Ubuntu – java keystore can’t validate URL

certificate-authorityjavakeystoresslUbuntu

With the same url, this ends up giving a verify return code 20 (unable to get local issuer of certificate):

openssl s_client -connect $URL:443 -showcerts -CAfile /etc/ssl/certs/java/cacerts

This gives a verify return code of 0:

openssl s_client -connect $URL:443 -showcerts -CApath /etc/ssl/certs

As does ... -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem.

But that cert is already in the java keystore. I need to be able to access the url from Java-land and I can't figure out what's going on. I'm a total n00b here so any help would be appreciated.

Best Answer

Tha cacerts file is a JKS-format keystore, which OpenSSL doesn't support (it's the standard keystore format for Java, but isn't commonly supported by non-Java utilities)

If you want to use openssl s_client with the certs from that keystore, you can extract them into a usable form with

keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts > cacerts.pem

(the default password for the cacerts file is "changeit", but if you just want to see the public certs you can just enter a blank password and it will be fine)

Related Solutions

Ssl – Why can’t openSSL verify google’s certificate

On another Linux distribution I use, the naked -connect verb doesn't actually import the root CA packages installed on the system. To get that, you need to add -CApath /etc/ssl/wherever/, where the path is the location of the root CA certificate bundles.

Without CAPath:

CONNECTED(00000003)
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 ---

With CAPath:

CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification     Authority
verify return:1
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mail.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---

Ssl – Getting JMX working under Tomcat 7 with SSL and a self-signed cert

It took me a while to figure this out but I eventually got it. The key is how the keystore & truststore files are set up when creating self-signed certs. Here's a bash script I wrote to make it easy to remember:

DNAME="CN=foo JMX, OU=prodops, O=foo.com, L=Somewhere, S=XX, C=US"
DAYS=3650
PASSWORD=<password>
CACERTS="/path/to/java/jre/lib/security/cacerts"

rm -f jconsole* tomcat*

# First, create the keystore and truststore for the application, tomcat in this case.  Use $CACERTS as the basis for the new keystore & truststore so that all public CA's remain intact:

keytool -genkey -alias tomcat -keyalg RSA -validity ${DAYS} -keystore tomcat.keystore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"
cp ${CACERTS} tomcat.truststore
keytool -storepasswd -keystore tomcat.truststore -storepass changeit -new ${PASSWORD}
keytool -genkey -alias tomcat -keyalg RSA -validity ${DAYS} -keystore tomcat.truststore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"

# And do the same for the JMX client, jconsole in this case:

keytool -genkey -alias jconsole -keyalg RSA -validity ${DAYS} -keystore jconsole.keystore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"
cp ${CACERTS} jconsole.truststore
keytool -storepasswd -keystore jconsole.truststore -storepass changeit -new ${PASSWORD}
keytool -genkey -alias jconsole -keyalg RSA -validity ${DAYS} -keystore jconsole.truststore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"

# Then, export the public certificates from the keystores:

keytool -export -alias tomcat -keystore tomcat.keystore -file tomcat.cer -storepass ${PASSWORD}
keytool -export -alias jconsole -keystore jconsole.keystore -file jconsole.cer -storepass ${PASSWORD}

# Finally, import the certificates into the truststores. Again, this allows the application (tomcat) to trust the client (jconsole), and vice-versa:

keytool -import -alias jconsole -file jconsole.cer -keystore tomcat.truststore -storepass ${PASSWORD} -noprompt
keytool -import -alias tomcat -file tomcat.cer -keystore jconsole.truststore -storepass ${PASSWORD} -noprompt

rm -f *.cer

Best Answer

Related Solutions

Ssl – Why can’t openSSL verify google’s certificate

Ssl – Getting JMX working under Tomcat 7 with SSL and a self-signed cert

Related Topic