Thursday, 15 October 2015

SSL Certificates in Glassfish

There are two files in GlassFish [1], to wit:
  • ./glassfish/domains/domain1/config/keystore.jks
  • ./glassfish/domains/domain1/config/cacerts.jks
As I read it, your private keys are stored in keystore.jks, and the root and intermediate certificates of Certificate Authorities (CAs) are stored in cacerts.jks. When configured correctly, these two files together contain all the certificates needed to build the chain of trust.

Checking out the keystore can be done using the following command line:
keytool -list -v -keystore keystore.jks
The default keystore password is "changeit".
You get the following:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: glassfish-instance
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost-instance, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 43ce5f77
Valid from: Wed May 15 07:33:41 CEST 2013 until: Sat May 13 07:33:41 CEST 2023
Certificate fingerprints:
MD5: C0:FA:88:64:36:7A:1B:62:1B:F1:BD:8F:5A:7A:9A:E7
SHA1: B1:FA:A8:2B:7C:83:18:A8:9B:C6:46:50:41:EC:FC:7C:DF:69:B3:33
SHA256: 52:AB:1F:37:75:68:92:8F:3D:02:49:D7:3C:8E:BC:53:76:9B:68:E2:B8:83:AF:ED:4C:39:99:FE:45:F1:F1:67
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 56 50 2C 8F D9 A2 55 80 18 8F 3D 90 AC 77 28 C3 VP,...U...=..w(.
0010: FE A0 55 F6 ..U.
]
]
*******************************************
*******************************************
Alias name: s1as
Creation date: May 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Issuer: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Serial number: 4a9972f
Valid from: Wed May 15 07:33:38 CEST 2013 until: Sat May 13 07:33:38 CEST 2023
Certificate fingerprints:
MD5: 79:0D:FC:CF:99:32:2B:BE:77:36:40:4A:14:E1:2D:91
SHA1: 4A:57:58:F5:92:79:E8:2F:2A:91:3C:83:CA:65:8D:69:64:57:5A:72
SHA256: AB:48:B2:E6:C4:4C:50:86:7F:B3:70:30:83:F1:CE:E8:06:F4:B5:75:F0:E3:AD:5B:23:38:10:02:A8:85:F5:56
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4C 05 82 BD 8C 02 B8 05 00 04 14 0A FB 29 AA F7 L............)..
0010: 48 6C CB 86 Hl..
]
]

*******************************************
*******************************************
There is also a keystore (cacerts) that comes bundled with your Java installation; it can usually be found in the jre/lib/security directory.
You can view all the certificates in there using:
keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.60-2.b27.el7_1.x86_64/jre/lib/security/cacerts

Backup your keystore.jks

Just a simple copy will do.
cp keystore.jks keystore.jks.backup

Delete the default self-signed certificate

keytool -delete -alias s1as -keystore keystore.jks -storepass changeit

Generating a certificate request

First a new key pair is generated under the alias s1as; the request generated from it is then submitted to the Certificate Authority. For more information see the chapter "To Sign a Certificate by Using keytool" in [1]. Using RSA gives a default key size of 2048 bits.
[glassfish@vps386 config]$ keytool -genkeypair -keyalg RSA -keystore keystore.jks -validity 365 -alias s1as
Enter keystore password:
What is your first and last name?
[Unknown]: www.hostname.org
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=www.hostname.org, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <s1as>
(RETURN if same as keystore password):
[glassfish@vps386 config]$
The CSR (Certificate Signing Request) can then be generated into the file s1as.csr:
keytool -certreq -alias s1as -file s1as.csr -keystore keystore.jks -storepass changeit
The generated file should look something like the following:
-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body)
-----END NEW CERTIFICATE REQUEST-----

Submit the CSR to a Certificate Authority

I did this using GoDaddy.Com. Most CAs have a web interface that provides this functionality.

Download the CA certificates and any intermediate CA certificates

This is where it gets a little problematic. I keep hearing that many CAs do not include all of the proper certificates in the download, and you are forced to check their public repository for the right files.

Then there are all the possible formats in which the certificates can be stored.

Downloading the zip file from GoDaddy.com gave me the following files:
  • gd_bundle-g2-g1.crt: the root and intermediate certificates of your CA
  • b9683876305fc322.crt: your private certificate, which should be kept private

Check out the CA certificates

keytool -printcert -v -file gd_bundle-g2-g1.crt

Import the CA certificate and any intermediate CA certificates

keytool -import -v -trustcacerts -alias godaddy -file /home/glassfish/junk/gd_bundle-g2-g1.crt -keystore cacerts.jks -storepass changeit
Certificate was added to keystore
[Storing cacerts.jks]

Replace the original self-signed certificate with the certificate you obtained from the CA

keytool -import -v -trustcacerts -alias s1as -file /home/glassfish/junk/b9683876305fc322.crt -keystore keystore.jks -storepass changeit

Verify the certificate chain

Unfortunately, not providing all the certificates required to build up the chain will cause an exception when importing the certificate reply into the keystore [4].

openssl s_client -connect www.karchan.org:4848
This shows the following certificate chain:
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=www.karchan.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
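The chain printed by openssl s_client above has to link up: each certificate's issuer (i:) must be the subject (s:) of the next entry, and the last entry must be self-signed. The following Python script is an added example, not part of the original post: it parses that "Certificate chain" block (copied from this page as constructed input) and reports any gap, and it also recognises the single self-signed certificate that GlassFish serves before the default s1as entry is replaced.

```python
import re

# Constructed sample: the "Certificate chain" block openssl s_client printed
# for the GoDaddy-issued server certificate shown on this page.
SAMPLE_CHAIN = """\
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.karchan.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
"""

# Constructed sample: what s_client shows while GlassFish still serves its
# default self-signed s1as certificate (subject and issuer identical).
SAMPLE_SELF_SIGNED = """\
Certificate chain
 0 s:/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=localhost
   i:/C=US/ST=California/L=Santa Clara/O=Oracle Corporation/OU=GlassFish/CN=localhost
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order s_client printed them (leaf first)."""
    lines = text.splitlines()
    chain = []
    for n, line in enumerate(lines):
        m = re.match(r"^\s*\d+ s:(.*)$", line)  # subject line; issuer follows on the next line
        if m and n + 1 < len(lines):
            issuer = lines[n + 1].strip()
            if issuer.startswith("i:"):
                chain.append((m.group(1).strip(), issuer[2:].strip()))
    return chain

def check_chain(chain):
    """Return (ok, findings): every issuer must be the next entry's subject, and the
    last entry must be self-signed, otherwise a root or intermediate is missing."""
    findings = []
    if not chain:
        return False, ["no certificates found"]
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        findings.append("single self-signed certificate (looks like the GlassFish default)")
    for k, (subject, issuer) in enumerate(chain[:-1]):
        if issuer != chain[k + 1][0]:
            findings.append(f"gap after #{k}: issuer {issuer!r} is not the next subject")
    if chain[-1][0] != chain[-1][1]:
        findings.append("last certificate is not self-signed: root or intermediate missing")
    return not findings, findings
```

Feed it the real output with `openssl s_client -connect host:port </dev/null | python3 -c 'import sys; ...'` or paste the block into SAMPLE_CHAIN; an empty findings list means the server sends a complete chain.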
Another way to verify the chain is by using Microsoft Windows.
On Linux, I find that Keystore-Explorer [5] fulfils my needs.

References

[1] GlassFish Server Open Source Edition Security Guide Release 4.0
https://glassfish.java.net/docs/4.0/security-guide.pdf
[2] GlassFish Server Open Source Edition Administration Guide Release 4.0
https://glassfish.java.net/docs/4.0/administration-guide.pdf
[3] Java Dude Blog - Glassfish V3.1.2 and SSL
https://javadude.wordpress.com/2013/03/22/glassfish-v3-1-2-and-ssl//
[4] StackOverflow - Keytool error java lang exception failed to establish chain from reply
http://stackoverflow.com/questions/23611688/keytool-error-java-lang-exception-failed-to-establish-chain-from-reply
[5] SourceForge - Keystore-Explorer
http://keystore-explorer.sourceforge.net/