I have an applet jar that I've signed using a key I created and stored using:
keytool.exe -genkey -keyalg rsa -alias myKey
Then I generated a certificate using:
keytool.exe -export -alias myKey -file myCertificate.crt
Finally I signed my applet jar using:
jarsigner.exe myJar.jar myKey
I assume the signing went well because I got only the following message:
Warning:
The signer certificate will expire within six months.
But when I tried to run the applet in Chrome using a simple html, my java console shows the following messages:
...
security: Trust in: *myJar.jar* expired: Wed Dec 31 19:00:00 COT 1969
...
basic: your security settings have blocked a self-signed application from running
ExitException[ 0]com.sun.deploy.security.BlockedException: your security settings have blocked a self-signed application from running
at com.sun.javaws.security.JNLPSignedResourcesHelper.performSecurityCheckForSandbox(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Why is the certificate supposed to be expired? Or what could be the problem? Any ideas?
Note: I also added my site to Java's site list in Security tab of Java Control Panel
Related
I have a java application developed in play framework. I know that we can use keystore to serve data through https for the play application.
I obtained a certificate of Let’s Encrypt using certbot for my domain. Then i made a pkcs12 file using openssl command and a keystore using keytool.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -CAfile cert.pem -caname root -passout pass:somepassword
keytool -importkeystore -srckeystore cert_and_key.p12 -srcstoretype pkcs12 -destkeystore keyStore.jks -deststoretype jks -storepass somepassword
I then pointed my play app to the keystore as follows on the application.conf file
play.server.https.keyStore.path = “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
play.server.https.keyStore.type = “JKS”
play.server.https.keyStore.password = “somepassword”
When i run the application it runs without a hitch. But when I open the application where it needs to validate through https I get following error:
[^[[31merror^[[0m] p.c.s.NettyServer - cannot load SSL context
java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider(NettyServer.scala:89)
at play.core.server.NettyServer$$anonfun$channelSink$1.apply(NettyServer.scala:158)
Caused by: java.lang.Exception: Unable to find HTTPS keystore at “/etc/letsencrypt/live/test.onlinemanpower.com/keyStore.jks”
at play.core.server.ssl.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:56)
at play.core.server.ssl.DefaultSSLEngineProvider.(DefaultSSLEngineProvider.scala:24)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:96)
at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:32)
at play.core.server.NettyServer.liftedTree1$1(NettyServer.scala:91)
at play.core.server.NettyServer.play$core$server$NettyServer$$sslEngineProvider$lzycompute(NettyServer.scala:90)
The keystore file exists on the said location. I have tried giving the permission 777 just to check and it still does not work.
Any idea what I am missing on this?
I'm trying to set up an ssl connection to a mongodb instance I have running in a container on my machine and keep running into,
nioEventLoopGroup-2-4, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I created a self signed .pem for mongo with,
openssl req -x509 -newkey rsa:4096 -keyout mongo.key -out mongo.crt -days 365 -nodes
cat mongo.key mongo.cert > mongo.pem
Moved those into a folder, mounted it as a bind volume in my container and added
--sslMode requireSSL --sslPEMKeyFile /etc/boundfolder/mongo.pem
to the mongo startup. I can connect to this with the mongo client.
I am setting up my mongo client in scala like so,
val hostConf = ClusterSettings.builder().hosts(List(new ServerAddress(hostName)).asJava).build()
val clientSettings = MongoClientSettings.builder()
.streamFactoryFactory(NettyStreamFactoryFactory())
.clusterSettings(hostConf)
val withTLS = clientSettings.sslSettings(
SslSettings.builder()
.enabled(true)
.invalidHostNameAllowed(true)
.build())
MongoClient(withTLS.build())
Lastly, I created a keystore with,
keytool -importcert -trustcacerts -file mongo.crt -keystore mongo.keystore
and am starting the application with the following parameters,
-Djavax.net.ssl.keyStore=/path/to/mongo.keystore -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=SSL
I'm pretty sure the issue is either what, or how, I'm adding the self signed cert to the keystore. Thanks for any help you can give.
I try to connect with Java 8 via HTTPS to a JNLP file on a an intranet server which has a self-signed TLS certificate.
When Java Web Start tries to load the first resource (a file from that server) specified in the JNLP try, it throws an exception:
javax.net.ssl.SSLHandshakeException: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
...
Caused by: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
... 39 more
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 46 more
Any idea?
Indeed we did not specify the OCSP responder. But is this really a problem? Interestingly this works on the machine of my workmates (they only get a warning). Some days ago I temporarily installed Java 9 to test something. Is it possible that this mixed something up? I uninstalled it again, btw.
My current workaround is to set “Perform TLS certificate revocation checks on” in the Java Control Panel (Tab “Advanced”) to “Do not check (not recommended)”. But I do not like that.
I got past this today, was just an issue with my certificates - recreated my Keystore, but my truststore was missing the new root/intermediate cert that was specified in the website's certificate. I went back and added the certs to the truststore and restarted the site, and it worked.
keytool -import -trustcacerts -alias root -file NewRoot.cer -keystore cacerts
keytool -import -trustcacerts -alias "Intermed Name Here" -file NewInt.cer -keystore cacerts
-- I was going down a dead-end chasing the OCSP responder when Java was really checking CRL and OCSP, in that order. Fixing the Truststore / CAs was really all that was needed.
Brent
I have a keystore, which contains only 1 keypair (foo). From that keypair, I generated a csr, which was signed by a CA using the certificate bar (bar is the issuer of foo). The issue I have is that I'm unable to import back the certificate foo in my keystore with this command
keytool -importcert -alias foo -file foo.p7b keypass 123456 -keystore keystore.jks -storepass 123456
It failed with the error
Failed to establish chain from reply.
If add the public certificate bar in my keystore, then it is working fine.
Therefore, one will simply think that I absolutely need to insert the public certificate bar in my keystore, but what is bugging me here is that if I use KeyStore Explorer to import the certificate foo in my keystore (which is only containing the keypair foo), then it is working fine. In other word, I able to import the certificate with KeyStore Explorer ("Import CA reply"), but not keytool.
Is anyone have an idea what I'm doing wrong ?
I am currently testing with EJBCA while having a problem in accessing the administration page.
The EJBCA-4.0.13 is running on CentOS 6.2, with apache-ant-1.8.4, jboss-5.1.0-GA, mysql and mysql-connector-java. Installation is OK and no error occured in the jboss server log and I can access the EJBCA public web page with the url: https://:8443/ejbca. While I cannot access the administration page(https://:8443/ejbca/adminweb) with this information:
Authorization Denied
Cause: Your certificate is revoked or cannot be located in the database.
Any idea will be appreciated!
This is done in LocalCertificateStoreSessionBean.authenticate method. This could mean that you have not properly generated SuperAdmin certificate, or it is revoked, timed out or is issued by another CA that EJBACA's AdminCA.
Check your superadmin.p12 with:
openssl pkcs12 -nokeys -in ./superadmin.p12 -out superadmin.pem
openssl x509 -in ./superadmin.pem -text