I installed JBoss AS 7 and I need to configure it to work with HTTPS connections. My Authority can sign only PKCS format requests, so I need to generate a request in that format (I assume with openssl). In the JBoss documentation there are steps only for keytool (which does not generate in my desired format), so I need a step-by-step guideline for PKCS. I'm a beginner in this area, so if someone could help me with steps on how to generate and configure my JBoss for HTTPS, I would be so thankful. I know Google exists, but I couldn't find all the steps for configuration anywhere, and for the CSR part I find so many options to do it and I don't know which one is the one that will work for me. I know I'll have to change some things in standalone.xml, but I don't know exactly what...
I finally did this by converting my key and my certificate (with its chain), which were in PKCS format, into a JKS keystore (my key and my certificate chain).
Related
On my java application, that runs on Tomcat in a RedHat linux machine, I need to send a request to an API that uses ssl trust certificate. Our partners have already sent us two files that should be used to trust them: wse-tst_partner_com.crt and DigiCertCA.crt.
Our partners have sent these instructions: https://www.digicert.com/csr-ssl-installation/apache-openssl.htm#ssl_certificate_install
However, I'm stuck on step 2, since I didn't find an httpd.conf file, nor an apache2.conf file. I wonder if these are not applicable to Tomcat (they didn't actually know what we have before creating the API and their security stuff).
I've also tried to look for installing trust certificates for Tomcat, but the instructions I've found were only to create a new certificate with keytool - I don't want to create a new certificate, I need to "trust" the ones our partners already created.
I've also found this question on serverfault. However, I don't have any .pem files, and I don't want to create new files - I just want to use the ones I mentioned at the beginning of this post.
I'm a noob in this subject - I don't think this should be a complicated task... Should I add something to my server.xml file? Or, maybe I'm looking for the conf files in the wrong place?
httpd.conf and apache2.conf are Apache files, not Tomcat files.
They assumed you were using Apache instead of Tomcat.
Either put an apache in front of tomcat and use that guide or create a keystore with keytool (A keystore is "like a box" containing the certificates) and add the certificates you were provided inside, you will need to add the intermediate and the root as well. And then configure tomcat (listeners, connectors) to use that keystore.
Follow the steps from this guide instead https://www.digicert.com/csr-ssl-installation/tomcat-keytool.htm but ignore the creation of certificate as the certificates are already provided. Make sure you have the key as well, otherwise you'll have to create the CSR in the server and provide that to whoever signs the certificates (your partner I guess) and they will get back to you with new certificates. Incorporate the certs to the keystore as suggested.
I'm using the new free SSL certificate from https://www.sslforfree.com. I registered my domain and everything went fine, and I got the certificate files, which are three files
(ca_bundle.crt, certificate.crt and private.key).
I have spent three days on this problem and have read tens of examples on this site and on others, but none of them works for me.
First, in the examples I read there are four files (COMODO, for example), unlike my case, where there are two crt files and a private key file.
My question is: is there something wrong with the website, which didn't give me the complete certificate files? And if not, how can I deploy this certificate into my GlassFish 4.x? I'm using 4.1.2 now.
Any help appreciated.
In Java you need to store your certificate in a *.jks file. Then point your server (Tomcat/GlassFish) to this *.jks.
You can find how to configure GlassFish with a certificate here: https://ssl.comodo.com/support/certificate-installation-glassfish-4x.php
If that's not enough you should look at the resources below.
I think Let's Encrypt (https://letsencrypt.org/getting-started/) should answer your questions.
Start by looking at their docs: https://letsencrypt.org/docs/
and if that's not enough then move on to the forum: https://community.letsencrypt.org/
I have gotten 4 certs (1 root, 2 intermediate, and 1 domain to be deployed in that order) from my CA and I am curious about what the process is for getting the chain imported into a keystore correctly. I was able to get the domain cert installed and desktops/laptops can connect securely but not mobile (I get the red x and the crossed out https in mobile Chrome). Based on this post, it appears that my chain is somehow messed up. This is the first time I have done this, so I tried using the keytool tutorials that had me create a self signed cert and then add the CA certs to the keystore, but that didn't work so I resorted to using this article that uses openssl to import just the domain cert and then convert the p12 to a jks. This article is what got me to the point where I could connect from non-mobile devices securely. But I am still stuck in non-secured on mobile. My CA is Comodo and the link I am using is here. Thanks!
It looks like everything is working now. I used the accepted answer here. It's weird and kind of wonky to have to manually paste in cert info, but it worked! If anyone else has a better process I'd love to hear it though.
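The key-plus-chain to JKS conversion that the JBoss and GlassFish threads above describe, together with a check for the incomplete-chain problem raised in this thread, as one added example that is not taken from any of the posts. It builds a throwaway root, intermediate and server certificate with openssl in place of a real CA's reply; all file names, subjects and the `STOREPASS` variable are assumptions, and the JKS step needs `keytool` from a JDK.

```shell
#!/bin/sh
# Added example. Every file name, subject and password here is constructed.
set -eu
export STOREPASS='example-only-pass'   # read via env: so it stays off the command line

newkey_csr() {   # $1 = file basename, $2 = CN; writes $1.key and a PKCS#10 request $1.csr
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

build_chain() {  # throwaway root -> intermediate -> server, standing in for the CA's reply
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'subjectAltName=DNS:app.example.test\n' > leaf.ext
    newkey_csr root "Example Test Root"
    newkey_csr inter "Example Test Intermediate"
    newkey_csr server "app.example.test"   # server.csr is the file you would send to the CA
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 30 -out root.crt 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 30 -out inter.crt 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -extfile leaf.ext -days 30 -out server.crt 2>/dev/null
}

chain_ok() {     # can a client that trusts only root.crt validate what the server sends?
    openssl verify -CAfile root.crt ${1:+-untrusted "$1"} server.crt >/dev/null 2>&1
}

make_p12() {     # private key + server cert + intermediate in one PKCS#12 entry
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile inter.crt \
        -name server -passout env:STOREPASS -out server.p12
}

p12_cert_count() {
    openssl pkcs12 -in server.p12 -nokeys -passin env:STOREPASS 2>/dev/null | grep -c 'BEGIN CERT'
}

p12_to_jks() {   # requires keytool from a JDK
    keytool -importkeystore -noprompt \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -destkeystore server.jks -deststoretype JKS -deststorepass:env STOREPASS
}
cd "$(mktemp -d)"
build_chain
chain_ok           && echo "server cert alone: verifies" || echo "server cert alone: chain incomplete"
chain_ok inter.crt && echo "with intermediate: verifies" || echo "with intermediate: chain incomplete"
make_p12
echo "certificates in server.p12: $(p12_cert_count)"
if command -v keytool >/dev/null 2>&1; then p12_to_jks; fi
```

With real files, skip `build_chain` and use the CA-issued certificate and bundle (for example `certificate.crt` and `ca_bundle.crt`) in place of `server.crt` and `inter.crt`, with the private key that produced the CSR.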
I have a certificate from GlobalSign.com (a .pem file). This file has 2 certificates inside (I've examined it with Portecle). Using Portecle I created a BKS keystore and tried to use it in the app. I have read many different tutorials on similar topics. I've tried:
Security with HTTPS and SSL
One more solution
Using a Custom Certificate Trust Store on Android
Android: Trusting SSL certificates
others
None of the solutions worked, and I still get "Error: Not trusted server certificate". Maybe you have an idea what I'm doing wrong?
P.S. There are a lot of trust-all 'solutions', but I need a proper solution.
It is difficult to say exactly why you are having the issue, but it sounds like you do not have the private key. The certificate you received from GlobalSign: I presume you generated the CSR? If so, you will need to import the .pem file that you received back from GlobalSign using the same method; if you did not generate the CSR from a private key within your BKS keystore then it would not be a trusted certificate.
That is what I think is going on anyway
Problem was solved. I have asked technical support of GlobalSign about certificates. They made some tests and took recommendations how to configure certificates on server side. Android part wasn't changed
I have never done HTTPS so far, but I'm trying to get to grips with it. I understand how to do self-signed certificates, which, from what I understood, is completely pointless as browsers will fire up the warning straight away. "As one cannot say trust me because I am honest."
From SO posts I understood that Tomcat or any other server environment is responsible for configuration. All clear and good.
The confusion is how these certificates are signed when not self-signed. In other words, how do I point my keystore to a CA provider?
I am following guide:
http://consultingblogs.emc.com/richardtiffin/archive/2010/10/15/applying-ssl-to-a-spring-web-application-on-tomcat.aspx
The problem is that I don't know what happens after I buy a certificate from a CA. Do I get a file which I need to point my keystore to, or do I import the keystore itself remotely?
For self-signed we do:
"
Generating a keystore file (Self Certification)
The keystore file is the one which would store the details of the certificates necessary to make the protocol secured, to-do this we'll use the keytool provided as part of JDK 1.6, the following should create the keystore :-
From your Java installation directory %JAVA_HOME%/bin
keytool -genkey -alias emc -keypass password -keystore emc_tomcat.bin -storepass password"
This implies that for non-self-signed certificates the details must come from the CA provider? So do I need to add something to the line (a URL path?)? Or is it the client's responsibility to verify whether my certificate is valid... then how do I link my certificate to the one I purchased? I am completely confused.
Rephrasing another way: how do I install a CA from official CA providers?
Or am I talking complete rubbish and missing something fundamental? :-)
My apologies if there is a duplicate. I've spent quite a good bit of time researching SO and reading Wikipedia articles, but the internal mechanics are very difficult for novice users. I've marked the actual questions in bold for people short on time. Thanks.
All the information you are asking for is readily provided by any reputable ("trusted") CA. See for example http://www.digicert.com/ssl-certificate-installation.htm
Quoting:
After you create your CSR, purchase your certificate, and the SSL
Certificate validation and processing are complete, you are ready to
install your SSL Certificate(s).
Your certificate will be provided via email or will be available to
download in your DigiCert Management Console. The SSL Certificate is a
text file with encrypted data that your server will use once the
certificate is installed
And following down the Tomcat link:
Tomcat SSL installations can be a bit tricky, but don't worry. Our
knowledgeable support staff is familiar with both the keytool utility
as well as common Tomcat installation methods. We will be happy to
help you generate your Certificate Signing Request (or CSR), install
the certificate to your Java keystore, and configure your server to
use it via either the Tomcat Admintool utility, or by editing the
server.xml configuration file directly.
It seems that this answers all your questions... "buy it and you will see how easy it is".