
ssl certificates and truststore: minimal howto

This post is a minimal how-to for SSL, certificates and truststores:


Tomcat HTTPS application: how to use a valid and trusted self-signed certificate for localhost

Context

As a web developer, I use Tomcat and need to run a secure (HTTPS) web application on localhost. Since recent browser updates (Google Chrome, for example), an invalid or untrusted self-signed certificate can block navigation or AJAX calls.
For example, you could get the following errors:

NET::ERR_CERT_AUTHORITY_INVALID
:: certificate validation chain is not trusted
ERR_INSECURE_RESPONSE
:: unable to trust a server answer

To work around this issue, follow these steps:
  • generate a self-signed certificate for localhost
  • tell Tomcat to use this certificate
  • add this certificate to your workstation's certificate store

Generate a self-signed certificate

$ keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcat \
  -dname "CN=localhost" -ext "SAN=dns:localhost,ip:127.0.0.1" \
  -keystore $HOME/.keystore -storepass changeit -keypass changeit -validity 360
Notes: -dname "CN=localhost" answers keytool's first question ("What is your first and last name?") without the interactive prompts. The -ext SAN is not optional: Chrome 58 and later ignore the CN and match the host name against the subjectAltName only, so a certificate without it still fails with NET::ERR_CERT_COMMON_NAME_INVALID even once it is trusted. The key password is kept equal to the store password because Tomcat uses keystorePass for both unless keyPass is set.

More documentation: Tomcat 8 SSL how-to; SSLShopper, create a self-signed certificate.

Tomcat ssl configuration

Connector example from server.xml (Tomcat 8.0 attribute style; Tomcat 8.5 and later still accept these attributes but document the nested SSLHostConfig/Certificate form instead):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit" />

Append this certificate to your workstation certificates manager

  • navigate to your Tomcat application, for example https://localhost:8443
  • (example with Google Chrome) click the padlock in the address bar, open the certificate information, then the "Details" tab
  • choose "Copy to File..." and keep the default DER-encoded X.509 format
  • right-click the file you just created and choose "Install Certificate"
  • select "Trusted Root Certification Authorities" as the target store (the current-user store is enough for a workstation; installing for the local machine needs administrator rights and affects every user)
  • you can verify the installation with Windows Start / Run / certmgr.msc, which opens the Windows certificate manager
  • restart your browser completely (for Google Chrome use Exit from the menu rather than closing the window: closing the last window may leave Chrome running in the background with the old trust state)
  • navigate to your Tomcat application again, for example https://localhost:8443: the certificate should now be trusted

Two caveats. Chrome, Edge and Internet Explorer read the Windows store, but Firefox keeps its own certificate store, so the certificate has to be imported there separately (or Firefox told to use the Windows roots via security.enterprise_roots.enabled). And you have just made a certificate whose private key sits in $HOME/.keystore under the well-known password "changeit" a trusted root of your workstation: keep that keystore private, keep the SAN limited to localhost, and remove the entry from certmgr.msc when you no longer need it.

SSL client: "PKIX path building failed" error

Java error

javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Java workarounds

  • (quick and bad way) disable all SSL checks in configuration, cf. UnsafeSSLHelper (from the javabox GitHub project). A trust-all TrustManager (usually paired with a trust-all HostnameVerifier) removes peer authentication entirely and makes the connection trivial to intercept; if you use it at all, keep it to a throwaway local debugging session and never let it reach a build that ships.
  • (right way) fix the verification chain instead: import the missing certificate (the server's self-signed certificate, or preferably the CA that issued the server certificate) into the truststore the JVM actually uses, then check that the handshake succeeds with validation still enabled.

Windows

  • Windows / list certificates:

    Start / Run / certmgr.msc
  • Google Chrome / list certificates:

    open Settings and search for "ssl" (chrome://settings/search#ssl); on Windows, Chrome shows the Windows certificate store


  • Import a certificate into a truststore file:

    Make a backup:
    copy "%JAVA_HOME%\jre\lib\security\cacerts" "%JAVA_HOME%\jre\lib\security\cacerts.orig"

    Import a certificate:
    keytool -importcert -alias MyCert -keystore "%JAVA_HOME%\jre\lib\security\cacerts" ^
         -storepass changeit -trustcacerts -file MyCert.cer

    (cf. the posts tagged "commandes" and "keytool")
    Two things to know about cacerts: the path above is the JDK 8 layout (the JDK's private JRE); a standalone JRE, and every JDK from 9 on, keeps it at %JAVA_HOME%\lib\security\cacerts. And cacerts is replaced when the JDK is updated, which silently drops everything you imported, so for an application a dedicated truststore passed with -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=... is more robust than editing cacerts.
  • Import certificates into the JDK and JRE truststores:
    create a small batch file like this one (the install paths are examples, adjust them to your machine):
    @echo off
    set "JAVA_HOME=C:\Program Files\Java\jdk1.8.0_65"
    set "JRE_HOME=C:\Program Files\Java\jre1.8.0_65"
    set "PATH=%JAVA_HOME%\bin;%PATH%"
    REM JDK 8 layout: the JDK's private JRE keeps cacerts under jre\lib\security,
    REM a standalone JRE (and any JDK from 9 on) keeps it under lib\security
    set "JDK_CACERTS=%JAVA_HOME%\jre\lib\security\cacerts"
    set "JRE_CACERTS=%JRE_HOME%\lib\security\cacerts"
    set PASSWORD=changeit
    set DIR=certsdir

    if not exist "%JDK_CACERTS%.orig" copy "%JDK_CACERTS%" "%JDK_CACERTS%.orig"
    if not exist "%JRE_CACERTS%.orig" copy "%JRE_CACERTS%" "%JRE_CACERTS%.orig"
    for %%f in (%DIR%\*.cer) do keytool -keystore "%JDK_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file "%%f"
    for %%f in (%DIR%\*.cer) do keytool -keystore "%JRE_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file "%%f"
    keytool -list -keystore "%JDK_CACERTS%" -storepass %PASSWORD% | findstr /i "trustedCertEntry"

    This script backs up both cacerts files once, then installs every .cer file under certsdir into the JDK and the JRE truststore, using each file name (without extension) as the alias, and finally lists the trusted entries so you can check the import. In the earlier version of this script JRE_CACERTS was commented out but still used, so the first loop ran keytool against an empty keystore path. -noprompt makes keytool import without asking for confirmation, so only put certificates you have checked into certsdir.
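As an added example (not code from this post or from its javabox project), the following Java program does the "right way" end to end for both the PKIX section above and the truststore import just described: it reads the chain a server presents, prints each certificate's subject, SAN and SHA-256 fingerprint so you can compare it with the certificate you actually generated, adds the top of that chain to a dedicated PKCS12 truststore file, and then makes an HTTPS request whose trust decisions come from that file only, with chain and hostname validation left on. Host, port, truststore path and password are command-line arguments; the class name TrustStoreFix and the file name dev-truststore.p12 are my own choices, not names from the post.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the blog post): fix "PKIX path building failed"
 * without disabling certificate checks.
 *
 *   java TrustStoreFix localhost 8443 dev-truststore.p12 changeit
 *
 * 1. read the chain the server presents (no trust decision is taken here),
 * 2. show subject / SAN / fingerprint so you can compare with the cert you made,
 * 3. add the top of that chain to a dedicated PKCS12 truststore,
 * 4. make an HTTPS request validated against that truststore only.
 */
public class TrustStoreFix {

    /** Records the presented chain. It accepts anything, so it is used ONLY to
     *  read the chain, never on the real request: installing a manager like
     *  this on real connections is the "bad way" from the post. */
    static final class ChainCapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured = new X509Certificate[0];
        @Override public void checkClientTrusted(X509Certificate[] c, String a) { }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) { captured = c; }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        ChainCapturingTrustManager capture = new ChainCapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return capture.captured;
    }

    static String sha256Fingerprint(X509Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    /** Adds the last certificate of the chain (the self-signed cert itself, or the
     *  highest CA the server sent) to the truststore file, creating it if needed. */
    static void importTrustAnchor(X509Certificate[] chain, Path trustStore, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (Files.exists(trustStore)) {
            try (InputStream in = Files.newInputStream(trustStore)) { ks.load(in, pw); }
        } else {
            ks.load(null, pw);
        }
        X509Certificate anchor = chain[chain.length - 1];
        ks.setCertificateEntry(anchor.getSubjectX500Principal().getName(), anchor);
        try (OutputStream out = Files.newOutputStream(trustStore)) { ks.store(out, pw); }
    }

    /** Standard PKIX validation, but against the anchors in this file only. */
    static SSLContext contextFromTrustStore(Path trustStore, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) { ks.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        Path trustStore = Paths.get(args[2]);
        char[] pw = args[3].toCharArray();

        X509Certificate[] chain = fetchServerChain(host, port);
        for (X509Certificate c : chain) {
            System.out.println("subject=" + c.getSubjectX500Principal()
                + "\n  issuer=" + c.getIssuerX500Principal()
                + "\n  SAN=" + c.getSubjectAlternativeNames()   // null means no SAN: browsers reject it
                + "\n  notAfter=" + c.getNotAfter()
                + "\n  SHA-256=" + sha256Fingerprint(c));
        }
        // Only continue if the fingerprint printed above is the certificate you expect.
        importTrustAnchor(chain, trustStore, pw);

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://" + host + ":" + port + "/").openConnection();
        conn.setSSLSocketFactory(contextFromTrustStore(trustStore, pw).getSocketFactory());
        // HttpsURLConnection keeps its default HostnameVerifier, so the SAN must match the host.
        System.out.println("HTTP " + conn.getResponseCode() + ", chain validated against " + trustStore);
    }
}
```

The same truststore file can be handed to an unmodified application with -Djavax.net.ssl.trustStore=dev-truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=PKCS12, which avoids editing the JDK's cacerts. Note that ChainCapturingTrustManager is exactly the trust-all code the "bad way" leaves behind; here it only reads the chain, and the real request goes through contextFromTrustStore, so a certificate that is not in the file still fails with the PKIX error.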
