WSO2 4.6.0 - unable to install CA certificate. Always falling back to default certificate - certificate

We are trying to install a third-party CA certificate on our WSO2 ESB server (Linux). We are unable to install the CA certificate; the server always falls back to the default certificate.
While the WSO2 service is started, it shows that the new cert is being referred and loaded, but at client browser, it gives error and shows the default inbuilt cert.
Can someone guide us to where we need to look for errors?
We followed the instructions from
http://wso2.org/library/knowledge-base/2011/08/adding-ca-certificate-authority-signed-certificate-wso2-products
All steps were followed correctly.

Sreejith, the document you're following is correct. I've used the same to configure our servers.
You can get the certificate being used by your server by executing this from a consumer host (client):
echo -n | openssl s_client -connect esb.yourdomain.co.nz:8243 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.cert
Then you can see if the certificate being used is the one you expect.
To replace the default certificate, you'll need to replace the $WSO2_HOME/repository/resources/security/wso2carbon.jks keystore and modify $WSO2_HOME/repository/conf/carbon.xml and $WSO2_HOME/repository/conf/axis2/axis2.xml with the new keystore (along with alias and passwords) wherever necessary.
According to my experience, the keystore needs to be replaced. You cannot simply add your certificate to the existing keystore; you need to force the WSO2 server to use your certificate by making it the only certificate in the keystore. Also, the certificate CN and alias must match your server hostname (as in the URL) for this to work.
Then add the certificate to the $WSO2_HOME/repository/resources/security/client-truststore.jks keystore.
And don't forget to restart the server after the changes.
Regards

Create developer certificate on windows 10

I just tried creating a trusted developer certificate on my local machine (Windows 10).
I followed the commands listed below.
First, to verify whether any certs exist:
C:\>dotnet dev-certs https --check
No valid certificate found.
Then I create the trusted certificate:
C:\>dotnet dev-certs https --trust
Trusting the HTTPS development certificate was requested. A confirmation prompt will be displayed if the certificate was not previously trusted. Click yes on the prompt to trust the certificate.
The HTTPS developer certificate was generated successfully.
I clicked on the prompt to trust the certificate.
Then I ran the following command to verify the created certificate on the machine:
C:\>dotnet dev-certs https --check
No valid certificate found.
Looks like the certificate has not been created.
Has anyone experienced the same? Any fix or workaround for this?
Any thoughts?
Thanks
~RSF
I experienced the same issue today.
I had to:
Close all browsers. I closed VS Code to be safe also.
Remove all of the certificates for my Windows current user in the certificate store.
dotnet dev-certs https --clean
dotnet dev-certs https --trust
dotnet dev-certs https --check
I did that based upon Windows - certificate not trusted

How to display a server's certificate when the cert is signed by an unknown CA?

I have a server that is giving me TLS problems and I would like to view the cert it is presenting in order to help diagnose the issue. Normally, I would use openssl to display the cert like so:
$ openssl s_client -connect facebook.com:443
However, I don't know what CA signed this server's cert. I thought it was our internal CA but testing suggests otherwise. Thus I cannot use openssl's -CAfile or -CApath flags to specify the CA.
One more restriction. The server is not an HTTP server (it's postgres), otherwise I would just use curl --insecure.
I tried using the -verify flag because according to OpenSSL's documentation:
The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure.
It claims to continue after all errors so all problems can be seen. However, all I get is:
1737:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
That is the error message I get with or without -verify.
So how can I view the certificate presented by the server?
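The question above (and the WSO2 answer earlier on this page, which uses openssl s_client for the same purpose) is about seeing which certificate a server actually presents, regardless of whether it chains to a CA you trust. For a PostgreSQL port that is not a plain TLS listener: the client must first send the protocol's 8-byte SSLRequest packet and wait for an "S" reply before the TLS handshake begins, which is why a bare openssl s_client fails at handshake time (newer OpenSSL versions offer -starttls postgres for this). The following is an added example, not code from the original posts: it performs that upgrade in Python with verification deliberately turned off, so an unknown CA or hostname mismatch does not abort the handshake, and prints the SHA-256 fingerprint and PEM of the leaf certificate for comparison against the one you think you installed. Host and port are assumptions supplied on the command line.

```python
import hashlib
import socket
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) followed by the protocol's magic code 80877103.
PG_SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest packet a libpq client sends before starting TLS."""
    return struct.pack("!ii", 8, PG_SSL_REQUEST_CODE)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form browsers and keytool display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert(host: str, port: int = 5432, timeout: float = 5.0) -> bytes:
    """Upgrade a PostgreSQL connection to TLS and return the server's leaf cert (DER).

    Verification is disabled on purpose: the goal is to see what the server
    presents, not to trust it, so a cert from an unknown CA is still returned.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        reply = sock.recv(1)
        if reply != b"S":
            # "N" means the server will not do TLS on this port at all;
            # that failure mode has nothing to do with which CA signed the cert.
            raise RuntimeError(f"server declined TLS (reply {reply!r})")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def describe(der: bytes) -> str:
    """Human-readable summary: fingerprint plus PEM for inspection with openssl x509."""
    return "sha256 fingerprint: %s\n%s" % (sha256_fingerprint(der), ssl.DER_cert_to_PEM_cert(der))


if __name__ == "__main__":
    import sys
    # Assumed invocation: python3 pgcert.py db.example.internal 5432
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5432
    print(describe(fetch_server_cert(sys.argv[1], port)))
```

Pipe the PEM part of the output into openssl x509 -noout -subject -issuer -dates to read the subject, issuer and validity, and compare the fingerprint with the certificate you expect the server to be using.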

Mutual Auth in JBoss vs WebSphere

I'm working on JBoss 5 and WAS 7.
I was able to run my application via Mutual Authentication on JBoss following this doc:
https://community.jboss.org/wiki/SSLSetup/
Following the above doc I created server.keystore and server.truststore files that I injected into the JBoss server, and everything works fine.
Now, I want to run the same application via Mutual Auth on WAS.
On WAS, the trust store and keystore are specified by navigating to
Security > SSL certificate and key management > SSL configurations > New > Key stores and certificates
But there I don't see any type related to .keystore and .truststore. (snap below)
My question: what is the equivalent of .keystore and .truststore that can be used in WAS, or what's the way to set up browser-based Mutual Authentication on a WAS server?
I'm using WAS 7.0.0.21.
Keystores and truststores are the same format in WebSphere. You choose the file format, but any of those formats can be used for either store.
You then point a configuration at specific files.
Security > SSL certificate and key management > Manage endpoint security configurations
Alternatively, what has been simpler for us is to use the existing default stores WebSphere already has and add our certificates to those.
Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore
Or CellDefaultTrustStore or NodeDefaultKeyStore, etc.
The link helped me set up SSL on WAS. I just had to add a couple of steps to enable it for browser-based Mutual Authentication.
Since I had to do a POC, I'm using self-signed certificates.
In an ideal scenario certificates will be signed by a Certificate Authority, and the certificate of the Certificate Authority will be imported into the trust store of the WAS server.
Here are the steps:
Change the password for Default KeyStore and Default TrustStore in WAS
Create a Client Certificate in WAS
Create a Server Certificate in WAS
Export the Client Certificate in PKCS format, e.g. client.p12
Export the Server Certificate in PKCS format, e.g. server.p12
Import the Client Certificate to Default TrustStore
Import the Server Certificate to Default TrustStore
Enable SSL on WAS.
i. Make sure to select the server certificate for both the Default server certificate alias and the Default client certificate alias.
ii. In the Quality of protection (QoP) settings, choose Client Authentication as Required.
Create a Web Container Transport Chain with a new SSL port, e.g. 9444.
Add the newly created SSL port to the virtual Host.
Restart the Server.
Import the Client Certificate created in Step 4 client.p12 to the Browser.

JBoss Certificate Issue

We are using JBoss 5.1. We have deployed a web service and wish to add certificate functionality. We have created a CA and a certificate signed by that CA (we used openssl and the Java keytool to create the .keystore file). We imported both the CA and the certificate into the .keystore file and pointed the connector (in server.xml) at that .keystore:
The common name used for the CA is aname.com, while the common name for the certificate is hostname. The validity period of the certificate is almost one year, while for the CA it is a little more.
Trying to access the web service url (https://hostname:8443/path_to_webservice) with Internet Explorer we get the error that our certificate is not issued by a trusted certificate authority.
When we select to view the certificate in the browser, we get a certificate that is issued for hostname, issued by hostname, and its validity period is only 3 months. Obviously, the certificate we get in Internet Explorer is very different from the one we created.
How can I solve this issue? Is it a certificate issue or do I need to make some changes in JBoss?
While I'm not able to provide you a precise answer, I'll provide you some guiding questions that may help you solve the problem :-) Are you able to import this certificate (the PEM file, which you used to create the keystore file) in a browser? What about the fingerprint, does it look the same as the one stored in JBoss? Does this bogus certificate remind you of any previous attempt?
I'd say that this is most certainly a problem with the certificate itself, as I don't believe JBoss is able to fake your certificate :-)

New certificate on Squid reverse proxy

I need to create a new certificate on a Squid reverse proxy to replace an expired one.
Does anyone know how?
You can use OpenSSL, see especially HOWTO certificates, and note paragraph 4, Creating a self-signed test certificate.
The Squid doc OpenSSL Configuration for CA and Certificate Generation provides full details on using OpenSSL for generating a certificate and using it with Squid.