rss

ssl certificates and truststore: minimal howto

This post is a kind of minimal 'how to' for SSL, certificates and truststore :


Tomcat HTTPS application : how to use a valid and trusted self-signed certificate for localhost

Context

As WebDevelopper, I use Tomcat and I need to work with localhost with a secure web application. The issue with the latest browser update (ex. ggchrome) is that an invalid or untrusted self signed certificate could block the navigation or AJAX exchanges.
For example, you could get the folloowing error :

NET::ERR_CERT_AUTHORITY_INVALID
:: certificate validation chain is not trusted
ERR_INSECURE_RESPONSE
:: unable to trust a server answer

to workaround this issue, you could follow these steps:
  • generate a self-signed certificate for localhost
  • tell to tomcat to use this certificate
  • append this certificate to your workstation certificates manager

Generate a self signed certificate

$ keytool -genkey -keyalg RSA -alias tomcat \
  -keystore $HOME/.keystore -storepass changeit -validity 360 -keysize 2048
Warning: answer "localhost" to the first question

more documentation: tomcat8 ssl howto - sslshopper create self signed cert

Tomcat ssl configuration

Connector's attributes example from server.xml:
SSLEnabled="true" clientAuth="false" keystoreFile="${user.home}/.keystore" keystorePass="changeit" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"

Append this certificate to your workstation certificates manager

  • navigate to your tomcat application ; example : https://localhost:8443
  • (example using google chrome), right click on address bar lock / click on "certificate informations (...)" link / "details" tab
  • Choose "copy certificate into file" - keep default format X509 DER.
  • right click on the just created file to "Install certificate"
  • Select the following target : "Trusted root certification authorities"("Autorités de certification racines de confiance")
  • You could verify the certificate installation : Windows Start / Execute / certmgr.msc ; this will open Windows certificates manager
  • Restart your browser (use CTRL + ALT + Q for Google Chrome instead of closing the window).
  • navigate to your tomcat application ; example : https://localhost:8443 : your certificate should be trusted now

SSL Client : "PKIX path building failed" error

Java error

javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Java workarounds

  • (bad and quick way) Disable all ssl check by configuration cf. UnsafeSSLHelper (from javabox github project)
  • (right way) Update the ssl verification chain. For example by importing new valid certificate(s) to your truststore.

Windows

  • Windows / List certificates:

    Start / Execute / certmgr.msc
  • Google Chrome / List certificates:

    go to Parameters, the search "ssl" (chrome://settings/search#ssl)


  • Import a certificate in a truststore file:

    Make a backup :
    cp %JAVA_HOME%/jre/lib/security/cacerts %JAVA_HOME%/jre/lib/security/cacerts.orig 
    
    Import a certificate :
    keytool -import -alias MyCert -keystore %JAVA_HOME%/jre/lib/security/cacerts \
         -trustcacerts -file MyCert.cer
    
    (cf. commandes+keytool ...)
  • Implort a certificate in JDK truststore:
    create a little batch like this one :
    set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_65
    set PATH=%JAVA_HOME%\bin;%PATH%
    REM set JRE_CACERTS=%JAVA_HOME%\lib\security\cacerts
    set JDK_CACERTS=%JAVA_HOME%\jre\lib\security\cacerts
    set PASSWORD=changeit
    set DIR=certsdir
    
    for %%f in (%DIR%\*.cer) do keytool -keystore "%JRE_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file %%f
    for %%f in (%DIR%\*.cer) do keytool -keystore "%JDK_CACERTS%" -storepass %PASSWORD% -noprompt -importcert -alias "%%~nf" -file %%f
    

    This script install all certificates under certsdir to the JDK (or JRE).

Aucun commentaire:

Enregistrer un commentaire