SSL Certificates on Linux server

Hello there, I am new to working with Linux and importing certificates.

I have imported the certificates to the keystore (L1Kchain, L1Kchainroot, L1Kroot and the site3 certificate), I have modified the server.xml file with the path to the keystore file and the pw for the keystore.

When I try to launch the webpage I get the page with the warning that the certificate is not trusted.

https://name.of.mysite.org:8443 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_unknown_issuer)

Obviously I am missing a step or two; can you point me in the right direction of what I am missing?
finrade asked:
Dave Howe (Software and Hardware Engineer) commented:
A pfx file (actually a sort of keystore, via PKCS standard #12) has the secret key - cer files don't.

Here is an example syntax (all on one line; I have split it out here for clarity):

keytool -importkeystore
-srckeystore <pfxfile.pfx>
-srcstoretype PKCS12
-srcstorepass <pfxfilepasswd>
-srcalias <aliasinpfx>
-destkeystore /usr/local/jss/tomcat/.keystore
-deststoretype JKS
-destkeypass <jksfilepasswd>
-destalias tomcat

Obviously, substitute the things in <> with the real values :) (keytool rejects -destalias and -destkeypass unless -srcalias names the entry to copy, so -srcalias is needed here).
0
 
Dave Baldwin (Fixer of Problems) commented:
If your certificate is "self-signed", that is what you should see.  Or did you purchase a certificate from a vendor like Verisign or Godaddy?
0
 
finrade (Author) commented:
Yes, we obtained the certs from a third party vendor (Entrust).  I am not sure why it is not detecting that the third party cert has been imported into the keystore.
0
 
Dave Howe (Software and Hardware Engineer) commented:
The steps followed sound correct to me.

I would next verify it is actually tomcat listening on that port:

netstat -nap | grep LISTEN | grep 8443

will give you the process name and ID. Then shut down tomcat (and check again to make sure it actually stopped) and restart it. You can also use the browser (or openssl s_client) to see what cert IS being served, which should give you a clue where to look.
0
 
finrade (Author) commented:
This is what I get when running netstat -nap | grep LISTEN | grep 8443

tcp        0      0 0.0.0.0:8443                0.0.0.0:*                   LISTEN      26843/java

Is there another file that perhaps I need to modify?
0
 
Dave Howe (Software and Hardware Engineer) commented:
No. The 26843 is the process id - you can then do

ps -ef | grep 26843

and see what the command line for the tomcat startup was. If tomcat successfully restarts, the process id will change (a common cause of certs not "taking" is tomcat failing to restart, so it keeps running on the old settings).
0
 
finrade (Author) commented:
This is what I've got:  30353 30325  0 14:19 pts/0    00:00:00 grep 26843.  So I guess that tomcat is failing to restart, since the process id did not change as you mention.
0
 
finrade (Author) commented:
Never mind, I restarted and the process id changed.
0
 
finrade (Author) commented:
Is it possible that I might have to modify another file besides server.xml and importing the certs to the keystore?
0
 
Dave Howe (Software and Hardware Engineer) commented:
No. That is the only place the reference is stored. You can go look to see what IS being served, if you use the openssl tool:

openssl s_client -connect <ip>:8443 -showcerts

I would also check that what you think is in that keystore is really the only key in there, and ideally is called "tomcat" - there is a nice, friendly GUI tool for that here (at least until Google Code goes away).
0
 
finrade (Author) commented:
I tried the openssl s_client -connect <ip>:8443 -showcerts command and it "only" shows the self-signed certificate, not the other 4 certificates (L1Kchain, L1Kchainroot, L1Kroot and the site certificate).
0
 
Dave Howe (Software and Hardware Engineer) commented:
Then that is what the server is serving. Try the Keytool IUI tool linked above on the datastore, and verify it has the site cert (and only the site cert).
0
 
finrade (Author) commented:
The tool requires Java 1.6 and we cannot install anything below Java 1.7 :-(
Do you have any idea as to why only one cert would be detected?  When I check the keystore file 5 certs exist.
L1Kchain, L1Kchainroot, L1Kroot, site certificate and the private key (self signed cert)
0
 
Dave Howe (Software and Hardware Engineer) commented:
I run the tool here on the current version of java without issue - have you tried it?
I also run it on a workstation, having sftp'd the keystore to local storage, which of course is another option if you need it.

When more than one cert exists in the keystore, tomcat will usually take the one with the alias "tomcat" if it is present, otherwise the first one it finds sequentially (which is going to be the self-signed one in this case). There is also the issue of ensuring that the site cert has the private key as well, and hasn't accidentally been imported as just a cert (which of course won't work for a server).

Why not copy the file for safe keeping, then delete the extra (self-signed) cert from the keystore and see what happens?
0
 
finrade (Author) commented:
When I remove the self-signed cert from the keystore, the webpage no longer comes up.

I have tried importing the certs to the .keystore file and modifying the server.xml file. I have also imported the certs to the keystore.jks file and modified the server.xml file, no luck.
0
 
finrade (Author) commented:
This is the entry in the server.xml file (not the actual pw at the end).

  <!-- Define a SSL HTTP/1.1 Connector on port 8443
       This connector uses the JSSE configuration, when using APR, the
       connector should be using the OpenSSL style configuration
       described in the APR documentation -->
  <Connector URIEncoding="UTF-8"
             clientAuth="false"
             sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
             port="8443"
             executor="tomcatThreadPool"
             SSLEnabled="true"
             maxHttpHeaderSize="8192"
             maxPostSize="0"
             maxThreads="150"
             minSpareThreads="25"
             maxSpareThreads="75"
             enableLookups="false"
             disableUploadTimeout="true"
             acceptCount="100"
             scheme="https"
             protocol="HTTP/1.1"
             secure="true"
             keystoreFile="/usr/local/jss/tomcat/.keystore"
             keystorePass="notshared" />

Could I be missing something here?
0
 
Dave Howe (Software and Hardware Engineer) commented:
How did you import the site certificate? Using the standard keytool, the ONLY way to get that to import including the secret key is to import it from a pfx (pkcs#12) file using the -importkeystore and -keystoretype PKCS12 options - otherwise, it imports just the certificate and not the entire keypair. My guess is that the site certificate IS there, but the secret key isn't (making it useless for the task you want it for).

Or, use the GUI tool, which will let you do pretty much anything you want :)
0
 
finrade (Author) commented:
I used the standard keytool.

This is the command I used for one of the certs: -trustcacerts -alias tomcat -file /usr/local/jss/tomcat/site.x.x.x -keystore /usr/local/jss/tomcat/keystore.jks -storepass XXXXX
0
 
finrade (Author) commented:
This is what I meant; the command above is not the one I used. This is one of the commands I used:

keytool -import -trustcacerts -alias tomcat -file /usr/local/jss/tomcat/casper.x.org.crt -keystore /usr/local/jss/tomcat/.keystore -storepass notshared
0
 
Dave Howe (Software and Hardware Engineer) commented:
OK, that's probably your problem then. You need to import the secret key (which the server requires) as well as the public certificate. If you have imported the certificate only, the server won't be able to use that (as it cannot decrypt traffic the client has encrypted using the public key from the cert).

Use -importkeystore rather than -import, or the GUI tool, and import from a pfx/pkcs12, not a crt.
0
 
finrade (Author) commented:
I would love to use the tool but it doesn't work for me; when I launch it, it gives me an application error: Unable to launch the application.

What you mean is that I have to convert the *.cert file to pkcs12 and then import?
0
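The conversion asked about above, as an added example that is not from the thread or from either participant: openssl bundles the PEM site certificate, its private key and the chain into a PKCS#12, keytool -importkeystore copies the whole key pair into the JKS, and a small check over `keytool -list` output tells a PrivateKeyEntry (usable by Tomcat) from a trustedCertEntry (the cert-only import discussed above). File names, the alias "tomcat" and the password are assumptions; the keytool listing used at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a PKCS#12 from the PEM site certificate,
# its private key and the Entrust chain, import it into Tomcat's JKS under the alias
# "tomcat", and check what kind of entry an alias holds. File names and the
# password are assumptions.

# openssl bundles cert + key + chain; keytool -importkeystore copies the whole key
# pair across (keytool -import would copy the certificate only).
import_site_cert() {
    crt="$1" key="$2" chain="$3" jks="$4" pass="$5"
    openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
        -name tomcat -out site.p12 -passout "pass:$pass" || return 1
    keytool -importkeystore -srckeystore site.p12 -srcstoretype PKCS12 \
        -srcstorepass "$pass" -srcalias tomcat \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass" \
        -destalias tomcat
}

# Classify an alias from `keytool -list` output read on stdin. A server alias must
# be a PrivateKeyEntry; trustedCertEntry means only the certificate was imported.
alias_entry_type() {
    awk -v a="$1" '
        index($0, a ",") == 1 {
            found = 1
            if ($0 ~ /PrivateKeyEntry/)       print "PrivateKeyEntry"
            else if ($0 ~ /trustedCertEntry/) print "trustedCertEntry"
            else                              print "unknown"
        }
        END { if (!found) print "missing" }'
}

# Run keytool -list on a real keystore and classify one alias.
check_alias() {
    keytool -list -keystore "$1" -storepass "$2" | alias_entry_type "$3"
}

# Constructed keytool -list output of a keystore where "tomcat" was added with -import.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

l1kroot, Jun 27, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
tomcat, Jun 27, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

printf '%s\n' "$SAMPLE_LIST" | alias_entry_type tomcat   # prints trustedCertEntry
```

After a successful import_site_cert, check_alias on the real keystore should print PrivateKeyEntry for "tomcat"; if it still prints trustedCertEntry, the key pair did not come across.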
 
finrade (Author) commented:
Windows servers use *.pfx files but I am working on a Linux box that should use *.crt or *.cer, right?
0
 
finrade (Author) commented:
Great info and feedback
0