How to prepare and add Godaddy SSL wildcard certificate to Wildfly/JBoss

godaddyjbossssl-certificatewildcardwildfly

I have a done some research into how to prepare the wildcard certificate and add it in a manner in which it could be used within WildFly/JBoss (I'm using WildFly 16, but it should be the same for JBoss).

Files I have (and what they are – gathered from Discerning GoDaddy SSL Certificate Types):

<series of numbers>.crt: My certificate
gd_bundle-g2-g1.crt: GoDaddy Certificate Bundles – G2 With Cross to G1, includes Root
gdig2.crt.pem: GoDaddy Secure Server Certificate (Intermediate Certificate) – G2
privatekey.txt: Private Key for my certificate

Through a series of research and assistance from a coworker, I found I could prepare and add the certificates via the following commands:

openssl pkcs12 -export -in <series of numbers>.crt -inkey privatekey.txt -out outfile.pkcs12 -name yourdomain.com -CAfile gd_bundle-g2-g1.crt -caname root
<enter a password>
keytool -importkeystore -trustcacerts -deststorepass <newpass> -destkeypass <newpass> -destkeystore new.keystore -srckeystore outfile.pkcs12 -srcstoretype PKCS12 -srcstorepass <password entered above> -alias yourdomain.com

So, this all works, from a browser anyway. I can browse to pages hosted via WildFly and they work fine and the browser reports no SSL errors. However, an application that I have which uses WebSocket connections failed to verify the certificate. To look into this more I used the following against my site:

openssl s_client -connect yoursite.yourdomain.com:443

This resulted in the following:

Verification error: unable to verify the first certificate

After researching this, I found that Firefox will perform "certificate discovery" and resolve the chain to verify the server's certificate, even if it wasn't provided. So here I am trying to determine what's missing…

Best Answer

While trying to resolve this, I suspected the excluded files were necessary for the resolution of the chain, but couldn't easily determine how to get them in. I did some trial and error and tested with openssl s_client each time until I figured out what worked. This was the series of commands that resolved the chain directly from the server:

cat <series of numbers>.crt gdig2.crt.pem > bundle.crt
openssl pkcs12 -export -in bundle.crt -inkey privatekey.txt -out outfile.pkcs12 -name yourdomain.com -CAfile gd_bundle-g2-g1.crt -caname root
<enter a password>
keytool -importkeystore -trustcacerts -deststorepass <newpass> -destkeypass <newpass> -destkeystore new.keystore -srckeystore outfile.pkcs12 -srcstoretype PKCS12 -srcstorepass <password entered above> -alias yourdomain.com

A simple addition resolved the problem. I hope this is helpful for somoene!

Related Solutions

Ssl – Wildcard SSL certificate for second-level subdomain

RFC2818 states:

If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Internet Explorer behaves in the way outlined by the RFC, where each level needs its own wildcarded certificate. Firefox is happy with a single *.domain.com where * matches anything in front of domain.com, including other.levels.domain.com, but will also handle the *.*.domain.com types as well.

So, to answer your question: it is possible, and supported by browsers.

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Best Answer

Related Solutions

Ssl – Wildcard SSL certificate for second-level subdomain

SSL Certificate – How to Download SSL Certificate from a Website

Related Topic