This post is a minimal how-to for SSL, certificates and truststores:
- Tomcat HTTPS application : how to use a valid and trusted self-signed certificate for localhost
- SSL Client : "PKIX path building failed" error
Tomcat HTTPS application : how to use a valid and trusted self-signed certificate for localhost
Context
As a web developer, I use Tomcat and need to work on localhost with a secure (HTTPS) web application. The problem is that recent browser updates (for example Google Chrome) block navigation or AJAX exchanges when the self-signed certificate is invalid or untrusted. For example, you could get the following errors:
NET::ERR_CERT_AUTHORITY_INVALID :: the certificate validation chain is not trusted
ERR_INSECURE_RESPONSE :: unable to trust a server answer
To work around this issue, follow these steps:
- generate a self-signed certificate for localhost
- tell Tomcat to use this certificate
- add this certificate to your workstation's certificate manager
Generate a self-signed certificate
$ keytool -genkey -keyalg RSA -alias tomcat \
    -keystore $HOME/.keystore -storepass changeit -validity 360 -keysize 2048
Warning: answer "localhost" to the first question (it becomes the certificate's CN).
More documentation: Tomcat 8 SSL HOW-TO; SSLShopper: create a self-signed certificate.
Tomcat ssl configuration
Example Connector attributes from server.xml:
SSLEnabled="true" clientAuth="false"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
maxThreads="150" port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" secure="true" sslProtocol="TLS"
Add this certificate to your workstation's certificate manager
- navigate to your Tomcat application, for example https://localhost:8443
- (example using Google Chrome) right-click the lock in the address bar / click the "Certificate information (...)" link / "Details" tab
- choose "copy certificate into file"; keep the default format, X.509 DER
- right-click the file you just created and choose "Install certificate"
- select the following target store: "Trusted Root Certification Authorities" ("Autorités de certification racines de confiance")
- you can verify the certificate installation: Windows Start / Run / certmgr.msc; this opens the Windows certificate manager
- restart your browser (use CTRL + ALT + Q for Google Chrome instead of closing the window)
- navigate to your Tomcat application again, for example https://localhost:8443: your certificate should be trusted now
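As an added example (not code from the original post), here is the scriptable equivalent of the export step above: a small Java program that reads the certificate created by the keytool command out of $HOME/.keystore, writes it as a DER .cer file ready to be installed via certmgr.msc, and checks that it really names localhost. It also reports whether the certificate carries a subjectAltName dNSName, because Chrome (since version 58) matches the host name against the SAN only and ignores the CN; keytool does not add a SAN unless you pass -ext san=dns:localhost. The keystore path, the alias tomcat and the password changeit are taken from the keytool command; the output file name localhost.cer is an assumption.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Exports the Tomcat certificate from a keystore as a DER .cer file and checks that it names localhost. */
public class ExportLocalhostCert {

    // Assumed defaults, matching the keytool command of this post: $HOME/.keystore, alias "tomcat", "changeit".
    static final Path KEYSTORE = Paths.get(System.getProperty("user.home"), ".keystore");
    static final String ALIAS = "tomcat";
    static final char[] PASSWORD = "changeit".toCharArray();

    /** Loads the keystore and returns the X.509 certificate stored under the given alias. */
    public static X509Certificate loadCert(Path keystore, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("no X.509 certificate under alias " + alias);
        }
        return (X509Certificate) cert;
    }

    /** DNS names listed in the subjectAltName extension (GeneralName type 2 = dNSName); empty if absent. */
    public static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) {
                    names.add(String.valueOf(san.get(1)));
                }
            }
        }
        return names;
    }

    /** Writes the certificate in binary DER, the "X.509 DER" format the Chrome export wizard produces. */
    public static void exportDer(X509Certificate cert, Path out) throws Exception {
        Files.write(out, cert.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadCert(KEYSTORE, PASSWORD, ALIAS);
        cert.checkValidity(); // throws if the certificate is expired or not yet valid (-validity 360 above)
        List<String> dns = dnsNames(cert);
        Path out = Paths.get("localhost.cer"); // assumed output name
        exportDer(cert, out);
        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Valid   : " + cert.getNotBefore() + " -> " + cert.getNotAfter());
        System.out.println("SAN DNS : " + dns);
        System.out.println("Written : " + out.toAbsolutePath());
        if (!dns.contains("localhost")) {
            // Chrome >= 58 ignores the CN: without a SAN the browser still reports
            // NET::ERR_CERT_COMMON_NAME_INVALID even after the certificate has been trusted.
            System.out.println("WARNING: no SAN dNSName=localhost; regenerate with keytool ... -ext san=dns:localhost");
        }
    }
}
```

Run it with the same JDK that Tomcat uses (java ExportLocalhostCert); the resulting localhost.cer is what you install under "Trusted Root Certification Authorities" instead of going through the browser's export wizard.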
SSL Client : "PKIX path building failed" error
Java error
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Java workarounds
- (bad and quick way) disable all SSL checks by configuration; the client then accepts any certificate, including a man-in-the-middle's.
cf. UnsafeSSLHelper (from the javabox GitHub project)
- (right way) update the SSL verification chain, for example by importing the new valid certificate(s) into your truststore.
Windows
- Windows / list certificates:
Start / Run / certmgr.msc
- Google Chrome / list certificates:
go to Settings, then search for "ssl" (chrome://settings/search#ssl)
- Import a certificate into a truststore file:
Make a backup:
cp %JAVA_HOME%/jre/lib/security/cacerts %JAVA_HOME%/jre/lib/security/cacerts.orig
Import a certificate:
keytool -import -alias MyCert -keystore %JAVA_HOME%/jre/lib/security/cacerts \
    -trustcacerts -file MyCert.cer
(cf. keytool commands ...)
- Import certificates into the JDK truststore:
create a small batch file like this one:
set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_65
set PATH=%JAVA_HOME%\bin;%PATH%
REM uncomment the next line to also fill the JRE's own truststore
REM set JRE_CACERTS=%JAVA_HOME%\lib\security\cacerts
set JDK_CACERTS=%JAVA_HOME%\jre\lib\security\cacerts
set PASSWORD=changeit
set DIR=certsdir
REM the JRE loop only runs when JRE_CACERTS is set, otherwise keytool would get an empty -keystore path
if defined JRE_CACERTS for %%f in (%DIR%\*.cer) do keytool -keystore "%JRE_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file %%f
for %%f in (%DIR%\*.cer) do keytool -keystore "%JDK_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file %%f
This script installs all certificates under certsdir into the JDK (or JRE) truststore.
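To check the "right way" without a network round trip, here is an added example (not code from the post or from the javabox project): a Java diagnostic that validates an exported .cer file against a truststore with the same X509TrustManager the HTTPS handshake uses, so it reproduces the "PKIX path building failed" message before the import and reports "trusted" after it. It also shows the replacement for UnsafeSSLHelper: an SSLContext bound to an explicit truststore instead of disabling verification. The command-line arguments (truststore path, password, certificate file, optional https URL) are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Checks a server certificate against a truststore with the validator the JSSE client handshake uses. */
public class TrustCheck {

    /** Loads a JKS/PKCS12 truststore such as %JAVA_HOME%/jre/lib/security/cacerts (default password "changeit"). */
    public static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ts.load(in, password);
        }
        return ts;
    }

    /** Builds the X509TrustManager that validates chains against the given truststore only. */
    public static X509TrustManager trustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Reads one or more DER/PEM certificates (leaf first) from a .cer file. */
    public static X509Certificate[] readChain(Path cerFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(cerFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /**
     * Returns null when the chain is trusted, otherwise the validator's message, e.g.
     * "PKIX path building failed: ... unable to find valid certification path to requested target".
     */
    public static String whyUntrusted(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        try {
            // Same check an HTTPS client performs on the server chain; "RSA" matches keytool's -keyalg RSA.
            trustManager(trustStore).checkServerTrusted(chain, "RSA");
            return null;
        } catch (CertificateException e) {
            return e.getMessage();
        }
    }

    /** The "right way": an SSLContext bound to an explicit truststore instead of a trust-all manager. */
    public static SSLContext contextFor(KeyStore trustStore) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManager(trustStore) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: truststore path, truststore password, certificate file exported from the server.
        Path trustStorePath = Paths.get(args[0]);
        KeyStore ts = loadTrustStore(trustStorePath, args[1].toCharArray());
        X509Certificate[] chain = readChain(Paths.get(args[2]));
        String problem = whyUntrusted(ts, chain);
        System.out.println(problem == null ? "trusted by " + trustStorePath : "NOT trusted: " + problem);
        if (problem == null && args.length > 3) {
            // Assumed optional fourth argument: an https URL fetched with this truststore only.
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[3]).openConnection();
            conn.setSSLSocketFactory(contextFor(ts).getSocketFactory());
            System.out.println(args[3] + " -> HTTP " + conn.getResponseCode());
        }
    }
}
```

Example invocation: java TrustCheck "%JAVA_HOME%\jre\lib\security\cacerts" changeit localhost.cer https://localhost:8443. Run it once against cacerts.orig and once against the updated cacerts to see the message change. A self-signed certificate validates as soon as it is itself a trusted entry, because the PKIX validator accepts a chain whose first certificate is a trust anchor; that is exactly why importing it with keytool -importcert fixes the error without touching the client code.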