Self-signed certificate not working on GlassFish 4.0 server

I created the self-signed certificate myself and added it to keystore.jks, but after selecting it for http-listener-2 in the admin console it does not work. The "s1as" certificate works correctly by default.

Server Information:

Install directory: C:\Program Files\glassfish-4.0\glassfish
Installed version: GlassFish Server Open Source Edition 4.0 (build 89)

What I've done:

Open cmd as administrator

Add keytool to PATH

    set "PATH=%PATH%;c:\Program Files\Java\jdk1.8.0_20\bin"

Generate key

    C:\Program Files\glassfish-4.0\glassfish\domains\domain1\config>keytool -keysize 2048 -genkey -alias autofirmado -keyalg RSA -keystore keystore.jks -validity 360
    Introduzca la contraseña del almacén de claves:
    ¿Cuáles son su nombre y su apellido?
      [Unknown]:  Myname
    ¿Cuál es el nombre de su unidad de organización?
      [Unknown]:  test
    ¿Cuál es el nombre de su organización?
      [Unknown]:  test2
    ¿Cuál es el nombre de su ciudad o localidad?
      [Unknown]:  locality
    ¿Cuál es el nombre de su estado o provincia?
      [Unknown]:  province
    ¿Cuál es el código de país de dos letras de la unidad?
      [Unknown]:  es
    ¿Es correcto CN=Myname, OU=test, O=test2, L=locality, ST=province, C=es?
      [no]:  si
    Introduzca la contraseña de clave para <autofirmado>
            (INTRO si es la misma contraseña que la del almacén de claves):  <ENTER>

Check the new generated key inside keystore.jks

    C:\Program Files\glassfish-4.0\glassfish\domains\domain1\config>keytool -list -keystore keystore.jks -alias autofirmado -v
    Introduzca la contraseña del almacén de claves:
    Nombre de Alias: autofirmado
    Fecha de Creación: 21-dic-2014
    Tipo de Entrada: PrivateKeyEntry
    ...

Then configured http-listener-2:

    alias: autofirmado
    keystore: keystore.jks
    truststore: cacerts.jks

Then I restarted the server and tried to access https://localhost:8181, but I got a Firefox message:

"Connection was aborted"

If I configure the GlassFish server with the default "s1as", it works correctly.


Since I found this question due to another error, I am writing here some possible causes of problems in similar situations.

Invalid certificate name

This refers to this issue. In Chrome, I got the following message:

 NET::ERR_CERT_AUTHORITY_INVALID 

You need to set CN = localhost for it to work.

 What is your first and last name? [Unknown]: localhost 

This is also indicated in the GlassFish Security Guide:

To verify the HTTPS host name, it is important to ensure that the certificate name (CN) matches the fully qualified host name of your site (fully qualified domain name). If the names do not match, clients connecting to the server will see a security warning stating that the certificate name does not match the site name.

Invalid Key Algorithm

I used keytool -genkey without specifying the -keyalg option, and this created a certificate with SHA1withDSA.

Chrome said ERR_CONNECTION_CLOSED, and in my server log I found

 javax.net.ssl.SSLHandshakeException: no cipher suites in common 

I solved this by specifying keytool -genkey -keyalg RSA.

Also change the GlassFish instance certificate

From the GlassFish Security Guide:

The DAS uses the s1as alias for SSL/TLS authentication, and instances use the glassfish-instance alias.

According to a comment on another answer, “If you change the s1as certificate, you will also need to change the certificate of the GlassFish instance.”

Invalid keystore file

Remember that:

  • The keystore.jks file contains the GlassFish Server certificate, including its private key.
  • The cacerts.jks file contains trusted GlassFish server certificates, including public keys for other objects.

Sometimes distraction can cause you to put the public key in the wrong file. This should be the correct sequence:

    # Generate a key pair in keystore.jks
    keytool -genkeypair -alias s1as -keystore keystore.jks -keypass changeit -storepass changeit -keyalg RSA

    # Export the certificate
    keytool -export -keystore keystore.jks -alias s1as -file s1as.cer -storepass changeit

    # Import it into the truststore cacerts.jks
    keytool -import -noprompt -trustcacerts -file s1as.cer -alias s1as -keystore cacerts.jks -storepass changeit

How to check

This command displays certificate information:

 keytool -v -list -alias <the_alias> -keystore <filename>.jks 

If you look at the original self-signed certificates provided by GlassFish, you will see:

  • CN:
    • Owner: CN=localhost for s1as
    • Owner: CN=localhost-instance for glassfish-instance
  • RSA: Signature algorithm name: SHA256withRSA
  • Entry type:
    • Entry type: PrivateKeyEntry for keystore.jks
    • Entry type: trustedCertEntry for cacerts.jks
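The three properties the answer tells you to look for (CN matching the host, an RSA-based signature algorithm, the right entry type for the store) can be checked mechanically over the output of `keytool -v -list`. The following script is an added example, not part of the answer or of GlassFish; it assumes English keytool labels (the asker's output is Spanish, so run keytool with `-J-Duser.language=en` or adapt the label names), and the sample listing it parses is constructed to mirror the asker's certificate.

```python
import re

# Constructed sample of `keytool -v -list` output (English labels) that mirrors the
# asker's certificate: CN is not "localhost" and the signature is SHA1withDSA.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: autofirmado
Creation date: 21-dic-2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Myname, OU=test, O=test2, L=locality, ST=province, C=es
Issuer: CN=Myname, OU=test, O=test2, L=locality, ST=province, C=es
Signature algorithm name: SHA1withDSA
Version: 3
"""

WANTED = ("Entry type", "Owner", "Signature algorithm name")

def parse_entries(listing):
    """Split a keytool -v -list dump into one dict per alias (leaf cert values win)."""
    entries = []
    for chunk in re.split(r"(?m)^Alias name: ", listing)[1:]:
        lines = chunk.splitlines()
        entry = {"alias": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and key.strip() in WANTED:
                entry.setdefault(key.strip(), value.strip())  # keep Certificate[1]
        entries.append(entry)
    return entries

def check_entry(entry, expected_cn, store_role):
    """Return the problems the answer describes, or [] if the entry looks usable."""
    problems = []
    m = re.search(r"CN=([^,]+)", entry.get("Owner", ""))
    cn = m.group(1).strip() if m else None
    if cn != expected_cn:
        problems.append(f"CN is {cn!r}, expected {expected_cn!r}")
    sig = entry.get("Signature algorithm name", "")
    if not sig.endswith("withRSA"):           # e.g. SHA1withDSA -> "no cipher suites in common"
        problems.append(f"signature algorithm {sig!r} is not RSA-based")
    expected_type = {"keystore": "PrivateKeyEntry", "truststore": "trustedCertEntry"}[store_role]
    if entry.get("Entry type") != expected_type:
        problems.append(f"entry type {entry.get('Entry type')!r}, expected {expected_type!r} in {store_role}")
    return problems
```

Running `check_entry(parse_entries(SAMPLE_LISTING)[0], "localhost", "keystore")` reports the two defects from the question (wrong CN, DSA signature) while a listing of the stock s1as entry returns an empty list.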

Source: https://habr.com/ru/post/1209669/
