The reason for this follow-up is that getting certificates issued for websites and code is a very error-prone and manual process, done infrequently enough that all of us forget the details afterwards.
It basically follows the same path as the previous blog post [1], but I find it convenient to write things down, in case I forget.
The certificate on my website had expired, and it took me a while before I found the time and the motivation to renew it.
I'm still with GoDaddy.com [4]. Thankfully, the CSR was already submitted last year, and I can simply reuse it. Reusing the CSR means the renewed certificate is issued for the same key pair that is still in keystore.jks under the s1as alias; that is also what allows the new certificate to be imported as a certificate reply below. A fresh key pair would require a fresh CSR.
Once I submit the CSR, I am required to verify that I am the owner of the domain. This time, thank goodness, it requires nothing more than clicking a link sent to the email address stored in the WHOIS information.
No putting a file in the root directory of the web server or some such, like the first time.
Once that is done, I need to download the new certificates from godaddy.com. They ask for the type of web server they need to generate the certificates for. GlassFish is not mentioned anywhere, so I select "Other".
The zip file I then receive contains the same files as mentioned in my previous blog post [1].
As I already installed the CA certificates (intermediate and root) the last time, I choose to ignore the gd_bundle-g2-g1.crt file. That is only safe as long as GoDaddy's chain has not changed since then; if keytool cannot establish a chain for the certificate reply, the bundle has to be imported first.
The more interesting file is 2375839yrghfs5e7f.crt, the new server certificate itself.
Replace the expired certificate under the s1as alias with the certificate you obtained from the CA. Because that alias already holds the matching private key, keytool treats the file as a certificate reply and, thanks to -trustcacerts, validates it against the trusted CA certificates before storing it. Note that passing -storepass on the command line leaves the keystore password in the shell history and visible to other users in the process list.
[glassfish@server config]$ keytool -import -v -trustcacerts -alias s1as -file /home/glassfish/junk/2375839yrghfs5e7f.crt -keystore keystore.jks -storepass changeit
Certificate reply was installed in keystore
[Storing keystore.jks]
Verifying the keystore.jks
You can verify that all is well by listing the contents of the keystore with keytool, as in the previous post [1]. You will see something like the following:
Alias name: s1as
Creation date: Feb 1, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=www.server.org, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 8446c5db57d376ed
Valid from: Wed Feb 01 14:27:00 CET 2017 until: Thu Feb 01 14:27:00 CET 2018
Certificate fingerprints:
MD5: 75:7a:73:67:72:6a:6b:73:65:72:6e:79:20:62:61:77
SHA1: 75:7a:73:67:72:6a:6b:73:65:72:6e:79:20:62:61:77:79:20:72:67
SHA256: 75:7a:73:67:72:6a:6b:73:65:72:6e:79:20:62:61:77:79:20:72:67:68:20:61:77:65:72:3c:6f:3b:20:59:38
Signature algorithm name: SHA256withRSA
Version: 3
Which shows that, as of today, the keystore has a valid certificate that is valid for exactly one year.
To apply your changes, restart GlassFish Server, as described in the chapter "To Sign a Certificate by Using keytool" of the Security Guide [2].
Verifying after reboot
Earlier, when issuing the openssl command:
openssl s_client -connect www.server.org:4848
the result was:
SSL handshake has read 15360 bytes and written 339 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5891E20F7C4FA7CBFA6ABF7E0EC6EC2D40C2CB4A148EFCEAE7F3179F5F80763F
Session-ID-ctx:
Master-Key: B8C7BA7AC15244DC581749AC9702609F8EB1BCE03F5B0CD53ECEE382D93877EBF6D5E3FE9F603D6D8253521A29EEB494
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1485956532
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
Notice especially that last line: the TLS handshake itself completes, but certificate verification fails because the certificate has expired.
Once GlassFish was restarted, the same command yields:
SSL handshake has read 15370 bytes and written 339 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5891E99B097CCC082475F5949A55ABD71C7AED902725AA6E98E77EAA3FC7BF01
Session-ID-ctx:
Master-Key: 9465D76CDC8D4CA19E46B2367ECD35382BA8049707BBF1D4D06E0389E85F724BA646F3C2C9FD45CF256C12ED9A0714F0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1485958464
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Again, I would like to draw your attention to the last line. A verify return code of 0 means that openssl could build and validate the chain against its local trust store and that the certificate's validity period covers the current date; it does not, by itself, prove that the name in the certificate matches the host you connected to, so also compare the Owner line of the keystore listing with your hostname.
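As an added example that is not part of the original post, the following POSIX shell script automates both checks above: it exports the s1as entry from keystore.jks and checks its expiry, and it connects to the live listener and reads the "Verify return code" line the way the openssl s_client output above shows it, warning when the certificate is within a configurable number of days of expiry. The host, port, alias and keystore file name are the post's values (the script assumes it is run from the domain config directory, as the post's keytool command is); WARN_DAYS, the STOREPASS environment variable, the certcheck.sh file name and the -servername (SNI) flag are my assumptions and additions, and openssl and keytool must be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: check the certificate GlassFish
# holds in keystore.jks and the one it actually serves, and fail before expiry.
# Assumes openssl and keytool on PATH. HOST, PORT, KEYSTORE and ALIAS default to
# the post's values; WARN_DAYS and the STOREPASS variable are assumptions.

HOST="${HOST:-www.server.org}"
PORT="${PORT:-4848}"
KEYSTORE="${KEYSTORE:-keystore.jks}"   # run from the domain config directory
ALIAS="${ALIAS:-s1as}"
WARN_DAYS="${WARN_DAYS:-30}"

# Pull the numeric value out of the "Verify return code: N (text)" line that
# openssl s_client prints at the end of its session summary (stdin -> stdout).
verify_code() {
    sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Given a PEM certificate on stdin, print its subject and notAfter date and
# return 2 if it expires within WARN_DAYS (openssl -checkend exits 1 then).
check_pem() {
    pem=$(cat)
    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
    if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((WARN_DAYS * 86400))" >/dev/null; then
        echo "WARNING: certificate expires within $WARN_DAYS days" >&2
        return 2
    fi
}

# Keystore side: export the s1as entry as PEM (-rfc) and check it.
# keytool's :env modifier reads the password from $STOREPASS, so it does not
# end up in the shell history or the process list like "-storepass changeit".
check_keystore() {
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" -storepass:env STOREPASS | check_pem
}

# Live side: the same s_client call as in the post, plus -servername so a
# name-based virtual host returns the certificate for $HOST. The verify return
# code must be 0 (chain valid, dates in range) before the expiry check runs;
# s_client prints the served certificate in PEM, which check_pem reads.
check_server() {
    out=$(openssl s_client -connect "$HOST:$PORT" -servername "$HOST" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$code" != "0" ]; then
        echo "ERROR: verify return code ${code:-missing} from $HOST:$PORT" >&2
        return 1
    fi
    printf '%s\n' "$out" | check_pem
}

# Only run the checks when invoked with an argument, e.g. from cron:
#   STOREPASS=changeit ./certcheck.sh keystore     ./certcheck.sh server
case "${1-}" in
    keystore) check_keystore ;;
    server)   check_server ;;
    all)      check_keystore && check_server ;;
esac
```

Run "certcheck.sh server" from a machine whose openssl trust store contains the GoDaddy roots, otherwise the verify return code will be non-zero for reasons unrelated to expiry; a non-zero exit status from cron is the reminder the post says is so easy to forget.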
And that's it for now!
References
- [1] SSL Certificates in Glassfish, http://randomthoughtsonjavaprogramming.blogspot.nl/2015/10/ssl-certificates-in-glassfish.html
- [2] GlassFish Server Open Source Edition Security Guide, Release 4.0, https://glassfish.java.net/docs/4.0/security-guide.pdf
- [3] GlassFish Server Open Source Edition Administration Guide, Release 4.0, https://glassfish.java.net/docs/4.0/administration-guide.pdf
- [4] GoDaddy: Hosting, domain registration, websites and more, http://www.godaddy.com
- [5] SSLShopper: most common Java keytool keystore commands, https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
- [6] SSLShopper: SSL Certificate Verification, https://www.sslshopper.com/ssl-checker.html