
I have a problem with the secure Grizzly HttpServer: my method loads the keystore file and the truststore file, and it works with self-signed certs.

import org.glassfish.grizzly.ssl.SSLContextConfigurator;

private static SSLContextConfigurator getSSLContextConfigurator() {
    final SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator();
    // Server identity: the keystore must hold the private key and the certificate chain the server presents
    sslContextConfigurator.setKeyStoreFile("keystore_server");
    sslContextConfigurator.setKeyStorePass("password");
    // Trust anchors used to validate client certificates
    sslContextConfigurator.setTrustStoreFile("truststore_server");
    sslContextConfigurator.setTrustStorePass("password");
    return sslContextConfigurator;
}

But when I want to import my certs signed by a CA into the keystore or truststore, like:

keytool -genkey -keyalg RSA -keystore ./keystore_client -alias clientKey
keytool -export -alias clientKey -rfc -keystore ./keystore_client > ./client.cert
keytool -import -alias clientCert -file ./client.cert -keystore ./truststore_server

keytool -import -file certsigned.pem -keystore ./keystore_server -alias serverKey
keytool -export -alias serverKey -rfc -keystore ./keystore_server > ./server.cert
keytool -import -alias serverCert -file ./server.cert -keystore ./truststore_client

My application starts up without error, but when I use curl or a browser I get a client-side error:

curl: (35) Unknown SSL protocol error in connection to domain.com:8090
Browser: ERR_CONNECTION_CLOSED

How do I properly import my CA-signed certs with keytool?

EDIT

My certificates already work on a website, so they aren't invalid.

Genskao

2 Answers


Curl does not use the system CA store. You either need to tell curl where your CA cert is, using the

--cacert [file]

command line option or use one of the other options mentioned here.

JJF
  • Thank you for your reply; the main problem isn't curl but keytool. When I use curl with the self-signed certificates, it works: I just add the -k argument for an insecure call. Another example: with my web browser, it works with self-signed certificates. I think it's my generation of the keystore or truststore for my REST web service that is really bad. – Genskao Jan 28 '18 at 16:51
  • For what it's worth [here](https://stackoverflow.com/questions/33175879/jetty-how-to-programatically-enforce-security-constraint-in-web-xml/33261787#33261787) is a code sample from another question I answered that shows how to create a keystore in embedded Jetty server from a cert file and a key file. – JJF Jan 29 '18 at 12:54

I solved my problem! In fact, convert the certificate chain + private key to the PKCS#12 file format, then convert the PKCS#12 file into Java keystore format. And the keystore file works! More information here.

openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore_server
rm keystore.pkcs12
Genskao
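The following script is an added example, not code from either post or from the Grizzly project. It covers both the keytool sequence in the question and the openssl/keytool route in the accepted answer: it builds a throw-away CA and a CA-signed server certificate with openssl (standing in for the real CA-issued cert), packages chain and private key as PKCS#12 exactly as the answer does, and then checks the thing that actually decides whether the handshake succeeds, namely that the keystore contains a private key entry rather than only a trusted certificate. A `keytool -import` of the signed cert under a fresh alias (as in the question, where `serverKey` never held a key) produces a trustedCertEntry, so the server has no key to present and closes the connection. The CA name, hostname `domain.com`, alias `serverKey` and password `changeit` are constructed for the demo; the keytool conversion step runs only if a JDK is on PATH.

```shell
#!/bin/sh
# Added example: verify that a PKCS#12/JKS server keystore really carries a
# private key before handing it to Grizzly. Names and passwords are constructed.
set -e

P12_PASS="changeit"   # constructed demo password, not the poster's

# make_test_pki DIR: writes ca.pem, privkey.pem, fullchain.pem and
# keystore.pkcs12 into DIR (throw-away CA standing in for the real one).
make_test_pki() {
    dir=$1
    # Throw-away CA key + self-signed CA cert
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # Server key + CSR: the CSR is what would be sent to the CA
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=domain.com" -keyout "$dir/privkey.pem" -out "$dir/server.csr" >/dev/null 2>&1
    # CA signs it as a TLS server cert with a SAN (browsers ignore CN alone)
    printf 'subjectAltName=DNS:domain.com\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl x509 -req -days 1 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/cert.pem" >/dev/null 2>&1
    # fullchain.pem = leaf first, then the issuing CA (the order TLS expects)
    cat "$dir/cert.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
    # The step from the accepted answer: key + chain into one PKCS#12 bag
    openssl pkcs12 -export -in "$dir/fullchain.pem" -inkey "$dir/privkey.pem" \
        -name serverKey -passout "pass:$P12_PASS" -out "$dir/keystore.pkcs12"
}

# p12_has_private_key FILE: succeeds only if the bag holds a private key.
# A keystore that only received `keytool -import` of the signed cert has no
# key, and a server with no key closes the handshake (curl error 35).
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
        | grep -q 'BEGIN .*PRIVATE KEY'
}

# p12_cert_count FILE: number of certificates in the bag (leaf + chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# keystore_entry_type P12 ALIAS: converts the PKCS#12 to a JKS the way the
# answer does and prints the entry type keytool reports for ALIAS
# ("PrivateKeyEntry" is what a server keystore needs). Prints
# "keytool-not-available" when no JDK is on PATH.
keystore_entry_type() {
    p12=$1; alias=$2; jks="$1.jks"
    command -v keytool >/dev/null 2>&1 || { echo "keytool-not-available"; return 0; }
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$P12_PASS" -destkeystore "$jks" -deststoretype JKS \
        -deststorepass "$P12_PASS" >/dev/null 2>&1
    keytool -list -keystore "$jks" -storepass "$P12_PASS" -alias "$alias" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    if p12_has_private_key "$work/keystore.pkcs12"; then
        echo "keystore.pkcs12: private key present, $(p12_cert_count "$work/keystore.pkcs12") certs in chain"
    else
        echo "keystore.pkcs12: NO private key, Grizzly would have nothing to serve" >&2
    fi
    echo "entry type after keytool -importkeystore: $(keystore_entry_type "$work/keystore.pkcs12" serverKey)"
    rm -rf "$work"
}

demo
```

Point the Grizzly `setKeyStoreFile` at the converted JKS (or, on Java 9+, at the PKCS#12 file itself together with `setKeyStoreType("PKCS12")`, which is my assumption about the SSLContextConfigurator API rather than something the posts show), and re-run `keytool -list -keystore keystore_server` after any change: the alias must say PrivateKeyEntry, and the cert it carries must be the CA-signed one, or the server will keep closing the TLS connection.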