rss

ssl certificates and truststore: minimal howto

This post is a kind of minimal 'how to' for SSL, certificates and truststore :


Tomcat HTTPS application : how to use a valid and trusted self-signed certificate for localhost

Context

As WebDevelopper, I use Tomcat and I need to work with localhost with a secure web application. The issue with the latest browser update (ex. ggchrome) is that an invalid or untrusted self signed certificate could block the navigation or AJAX exchanges.
For example, you could get the folloowing error :

NET::ERR_CERT_AUTHORITY_INVALID
:: certificate validation chain is not trusted
ERR_INSECURE_RESPONSE
:: unable to trust a server answer

to workaround this issue, you could follow these steps:
  • generate a self-signed certificate for localhost
  • tell to tomcat to use this certificate
  • append this certificate to your workstation certificates manager

Generate a self signed certificate

$ keytool -genkey -keyalg RSA -alias tomcat \
  -keystore $HOME/.keystore -storepass changeit -validity 360 -keysize 2048
Warning: answer "localhost" to the first question

more documentation: tomcat8 ssl howto - sslshopper create self signed cert

Tomcat ssl configuration

Connector's attributes example from server.xml:
SSLEnabled="true" clientAuth="false" keystoreFile="${user.home}/.keystore" keystorePass="changeit" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"

Append this certificate to your workstation certificates manager

  • navigate to your tomcat application ; example : https://localhost:8443
  • (example using google chrome), right click on address bar lock / click on "certificate informations (...)" link / "details" tab
  • Choose "copy certificate into file" - keep default format X509 DER.
  • right click on the just created file to "Install certificate"
  • Select the following target : "Trusted root certification authorities"("Autorités de certification racines de confiance")
  • You could verify the certificate installation : Windows Start / Execute / certmgr.msc ; this will open Windows certificates manager
  • Restart your browser (use CTRL + ALT + Q for Google Chrome instead of closing the window).
  • navigate to your tomcat application ; example : https://localhost:8443 : your certificate should be trusted now

SSL Client : "PKIX path building failed" error

Java error

javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Java workarounds

  • (bad and quick way) Disable all ssl check by configuration cf. UnsafeSSLHelper (from javabox github project)
  • (right way) Update the ssl verification chain. For example by importing new valid certificate(s) to your truststore.

Windows

  • Windows / List certificates:

    Start / Execute / certmgr.msc
  • Google Chrome / List certificates:

    go to Parameters, the search "ssl" (chrome://settings/search#ssl)


  • Import a certificate in a truststore file:

    Make a backup :
    cp %JAVA_HOME%/jre/lib/security/cacerts %JAVA_HOME%/jre/lib/security/cacerts.orig 
    
    Import a certificate :
    keytool -import -alias MyCert -keystore %JAVA_HOME%/jre/lib/security/cacerts \
         -trustcacerts -file MyCert.cer
    
    (cf. commandes+keytool ...)
  • Implort a certificate in JDK truststore:
    create a little batch like this one :
    set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_65
    set PATH=%JAVA_HOME%\bin;%PATH%
    REM set JRE_CACERTS=%JAVA_HOME%\lib\security\cacerts
    set JDK_CACERTS=%JAVA_HOME%\jre\lib\security\cacerts
    set PASSWORD=changeit
    set DIR=certsdir
    
    for %%f in (%DIR%\*.cer) do keytool -keystore "%JRE_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file %%f
    for %%f in (%DIR%\*.cer) do keytool -keystore "%JDK_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file %%f
    

    This script install all certificates under certsdir to the JDK (or JRE).

Aucun commentaire:

Enregistrer un commentaire

Mots clés du blog

acceptancetest androï Android androïd Android7 api appender appengine application applications archive array assistantematernelle astuce auth0 authentication authority automation Axis bash bearer blog bower build bundle c calendrier camille combal cdi certificate cf client cloudfoundry collaboratif command commandes connexion console css démasquées démasquer développement dll dump easter eggs écologie écrit employeur EMUI EMUI5.0 enfant évènement export-package ExtJS fiche find firefox gadget gelf gem git gmail gooelappengine google gparted gps graylog grenoble Grid gui harddrive heroku hover howto HTML http https IE ihm immobilier imprimante innovation insolite instance integration Java JavaScript jenkins jeu jobs json json-schema-validator key keystore labs linux livre log log4j logger logs lombok masquées masquer maven maven-gae-plugin Mémoire microsoft mobile mockito mondialisation monitor MUSE musique en ligne myopera nodejs npm NT NTEventLogger onglet openstack osgi paas package parameters parent php politique prosyst prototype proxies proxy quartz radio rappel recherche regex repository resize RIA rock route ruby rubygems s8500 samsung scheduler scm sel selenium Serializer server shared shell slf4j smartphone so société song spy ssh ssl struct swagger swig tâches téléphone téléréalité test thunderbird timeout token Tomcat tooltip tooltips truststore ubuntu unit test validator virgin virtualbox wave waze web WebApp wiki wikimedia wikipédia wikipen windows yahoo youtube yum