
Apache/PHP/Symfony is being used in my middle layer for authentication and routing. A request comes in over HTTP; if the request authenticates and the person making the request is authorized, the middle layer then makes a call to a backend web service over HTTPS. The backend web service uses a self-signed certificate. I can hit the backend service directly and see my certificate information via the Chrome inspector. When I make the request directly to the backend via the URL, everything works. When I try to go through the middle layer, I get a 504 response back:

{"code":504,"message":"A network communication error has occurred","error":{"code":77,"message":"SSL: can\u0027t load CA certificate file \/etc\/pki\/tls\/certs\/ca-bundle.crt"}}

I generated the certificate to:

/usr/local/jboss-eap-6.4/standalone/configuration/.keystore

Using the command:

keytool -genkey -keyalg RSA -alias jboss -keystore .keystore -storepass changeit -validity 9999 -keysize 2048

I also updated my standalone.xml to reference the file via:

<ssl name="ssl" key-alias="jboss" password="changeit" certificate-key-file="/usr/local/jboss-eap-6.4/standalone/configuration/.keystore" protocol="TLSv1" verify-client="false"/>

My dev machine is OSX.

It seems that Apache or Symfony is looking for the cert in /etc/pki/tls/certs/ca-bundle.crt, which is a file that doesn't exist on my system. Searching for "pki" in /etc/apache2/httpd.conf yields no results.

How do I set up Apache/Symfony2 to trust this cert, or is there a different way to trust this cert more globally?

James Oravec

1 Answer

Create the CA Cert Bundle File

The system is looking for /etc/pki/tls/certs/ca-bundle.crt, which is a standard path on Linux but not on OS X. We get around this by generating the file.

I generated the .keystore file using keytool and used jboss for my alias. In order to build the CA bundle file, we need the certificate in PEM format, so we need to add -rfc to our export statement. Below are the commands:

cd /usr/local/jboss-eap-6.4/standalone/configuration
keytool -export -alias jboss -file local-sbx.dev.yourcompany.com.crt -keystore .keystore -rfc

After you have the file, you can cat it out and verify that it contains the BEGIN CERTIFICATE and END CERTIFICATE lines. If so, it's in the right format.

Lastly, create the directory structure, copy the cert into place to act as the bundle (which is just a bunch of certs appended to each other), and then restart Apache:

mkdir -p /etc/pki/tls/certs/
sudo cp local-sbx.dev.yourcompany.com.crt /etc/pki/tls/certs/ca-bundle.crt
sudo apachectl restart

Note: This was a sub-problem of "SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt", so if you are still having issues, you might need to update your PHP setup too... directions are in the link provided.

James Oravec
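The error in the question comes from libcurl (error 77 is CURLE_SSL_CACERT_BADFILE), which PHP uses for outbound HTTPS. As an added example, not code from the original post, this is how the middle layer can make the verified call once the exported PEM sits at the bundle path, instead of disabling peer verification to make the error go away. The backend URL is a placeholder; the bundle path is the one from the error message.

```php
<?php
// Added example (not from the original post). Calls the backend over HTTPS,
// trusting only the self-signed certificate that was exported with
// "keytool -export ... -rfc" and copied to the bundle path.

const BACKEND_URL = 'https://local-sbx.dev.yourcompany.com/api/ping'; // placeholder URL
const CA_BUNDLE   = '/etc/pki/tls/certs/ca-bundle.crt';               // path from the error

/**
 * Perform a verified HTTPS GET. Returns [statusCode, body] on success and
 * throws on failure with the libcurl error number as the exception code
 * (77 = CURLE_SSL_CACERT_BADFILE, the code inside the question's 504 body).
 */
function backendGet(string $url, string $caBundle): array
{
    // Fail early with a readable message rather than letting curl report 77.
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CAINFO         => $caBundle, // the exported PEM is the trust anchor
        CURLOPT_SSL_VERIFYPEER => true,      // keep verification on; do not "fix" 77 with false
        CURLOPT_SSL_VERIFYHOST => 2,         // hostname must match the cert's CN/SAN
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("curl error $errno: $error", $errno);
    }

    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body];
}

try {
    [$status, $body] = backendGet(BACKEND_URL, CA_BUNDLE);
    echo "HTTP $status\n$body\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

Hostname verification requires the CN or SAN of the keytool-generated certificate to match the host the middle layer connects to; if it does not, regenerate the certificate with the right name rather than lowering CURLOPT_SSL_VERIFYHOST.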