcity.example.com
Clicked on the certificate error in the URL and downloaded the cert to the local machine
Exported the certificate from the certificate explorer in windows into a cer file.
Used the keytool exactly as specified in the documentation
> keytool -importcert -file <cert file where it was exported to>
-keystore <path to JRE installation>/lib/security/cacerts
password: changeit
Restarted the build agent and viola!
Created Private Key & Self signed certficate in a Key Store
keytool -genkey -alias mydomain -keystore mydomain.ks -dname cn=mydomain.com -keyalg RSA -sigalg SHA1withRSA
Created Certificate Request and sent to Internal CA
keytool -certreq -alias mydomain -keystore mydomain.ks -file mydomain_project.csr
Once Internal(Company) CA issues the certificate - which looks like something like this
e.g.
-----BEGIN CERTIFICATE-----
MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAmowggHXAhAF
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNVBAYTAlVTMSAw
E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6
-----END CERTIFICATE-----
Copied this to a .pem file
Update the self signed certifcate in (identity) KeyStore with CA signed certificate & Created a new Java Key Store(Trust) CA signed certificate(using the .pem file)
keytool -import -alias mydomain -trustcacerts -file company_cert.pem -keystore mydomain.ks
keytool -import -alias mydomain -trustcacerts -file company_cert.pem -keystore trust.jks
On Weblogic I imported the keystores as follows and Enabled SSL.
Identity - mydomain.ks (with Private Key + CA certificate)
Trust - trust.jks (which has CA certificate)
Issue: Once I hit my internal site deployed on the weblogic. I get a message - Not a trusted certificate.
I then download the certifcate from the browser only then https works.but the certificate shows it is signed bythe domain name I gave, instead of my Internal CA name.
Question: I expected it to work(with out actually downloading again) as I already have Internal CA certificates and other internal applications work on https. Did I do any thing wrong?
I am not sure how/where you imported the certificate as you say but the browser has a different truststore than java.
So you have to add it as an exception to its truststore the first time you access the site.
As far as the domain name that is displayed the browser pops up the certificate as send by the server
I solved my problem. Thanks user384706.
Basically once you get a signed .pem file(with START & END) from CA.
Before you import this signed certificate to replace the self-signed in your keystore(Identity Keystore to be configured on WebLogic). We need to make sure
1) CA root certificates(Verisign's or your company signed CA certificates) are imported to the same Keystore. You can find CA root certs on your windows box (run-certmgr.msc).
2) Also make sure that all these alias names are the same -
self-signed cert
cert request
while importing CA cert