I'm using the new free SSL certificate service https://www.sslforfree.com. I registered my domain, everything went well, and I got the certificate files, which are three files
(ca_bundle.crt, certificate.crt and private.key).
After three days on this problem, I have read tens of examples on this site and on others, but none of them works for me.
First, in the examples I read there are four files (COMODO, for example), unlike my case, where there are two .crt files and a private key file.
My question is: is there something wrong with the website, which didn't give me the complete certificate files? And if not, how can I deploy this certificate to my GlassFish 4.x? I'm using 4.1.2 now.
Any help appreciated.
In Java you need to store your certificate in a *.jks file. Then point your server (Tomcat/GlassFish) to this *.jks.
You can find how to configure GlassFish with a certificate here: https://ssl.comodo.com/support/certificate-installation-glassfish-4x.php
If that's not enough you should look at the resources below.
I think Let's Encrypt (https://letsencrypt.org/getting-started/) should answer your questions.
Start by looking at their docs: https://letsencrypt.org/docs/
and if that's not enough then move on to the forum: https://community.letsencrypt.org/
I'm trying to call an Italian webservice, but I'm getting an SSLHandshakeException exception. I know this is a security trust problem and I should have a certificate to allow me to communicate using SSL. I would like to know if someone can help me to understand what should be the next steps and how can I generate a valid certificate to communicate with the webservice. Security is not my beach :)
The Italian webservice has a zip folder with a tool for developers and they have there two certificates, but I don't know what I should do with them. You can see here: https://sistemats1.sanita.finanze.it/portale/spese-sanitarie/documenti-e-specifiche-tecniche-strumenti-per-lo-sviluppo
Link to the Zip file: (https://sistemats1.sanita.finanze.it/portale/documents/20182/34450/kit730P_ver_20210301.zip/027086e7-385a-6071-ca86-f52077923a85)
You can see my experimental code here: https://github.com/nbentoneves/ws-spring-sts/blob/main/src/main/java/com/github/STSClient.java, feel free to clone and try it.
Note: In the development kit they have a soap project and I was able to call the webservice without needing anything.
STS Test Environment: https://invioSS730pTest.sanita.finanze.it/DocumentoSpesa730pWeb/DocumentoSpesa730pPort
Thanks,
Have a nice code time :)
You need to create a Trust Manager which does not validate certificate chains like the default ones.
Check this:
(How to solve javax.net.ssl.SSLHandshakeException Error?)
On my java application, that runs on Tomcat in a RedHat linux machine, I need to send a request to an API that uses ssl trust certificate. Our partners have already sent us two files that should be used to trust them: wse-tst_partner_com.crt and DigiCertCA.crt.
Our partners have sent these instructions: https://www.digicert.com/csr-ssl-installation/apache-openssl.htm#ssl_certificate_install
However, I'm stuck on step 2, since I didn't find an httpd.conf file, nor an apache2.conf file. I wonder if these are not applicable to Tomcat (they didn't actually know what we have before creating the API and their security stuff).
I've also tried to look for installing trust certificates for Tomcat, but the instructions I've found were only to create a new certificate with keytool - I don't want to create a new certificate, I need to "trust" the ones our partners already created.
I've also found this question on serverfault. However, I don't have any .pem files, and I don't want to create new files - I just want to use the ones I mentioned at the beginning of this post.
I'm a noob in this subject - I don't think this should be a complicated task... Should I add something to my server.xml file? Or, maybe I'm looking for the conf files in the wrong place?
httpd.conf and apache2.conf are Apache files, not Tomcat files.
They assumed you were using Apache instead of Tomcat.
Either put an Apache in front of Tomcat and use that guide, or create a keystore with keytool (a keystore is "like a box" containing the certificates) and add the certificates you were provided to it; you will need to add the intermediate and the root as well. Then configure Tomcat (listeners, connectors) to use that keystore.
Follow the steps from this guide instead: https://www.digicert.com/csr-ssl-installation/tomcat-keytool.htm, but ignore the creation of the certificate, as the certificates are already provided. Make sure you have the key as well; otherwise you'll have to create the CSR on the server and provide that to whoever signs the certificates (your partner, I guess), and they will get back to you with new certificates. Incorporate the certs into the keystore as suggested.
I have gotten 4 certs (1 root, 2 intermediate, and 1 domain to be deployed in that order) from my CA and I am curious about what the process is for getting the chain imported into a keystore correctly. I was able to get the domain cert installed and desktops/laptops can connect securely but not mobile (I get the red x and the crossed out https in mobile Chrome). Based on this post, it appears that my chain is somehow messed up. This is the first time I have done this, so I tried using the keytool tutorials that had me create a self signed cert and then add the CA certs to the keystore, but that didn't work so I resorted to using this article that uses openssl to import just the domain cert and then convert the p12 to a jks. This article is what got me to the point where I could connect from non-mobile devices securely. But I am still stuck in non-secured on mobile. My CA is Comodo and the link I am using is here. Thanks!
It looks like everything is working now. I used the accepted answer here. It's weird and kind of wonky to have to manually paste in cert info, but it worked! If anyone else has a better process I'd love to hear it though.
I installed JBOSS AS 7 and I need to configure it to work with https connections. My Authority can sign only pkcs format requests, so I need to generate a request in that format (I assume with openssl). On jboss documentation there are steps only for keytool (which does not generate in my desired format) so I need step by step guideline for pkcs. I'm a beginner in this area so, if someone could help me with steps on how to generate and configure my jboss for https, I would be so thankful. I know google exists, but I couldn't find anywhere all the steps for configuration and for the csr part I find so many options to do it and I don't know which one is the one that will work for me. I know I'll have to change some things in standalone.xml, but I don't know exactly what....
I finally did this by converting my key and my certificate (with its chain), which were in PKCS format, into a jks keystore (my key and my certificate chain).
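Added example, not taken from any of the posts above: the three files named in the first question (ca_bundle.crt, certificate.crt, private.key) are enough to build the keystore that the answers describe, provided the whole chain goes into it. The script checks that the key belongs to the certificate, bundles the certificate and CA bundle into PKCS#12, and converts that to JKS with keytool; the password, the alias and the throwaway test CA are constructed placeholders.

```shell
#!/bin/sh
# File names follow the first question; PASS and ALIAS are placeholders.
PASS=changeit
ALIAS=server

# Constructed sample input: a throwaway CA and a leaf certificate it signs,
# so the script runs offline. Use the files your CA issued instead.
make_constructed_input() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Test CA" -keyout ca.key -out ca_bundle.crt 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout private.key -out leaf.csr 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA ca_bundle.crt -CAkey ca.key \
    -CAcreateserial -days 1 -out certificate.crt 2>/dev/null
}

# Succeeds only if the certificate was issued for this private key.
key_matches_cert() {  # $1=key $2=cert
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Leaf plus every certificate in the bundle go into one PKCS#12 entry, so
# clients that lack the intermediates still receive the whole chain.
build_p12() {  # $1=key $2=cert $3=bundle $4=out.p12
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "$ALIAS" -passout "pass:$PASS" -out "$4"
}

# Number of certificates stored in the PKCS#12 file (leaf + chain).
p12_cert_count() {  # $1=file.p12
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Convert to JKS for servers that expect it (needs keytool from a JDK).
p12_to_jks() {  # $1=in.p12 $2=out.jks
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$PASS"
}

# Usage: build_p12 private.key certificate.crt ca_bundle.crt keystore.p12 &&
#        p12_to_jks keystore.p12 keystore.jks
```

The server's HTTPS listener then has to reference the same alias and keystore password.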
I have a certificate from GlobalSign.com (.pem file). This file consists of 2 certificates inside (I've examined it with Portecle). Using Portecle I created a BKS keystore and tried to use it in the app. I have read many different tutorials with similar topics. I've tried:
Security with HTTPS and SSL
One more solution
Using a Custom Certificate Trust Store on Android
Android: Trusting SSL certificates
others
None of the solutions worked, and I still have "Error: Not trusted server certificate". Maybe you have an idea what I'm doing wrong.
P.S. There are a lot of trust-all 'solutions', but I need a proper solution.
It is difficult to say exactly why you are having the issue, but it sounds like you do not have the private key, the certificate you received from GlobalSign; I presume you generated the CSR? If so, you will need to import the .pem file that you received back from GlobalSign using the same method. If you did not generate the CSR from a private key within your BKS keystore, then it would not be a trusted certificate.
That is what I think is going on anyway.
Problem was solved. I have asked technical support of GlobalSign about certificates. They made some tests and took recommendations on how to configure certificates on the server side. The Android part wasn't changed.