Friday, September 18, 2015

How to install godaddy certificate on clib tomcat

Solved the issue by referring to this SO thread, and going back to the page on GoDaddy's HowTo For Tomcat4/5/6.x. Being an amateur to SSL Certificates, I did not realize the meaning of-inand-inkeyflags, and was trying to find a way by flanking them. Please excuse me if part of this appears increasingly matter-of-fact to a more trained eye.
I created a new keystore with
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore
The-aliasvalue oftomcatis important here, and so is thepassword, sayP, which will be used for this keystore. So,tomcat.keystorecontains 1 entry listed as:
$ keytool -list -keystore tomcat.keystore 
tomcat, Jun 17, 2014, PrivateKeyEntry, 
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
This keystore is of typeJKS. Then, I generated a CSR by:
keytool -certreq -v -alias tomcat -file myrequest.csr -keystore tomcat.keystore
gives amyrequest.csrfile, against which GoDaddy issues back azipfile of 3 certificates:
  • gd_bundle-g2-g1.crt- Go Daddy Certificate Bundles - G2 With Cross to G1, includes Root
  • gdig2.crt- Go Daddy Secure Server Certificate (Intermediate Certificate) - G2
  • mydomain.crt- The certificate for my domain
Previously, I was incorrectly importing them back into thetomcat.keystorewhich gave me akeytool error: java.lang.Exception: Failed to establish chain from replyerror.
But instead, for the instructions on GoDaddy's page, by referring to the SO thread linked above, I first combined my certificatemydomain.crtand the certificate bundlegd_bundle-g2-g1.crtfrom GoDaddy as
cat mydomain.crt gd_bundle-g2-g1.crt > combinedcerts
Then make a keyfile by first exporting the private key oftomcat.keystoreas aPKCS12keystore and then extracting the key from thePKCS12keystore as the final keyfile required as specified:
keytool -importkeystore -srckeystore tomcat.keystore -destkeystore tomcatkey.p12 -deststoretype PKCS12
Take care to keep the password of the newPKCS12keystore being created, i.e.tomcatkey.p12to be exactly same as that oftomcat.keystore. The import should complete successfully with the following message:
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
Then I extracted the key from the newPKCS12keystore as:
openssl pkcs12 -in tomcatkeystore.p12 -out tomcatkey.pem -nodes
At this point, we'll be again prompted for the password set in the step above, upon successful verification of which, the new key should be exported intotomcatkey.pemwith the following message:
MAC verified OK
With thecombinedcertsandtomcatkey.pemready, I now followed instructions on GoDaddy's HowTo Page as:
openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in combinedcerts -inkey tomcatkey.pem -out new.tomcat.keystore -name tomcat -passout pass:yourpasswd
The new keystorenew.tomcat.keystoreis of the typePKCS12instead of the older one which wasJKS. To configure tomcat to use the new keystore, the values of the properties the SSL Connector are changed nominally as
keystoreFile=<path to>\new.tomcat.keystore
keystorePass="yourpasswd"
keystoreType="PKCS12"
After this, on restarting the tomcat, the new certificate worked.
I am sure there is a much more efficient usage of the options to get this done in lesser steps, but if the steps above seem unnecessary or can be optimized it's only due to my limited in my glaring lack of depth in understanding these tools. But hey, this works!
Posted by at No comments:

Friday, May 1, 2015

Import https certificate in java

Friday, December 12, 2008

How to solve javax.net.ssl.SSLHandshakeException?

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:441)
at javax.mail.Service.connect(Service.java:233)
at javax.mail.Service.connect(Service.java:134)

--------------------------------------------------------
The problem is that our webapp is now acting as a SSL client, and as a client, it needs to obtain and 'trust' the server's public key.
-----------------------------------------------------

The fix

Obtain the server's public key.

To quote Microsoft; "consult your system administrator". The public/private key pair will live somewhere on the server. The public key should be located and copied to the server hosting JIRA/Confluence. For example:
scp root@mail.yourcompany.com:/etc/ssl/certs/imapd.pem .
If you have openssl installed locally, the key can be retrieved with a command like:
jturner@teacup:~$ openssl s_client -connect imap.atlassian.com:imaps
CONNECTED(00000003)
depth=0 /C=AU/ST=NSW/L=Sydney/O=Atlassian/CN=imap.atlassian.com/emailAddress=info@atlassian.com
.....
.....
Server certificate
-----BEGIN CERTIFICATE-----
MIICiTCCAfKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB/MQswCQYDVQQGEwJBVTEM
MAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZTeWRuZXkxEjAQBgNVBAoTCUF0bGFzc2lh
bjEaMBgGA1UEAxMRY3ZzLmF0bGFzc2lhbi5jb20xITAfBgkqhkiG9w0BCQEWEmlu
Zm9AYXRsYXNzaWFuLmNvbTAeFw0wNTA5MjMwNjUyNTNaFw0wNjA5MjMwNjUyNTNa
MH8xCzAJBgNVBAYTAkFVMQwwCgYDVQQIEwNOU1cxDzANBgNVBAcTBlN5ZG5leTES
MBAGA1UEChMJQXRsYXNzaWFuMRowGAYDVQQDExFjdnMuYXRsYXNzaWFuLmNvbTEh
MB8GCSqGSIb3DQEJARYSaW5mb0BhdGxhc3NpYW4uY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDhwAgx/gDgKe9tBjUCj7JtVkwQSzj2Dq0PHiJu1AWUYWFW
ivbBWaWSYbt/w9vIRSL8OlGVOLnlFOH5o7QIpIBZvd3xBMv6DxMijM86/hu8QTPt
KcMuqBTGpu1T846SzNncj883wSE1hXxezCgEFCsqyC7dVX4l0Ay6zgzkt2wc3QID
AQABoxUwEzARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEEBQADgYEAJOgg
O4brCcQa3IgONo8UmLcHo6Rq+Py6ZA3ueUegy/uyQ358JUeL4kktXuYL9gAPCuMc
hsC1iyaOrWY/S9S67w2ZWqc+uYX9ophFHkxK1r3YiaiMpEzMyB12VWSrOITcR0LV
7NTWfxfPLUpkDbj+Mw/66QJkI0lqBvcKn3KXI74=
-----END CERTIFICATE-----
Cut and paste the certificate (including BEGIN and END lines) into a local file (eg. imapd.pem).


******Instead of this we can download the certificate from browser itself.

Import the public key.

To do this, you need to use the keytool program that comes with Java. If you haven't already, add $JAVA_HOME/bin to your PATH, and then run the following:
jturner@teacup:~$ sudo keytool -import -alias mail.yourcompany.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file imapd.pem
Enter keystore password:  changeit
Owner: EMAILADDRESS=info@atlassian.com, CN=atlassian.com, O=Atlassian, L=Sydney, ST=NSW, C=AU
Issuer: EMAILADDRESS=info@atlassian.com, CN=atlassian.com, O=Atlassian, L=Sydney, ST=NSW, C=AU
Serial number: 0
Valid from: Fri Feb 11 14:09:05 EST 2005 until: Sat Feb 11 14:09:05 EST 2006
Certificate fingerprints:
MD5:  CB:AE:7D:5D:1A:08:06:77:93:3B:0F:53:BB:40:C0:D4
SHA1: 7C:02:44:0D:A9:8F:F9:FB:BB:7B:C6:F1:52:DE:CA:00:17:D9:3A:A0
Trust this certificate? [no]:  yes
Certificate was added to keystore
This will import the public key (imapd.pem) into Java's default keystore, and marks it as trusted.
On Windows the command is similar, eg.:
C:\Program Files\Java\jre1.6.0_05>bin\keytool -import -file c:\certs\imapd.pem -alias mail.yourcompany.com -keystore lib\security\cacerts
Enter keystore password:
Owner: CN=*.atlassian.com, OU=IT, O=ATLASSIAN SOFTWARE SYSTEMS PROPRIETARY LIMITED, L=Sydney, ST=NSW, C=au
Issuer: CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: a2d7047dc5d47ba988c9685e1efb860
Valid from: Thu Jan 10 11:00:00 EST 2008 until: Fri Jan 14 10:59:59 EST 2011
Certificate fingerprints:
        MD5:  9D:B4:9F:3D:0A:DE:6A:BD:BC:3D:95:BE:60:BD:70:02
        SHA1: 67:C6:E9:C8:3F:F1:7A:3C:66:E2:CE:62:78:A1:66:84:35:5E:62:1E
        Signature algorithm name: SHA1withRSA
        Version: 3
.....

Trust this certificate? [no]:  yes
Certificate was added to keystore

C:\Program Files\Java\jre1.6.0_05>

Restart the app server


Posted by at No comments:
Subscribe to: Posts (Atom)