
We want a new WebService to connect via HTTPS, and we want to set the server certificate for doing so. I’m trying to explain the steps I’ve been doing till now, with detail:

  1. We created our server certificate, with this command:

    keytool -storepass * -keystore .my_keystore -keypass * -genkey -alias ALIAS -dname "CN=[FQDN here], OU=ID, O=*, L=*, ST=*, C=*" -keyalg RSA -keysize 2048 -validity 3000
    
  2. We generated a signing request for the certificate

    keytool -storepass * -keystore .my_keystore -certreq -alias ALIAS -file ALIAS.csr
    
  3. We sent the CSR to our company (which has its own CA), and got the signed certificate.

  4. We validated the certificate:

    openssl verify -CAfile CA_certificate.pem ALIAS_SIGNED.pem
    

    ALIAS_SIGNED.pem: OK

  5. We’ve imported this signed certificate on our keystore.

    keytool -importcert -keystore .my_keystore -alias ALIAS_SIGNED -file ALIAS_SIGNED.pem -storepass *
    
  6. We're trying to connect from another machine with the company’s CA certificate installed on Java’s cacerts file:

    $ openssl s_client -connect [IP]:[port]
    CONNECTED(00000003)
    depth=0 /C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
    verify return:1
    Certificate chain
     0 s:/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
       i:/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
    Server certificate
    -----BEGIN CERTIFICATE-----
    ABcDefGHI...z
    -----END CERTIFICATE-----
    subject=/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
    issuer=/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
    No client certificate CA names sent
    SSL handshake has read 1610 bytes and written 279 bytes
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : EDH-RSA-DES-CBC3-SHA
        Session-ID: 5790...EAB54
        Session-ID-ctx: 
        Master-Key: D07...3E13
        Key-Arg   : None
        Start Time: 1369086263
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    closed
    

But that error is all I get. I’ve tried to install all possible certificates (CA, signed and without signing) in any possible keystore, but the openssl client doesn’t validate it.

Can you provide any hint, please?

Sorry if there is any inconsistency in here (such as mixing keytool and openssl): we are rookies at this, and after many days of struggling, haven’t reached any working solution.

surajs1n
Jose
  • *"We sent the CSR to our company (which has its own CA), and got the signed certificate...."* - your company should have rejected the CSR or fixed the resulting certificate. Do ***not*** place host names in the *Common Name (CN)*; place them in the *Subject Alternate Name (SAN)*. Also see [How do you sign Certificate Signing Request with your Certification Authority?](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) Your `s_client` problem is a different problem; use `-CAfile` to fix it. – jww Jul 21 '16 at 10:24
  • First of all, thanks. Regarding this, in the returned signed certificate, the info about the issuer and the subject is OK:`Owner: CN=[FQDN here], O=[CA ROOT HERE] Issuer: O=[CA ROOT HERE]` and the CAfile is asking for a private key, which I don't see where i generated it. – Jose Jul 21 '16 at 11:21
  • This is the result of updating the s_client instruction with the info about the CA: The same error: `$ openssl s_client -connect [HOST]:[PORT] -CAfile ca_exported.pem` ... `depth=0 C = *, ST = *, L = *, O = *, OU = ID, CN = [FQDN here] verify error:num=18:self signed certificate verify return:1 Certificate chain 0 s:/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here] i:/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]`... `Verify return code: 18 (self signed certificate)` – Jose Jul 21 '16 at 11:29
  • May the problem be in the way the server certificate was created? – Jose Jul 21 '16 at 11:37
  • We can't tell where the problem is. There's not enough information because information like host names, subjects and issuers have been removed. And you have not provided any code. There's not much we can do for you. About all we can do is close the question. – jww Jul 21 '16 at 12:00
  • If the certificate is signed by a CA then "verify" should not say "self signed certificate". And if you want to have a self signed certificate there is no need of getting it signed by a CA. For creating a self signed certificate you can see this post https://nvcv22blog.wordpress.com/2016/06/15/creating-self-signed-certificates-openssl-keytool . – Neha Vari Aug 12 '16 at 10:56
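As an added diagnostic that is not part of the question or any answer: a small Python check that reads an `s_client` transcript like the one above and reports whether the leaf certificate is self-signed, which is exactly what an identical subject and issuer at depth 0 means. The transcripts, the `Example Corp` names and the `diagnose`/`parse_chain` helpers are constructed for this example.

```python
import re

# Constructed sample modelled on the transcript in the question (placeholders kept).
SELF_SIGNED_TRANSCRIPT = """\
verify error:num=18:self signed certificate
Certificate chain
 0 s:/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
   i:/C=*/ST=*/L=*/O=*/OU=ID/CN=[FQDN here]
    Verify return code: 18 (self signed certificate)
"""

# Constructed sample of a correctly deployed two-certificate chain (made-up names).
CA_SIGNED_TRANSCRIPT = """\
Certificate chain
 0 s:/CN=www.example.com/O=Example Corp
   i:/O=Example Corp CA
 1 s:/O=Example Corp CA
   i:/O=Example Corp CA
    Verify return code: 0 (ok)
"""

# One chain entry spans two lines: " N s:<subject>" then "   i:<issuer>".
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
CODE_RE = re.compile(r"Verify return code: (\d+)")

def parse_chain(transcript):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_RE.findall(transcript)]

def diagnose(transcript, expected_issuer=None):
    """Explain what the transcript says about the certificate the server sent."""
    chain = parse_chain(transcript)
    if not chain:
        return "no certificate chain found"
    _, subject, issuer = chain[0]
    if subject == issuer:
        # Subject == issuer at depth 0 means the leaf signs itself: the server is
        # still serving the certificate that keytool -genkey created.
        return "leaf is self-signed: the CA-signed certificate was never installed"
    if expected_issuer and issuer != expected_issuer:
        return f"leaf issued by {issuer!r}, expected {expected_issuer!r}"
    m = CODE_RE.search(transcript)
    if m and m.group(1) != "0":
        return f"chain looks right but verify return code is {m.group(1)}"
    return "ok"
```

In the question, step 5 imports the signed certificate under `ALIAS_SIGNED` rather than `ALIAS`, so keytool stores it as a separate trusted-certificate entry and the key entry under `ALIAS` keeps its self-signed certificate; importing the CA certificate first and then the signed certificate under `ALIAS` is what replaces that key entry's chain.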

1 Answer


The alias should match the FQDN.

bbaassssiiee