
Problem when enabling SSL in a production environment


Hello,

I have a customer who wants to use their own root and wildcard
certificate for the User Application server. Until now they have been
using a self-signed certificate with no problems. I've followed this
guide: http://tinyurl.com/nkh2q53 - and creating the keystore, importing
the root and wildcard certificate runs smoothly, and even running
"keytool -list -v -alias idm -keystore idm.keystore" to check whether
the keystore is as it should be shows this output:


Code:
--------------------

Alias name: ltk
Creation date: May 27, 2013
Entry type: trustedCertEntry

Owner: CN=*.ltk.dk, O=*.ltk.dk, OU=Domain Control Validated, C=DK
Issuer: CN=GlobalSign Domain Validation CA, O=GlobalSign nv-sa, OU=Domain Validation CA, C=BE
Serial number: 100000000012baa28c1d0
Valid from: Thu Oct 14 11:30:38 CEST 2010 until: Wed Oct 14 11:30:34 CEST 2015
Certificate fingerprints:
MD5: CB:19:C2:A4:D4:09:D8:25:E2:77:18:0A:86:B9:FA:DB
SHA1: B2:1B:5B:C6:CE:F8:5C:15:CA:4B:E6:C4:30:C0:3D:0C:8E:C0:25:8B
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 15 66 70 34 EB 25 8C 96 63 DA F7 76 C1 F8 85 A6 .fp4.%..c..v....
0010: 84 76 12 2D .v.-
]
]

#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://secure.globalsign.net/cacert/dvhe1.crt]
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.globalsign.net/DomainVal1.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.4146.1.10]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 25 68 74 74 70 3A 2F 2F 77 77 77 2E 67 6C 6F .%http://www.glo
0010: 62 61 6C 73 69 67 6E 2E 6E 65 74 2F 72 65 70 6F balsign.net/repo
0020: 73 69 74 6F 72 79 2F sitory/

]] ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
1.3.6.1.4.1.311.10.3.3
]

#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

#8: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
]

#9: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 36 12 4E 9E 71 C4 26 41 F1 FA F1 29 4C BF 17 A4 6.N.q.&A...)L...
0010: 53 28 B6 EB S(..
]

]

#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.ltk.dk
DNSName: ltk.dk
]

--------------------


It seems to me that it is as it should be. After rebooting the JBoss
server and going to the website, https://ip:8543/IDM, the certificate is
not trusted, as seen here: http://postimg.org/image/xtqz5varz/full/

It should not say ltk in issued to and issued by, it should say
something like issued to: GlobalSign Domain Validation CA and Issued by:
GlobalSign Root CA. The "ltk" is from the information I typed in when I
created the keystore.

Anyone know what's wrong?


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47832


Re: Problem when enabling SSL in a production environment


jacmarpet;229825 Wrote:
> Hello,
>
> I have a customer who wants to use their own root and wildcard
> certificate for the User Application server. Until now they have been
> using a self-signed certificate with no problems. I've followed this
> guide: http://tinyurl.com/nkh2q53 - and creating the keystore, importing
> the root and wildcard certificate runs smoothly, and even running
> "keytool -list -v -alias idm -keystore idm.keystore" to check whether
> the keystore is as it should be shows this output:
>
>
> It seems to me that it is as it should be. After rebooting the JBoss
> server and going to the website, https://ip:8543/IDM, the certificate is
> not trusted, as seen here: http://postimg.org/image/xtqz5varz/full/
>
> It should not say ltk in issued to and issued by, it should say
> something like issued to: GlobalSign Domain Validation CA and Issued by:
> GlobalSign Root CA. The "ltk" is from the information I typed in when I
> created the keystore.
>
> Anyone know what's wrong?


itq = ltk - one is production and one is test, i did not mix them up,
just to clarify 🙂


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47832


Re: Problem when enabling SSL in a production environment


I've tried a couple of different things now; it still doesn't work, though.
Here is some more information:

I have got the root certificate and the "real" certificate, which is a
wildcard certificate. Now according to this guide:
http://tinyurl.com/nkh2q53 - I do the following:

I create the keystore: /opt/novell/idm/jre/bin/keytool -genkey -alias
keystore1 -keyalg RSA -keystore keystore1.keystore -validity 3650

Now I am not sure what to type in as first name & last name (CN), O, OU and
C. Both the root and wildcard certificates only have CN, O, OU and C; they
don't have L and ST, which it asks for. If I leave them blank, it will
say unknown in them. I have looked at the root and wildcard
certificates, and tried to make a keystore with the information from both
of them (two different keystores).

Then I import the root certificate into the keystore:
/opt/novell/idm/jre/bin/keytool -import -trustcacerts -alias root
-keystore keystore1.keystore -file root.cer

Then I import the wildcard certificate: /opt/novell/idm/jre/bin/keytool
-import -alias wildcardcert -keystore keystore1.keystore -file
wildcardcert.cer

I then check that the certificates have been correctly added to the
keystore:

/opt/novell/idm/jre/bin/keytool -list -v -alias root -keystore
keystore1.keystore
/opt/novell/idm/jre/bin/keytool -list -v -alias wildcardcert -keystore
keystore1.keystore

They seem alright.

Then I edit the server.xml to use the new keystore, and also edit the
password to match the keystore password.

Reboot JBoss.

When I go to the UA website, with https and port 8543, it does not trust
the certificate, even though I have installed both the root and wildcard
certificate on my computer. If I look at the certificate the website
tries to give to me, the SHA1 fingerprint matches neither the
fingerprint on the root nor the one on the wildcard certificate. Also, if I look at
the root certificate (when this is currently the one whose information I
have mirrored in the keystore information), it says issued by: GlobalSign
Root CA and issued to: GlobalSign Domain Validation CA. But the one the
website shows me says: issued by: GlobalSign Domain Validation CA and
issued to: GlobalSign Domain Validation CA. So the issued by is not
right. If I set the keystore to use the information from the wildcard
certificate, it does the same (it shows this in the website certificate:
issued by: GlobalSign Domain Validation CA and issued to: GlobalSign
Domain Validation CA, but the real certificate is: issued by: GlobalSign
Domain Validation CA and issued to: *.companyname.dk). And also then the
fingerprints do not match. The fingerprint in the certificate which the
website gives me matches nothing whatsoever.

It is as if the certificate the website tries to give me, is based on
the keystore information, and not the certificates inside the keystore.
What am I doing wrong?

Jacob.


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47832


Re: Problem when enabling SSL in a production environment

On Mon, 27 May 2013 11:34:05 +0000, jacmarpet wrote:

> I have a customer who wants to use their own root and wildcard
> certificate for the User Application server.


I'm using an externally signed wildcard cert here with the UA. I'll dig
out my notes from configuring it.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.


Re: Problem when enabling SSL in a production environment


Thank you very much!


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47832


Re: Problem when enabling SSL in a production environment


Are the notes close by? 🙂


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47832


Re: Problem when enabling SSL in a production environment


No worries, I figured it out! I imported the customer's pkcs12 keystore
into a new empty .jks keystore. That did the trick.


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=47832
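The following script is an added example, not code from the thread or from NetIQ. It reproduces, against a throwaway root CA and wildcard certificate generated on the spot, both the procedure from the step-by-step post above (keytool -genkey followed by two -import runs) and the fix from the last post (importing a PKCS#12 into an empty keystore), and then reads keytool -list -v the way the poster did. It assumes openssl and a JDK keytool on PATH; the domain example.test, the alias "idm", the file names under $WORK and the password "changeit" are placeholders rather than the customer's values.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the symptom (a freshly minted
# self-signed key pair is served instead of the CA-issued wildcard cert) and the
# fix (import the PKCS#12 into an empty keystore), then verify with keytool -list.
# Assumptions: openssl + keytool on PATH; example.test, alias "idm" and the
# password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"   # assumed keystore/key password

have_tools() {
  command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1
}

# Constructed PKI standing in for the customer's root and wildcard certificate:
# a throwaway root CA and a leaf for *.example.test signed by it.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test Root CA/O=Example" \
    -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=*.example.test/O=Example" \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.test,DNS:example.test\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/wildcard.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/wildcard.cer" 2>/dev/null
}

# The procedure from the step-by-step post. -genkeypair mints a NEW self-signed
# key pair under "keystore1"; the CA-issued cert imported under another alias
# becomes a trustedCertEntry with no private key, so the only entry the
# connector can serve is the self-signed one. Its Owner and Issuer are both the
# DN typed in here, which is the "ltk"/"unknown" the browser showed.
wrong_way() {
  rm -f "$WORK/wrong.jks"
  keytool -genkeypair -alias keystore1 -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=*.example.test, O=Example" \
    -keystore "$WORK/wrong.jks" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
  keytool -importcert -noprompt -trustcacerts -alias root -file "$WORK/root.cer" \
    -keystore "$WORK/wrong.jks" -storepass "$PASS" >/dev/null 2>&1
  keytool -importcert -noprompt -alias wildcardcert -file "$WORK/wildcard.cer" \
    -keystore "$WORK/wrong.jks" -storepass "$PASS" >/dev/null 2>&1
}

# The fix from the last post: private key, leaf and chain travel together in a
# PKCS#12 and land as ONE PrivateKeyEntry in a fresh JKS. The PBE flags keep
# the PKCS#12 readable by older keytool versions.
right_way() {
  rm -f "$WORK/right.jks"
  openssl pkcs12 -export -inkey "$WORK/wildcard.key" -in "$WORK/wildcard.cer" \
    -certfile "$WORK/root.cer" -name idm -out "$WORK/wildcard.p12" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -passout "pass:$PASS"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/wildcard.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -srcalias idm -destalias idm -destkeypass "$PASS" \
    -destkeystore "$WORK/right.jks" -deststoretype JKS -deststorepass "$PASS" >/dev/null 2>&1
}

# Helpers that read keytool -list -v, the output the poster was looking at.
list_entry()   { keytool -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null; }
entry_type()   { list_entry "$1" "$2" | sed -n 's/^Entry type: //p'; }
chain_length() { list_entry "$1" "$2" | sed -n 's/^Certificate chain length: //p'; }
leaf_sha1()    { list_entry "$1" "$2" | sed -n 's/^[[:space:]]*SHA1: //p' | head -n 1; }
file_sha1()    { openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'; }

# One line per alias, directly comparable with the browser's certificate viewer.
summarize() {
  printf '%s/%s: %s chain=%s sha1=%s\n' "$(basename "$1")" "$2" \
    "$(entry_type "$1" "$2")" "$(chain_length "$1" "$2")" "$(leaf_sha1 "$1" "$2")"
}

if [ "${1:-}" = "run" ]; then
  have_tools || { echo "need openssl and keytool on PATH" >&2; exit 1; }
  make_pki; wrong_way; right_way
  echo "wildcard.cer sha1=$(file_sha1 "$WORK/wildcard.cer")"
  summarize "$WORK/wrong.jks" keystore1      # PrivateKeyEntry, self-signed: what JBoss serves
  summarize "$WORK/wrong.jks" wildcardcert   # trustedCertEntry: never served
  summarize "$WORK/right.jks" idm            # PrivateKeyEntry, chain=2, sha1 matches the file
fi
```

Run it as `sh keystore-demo.sh run`. The telling difference is the entry type: a server connector can only present a PrivateKeyEntry, and in the "wrong" keystore the only PrivateKeyEntry is the self-signed pair that -genkey created, so the SHA1 the browser shows matches neither certificate file. In the "right" keystore the idm entry carries the leaf plus the root in its chain and its SHA1 equals `openssl x509 -fingerprint -sha1` of the wildcard file. Two practical caveats: on JDK 9 and later, -genkeypair creates a PKCS12-format store regardless of the .jks file name, and if a keystore holds more than one private key entry the JBoss Web/Tomcat connector should name the one to serve with `keyAlias` next to `keystoreFile` and `keystorePass` in server.xml. To compare against what the running server actually presents, `openssl s_client -connect host:8543 -servername host </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1` prints the served leaf's SHA1 in the same format as keytool.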


Re: Problem when enabling SSL in a production environment

On Wed, 29 May 2013 12:54:02 +0000, jacmarpet wrote:

> No worries, I figured it out!


Oh, ok. Thanks for the followup.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
