Re: SLL Certificate Chain

2011-05-25 Thread Dipl.-Ing. Mag. Bernhard Hobiger
Thanks Christopher Schultz and Crypto Sal for your replies!

The key hint was the certificate chain length. My problem seemed to be that I 
got the server certificate as PKS12 file (including the private key). I 
imported it using "-importkeystore -srcstoretype PKCS12". "-trustcacerts" 
doesnt seem to have any effects with "-importkeystore". Since the PKS12 file 
containd only the server certificate, it was imported with certificate chain 
length 1.

So here is what worked for me:

I converted the root and intermediate certificates to human readable form by 
importing them into a keystore and then exporting them again using "-export 
-rfc".

I imported my server certificate into a new keystore and adapted alias and 
passwords for use with my Tomcat configuration

I exported the server certificate again using "-export -rfc"

I opened the newly created export file of my server certificate and inserted 
the contents of the intermediate and the root certificates at the bottom of the 
file. This created a valid certificate chain in PKCS7 format.

I imported the altered certificate file into the same keystore using the same 
alias. This replaced the single certificate with the complete certificate chain 
(private key remained unaltered).

Now I have a valid keystore with my server certificate and the intermediate and 
root certificates and the certificate chain length is 3. Tomcat deliveres the 
chain correctly and I finally got rid of the annoying security warnings in 
Firefox.

Thanks for your help!
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SLL Certificate Chain

2011-05-23 Thread Crypto Sal

On 05/23/2011 04:53 AM, Dipl.-Ing. Mag. Bernhard Hobiger wrote:

Hi,

I am running Tomcat 6.0.18 64bit on Windows Server 2008 R2 Enterprise. I 
obtained a certificate for my server from StartCom, installed it and configured 
the Connector. The server, intermediate and root certificates are in a keystore 
file. So far all went fine, except for one problem: Tomcat sends only the 
server certificate, not the whole certificate chain. This means that Firefox 
(all newer versions) thinks the certificate is invalid.

I tried to import the StartCom certificates into the default keystore cacerts, 
no difference. The problem is not that Tomcat cant validate the certificate, 
but that the intermediate certificate is not sent (verified with Wireshark).

I tried to set all entries in logging.properties to ALL, but I dont get 
anything in my logs. Has anyone encountered the same behaviour?

server.xml:
 


keytool -list -keystore tomcat.keystore:


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
startcom.ca.sub, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
startcom.ca, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
intern, 23.05.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): 30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C

keytool -list -v -keystore tomcat.keystore: (output shortened)


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
Aliasname: startcom.ca.sub
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital 
Certificate Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Seriennummer: b
Gültig von: Wed Oct 24 22:57:08 CEST 2007 bis: Mon Oct 22 22:57:08 CEST 2012
Digitaler Fingerabdruck des Zertifikats:
   MD5:  4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
   SHA1: A9:C3:A1:41:78:DF:B2:B1:D1:94:1D:5E:3F:56:DA:FA:E2:E1:40:37
   Unterschrift-Algorithmusname: SHA1withRSA
   Version: 3
...
***
***

Aliasname: startcom.ca
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Seriennummer: 1
Gültig von: Sun Sep 17 21:46:36 CEST 2006 bis: Wed Sep 17 21:46:36 CEST 2036
Digitaler Fingerabdruck des Zertifikats:
   MD5:  22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
   SHA1: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
   Unterschrift-Algorithmusname: SHA1withRSA
   Version: 3
...

***
***

Aliasname: intern
Erstellungsdatum: 23.05.2011
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigner: 
EMAILADDRESS=postmas...@htl-klu.at, 
CN=intern.htl-klu.at, OU=StartCom Verified Certificate Member, O=Bernhard Hobiger, 
L=Klagenfurt, ST=Karnten, C=AT, OID.2.5.4.13=165616-YmmhPnif68b3zfKu
Aussteller: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure 
Digital Certificate Signing, O=StartCom Ltd., C=IL
Seriennummer: 1a3d
Gültig von: Thu Mar 18 09:26:36 CET 2010 bis: Mon Mar 19 00:20:28 CET 2012
Digitaler Fingerabdruck des Zertifikats:
   MD5:  30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C
   SHA1: AD:21:D5:1B:83:BB:DF:A7:61:BA:BD:E0:F9:7A:13:8B:F9:EF:8A:CC
   Unterschrift-Algorithmusname: SHA1withRSA
   Version: 3
...
***
***






Hello,

Please take notice at the following lines in your output...

My German(?) isn't all that good, but I see this,  
"Zertifikatskettenlänge: 1", which I know in English should read 
something to the affect of... 'Certificate Chain Length'


This is why Tomcat (JSSE) is only serving up the one certificate (depth 
0) and when I see this output, it would appear the '-trustcacerts' flag 
was not used when importing the certificate(s). See this page for 
reference [ 
http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html 
]


Here's also a blog posting from a fellow StartCom customer.

http://magictrevor.wordpress.com/2011/01/26/startssl-startcom-certificates-and-tomcat/

I hope this helps!

--Crypto.Sal



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SLL Certificate Chain

2011-05-23 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

To whom it may concern,

On 5/23/2011 4:53 AM, Dipl.-Ing. Mag. Bernhard Hobiger wrote:
> I am running Tomcat 6.0.18 64bit on Windows Server 2008 R2
> Enterprise. I obtained a certificate for my server from StartCom,
> installed it and configured the Connector. The server, intermediate
> and root certificates are in a keystore file. So far all went fine,
> except for one problem: Tomcat sends only the server certificate, not
> the whole certificate chain. This means that Firefox (all newer
> versions) thinks the certificate is invalid.
> 
> I tried to import the StartCom certificates into the default keystore
> cacerts, no difference. The problem is not that Tomcat cant validate
> the certificate, but that the intermediate certificate is not sent
> (verified with Wireshark).

I haven't done much work with SSL certs in Java, but I wonder what would
happen if you imported all of the certs, together, into a single alias
in your cert store. Have you tried that, or did you import each cert
(yours, intermediate, etc.) into separate certs within the cert store?

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3azXsACgkQ9CaO5/Lv0PAi/gCgrrgCcDCHueT7EMNRR0jlL4JM
6A4AmwRnCsI6TLCGAkvjxuIj0C0vQhZz
=9NOA
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



SLL Certificate Chain

2011-05-23 Thread Dipl.-Ing. Mag. Bernhard Hobiger
Hi,

I am running Tomcat 6.0.18 64bit on Windows Server 2008 R2 Enterprise. I 
obtained a certificate for my server from StartCom, installed it and configured 
the Connector. The server, intermediate and root certificates are in a keystore 
file. So far all went fine, except for one problem: Tomcat sends only the 
server certificate, not the whole certificate chain. This means that Firefox 
(all newer versions) thinks the certificate is invalid.

I tried to import the StartCom certificates into the default keystore cacerts, 
no difference. The problem is not that Tomcat cant validate the certificate, 
but that the intermediate certificate is not sent (verified with Wireshark).

I tried to set all entries in logging.properties to ALL, but I dont get 
anything in my logs. Has anyone encountered the same behaviour?

server.xml:



keytool -list -keystore tomcat.keystore:


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
startcom.ca.sub, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
startcom.ca, 23.05.2011, trustedCertEntry,
Zertifikatsfingerabdruck (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
intern, 23.05.2011, PrivateKeyEntry,
Zertifikatsfingerabdruck (MD5): 30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C

keytool -list -v -keystore tomcat.keystore: (output shortened)


Keystore-Typ: JKS
Keystore-Provider: SUN
Ihr Keystore enthält 3 Einträge.
Aliasname: startcom.ca.sub
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital 
Certificate Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Seriennummer: b
Gültig von: Wed Oct 24 22:57:08 CEST 2007 bis: Mon Oct 22 22:57:08 CEST 2012
Digitaler Fingerabdruck des Zertifikats:
  MD5:  4F:9B:88:B0:78:F3:16:9F:19:DC:F1:A3:8A:50:DD:82
  SHA1: A9:C3:A1:41:78:DF:B2:B1:D1:94:1D:5E:3F:56:DA:FA:E2:E1:40:37
  Unterschrift-Algorithmusname: SHA1withRSA
  Version: 3
...
***
***

Aliasname: startcom.ca
Erstellungsdatum: 23.05.2011
Eintragstyp: trustedCertEntry
Eigner: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Aussteller: CN=StartCom Certification Authority, OU=Secure Digital Certificate 
Signing, O=StartCom Ltd., C=IL
Seriennummer: 1
Gültig von: Sun Sep 17 21:46:36 CEST 2006 bis: Wed Sep 17 21:46:36 CEST 2036
Digitaler Fingerabdruck des Zertifikats:
  MD5:  22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
  SHA1: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F
  Unterschrift-Algorithmusname: SHA1withRSA
  Version: 3
...

***
***

Aliasname: intern
Erstellungsdatum: 23.05.2011
Eintragstyp: PrivateKeyEntry
Zertifikatskettenlänge: 1
Zertifikat[1]:
Eigner: 
EMAILADDRESS=postmas...@htl-klu.at, 
CN=intern.htl-klu.at, OU=StartCom Verified Certificate Member, O=Bernhard 
Hobiger, L=Klagenfurt, ST=Karnten, C=AT, OID.2.5.4.13=165616-YmmhPnif68b3zfKu
Aussteller: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure 
Digital Certificate Signing, O=StartCom Ltd., C=IL
Seriennummer: 1a3d
Gültig von: Thu Mar 18 09:26:36 CET 2010 bis: Mon Mar 19 00:20:28 CET 2012
Digitaler Fingerabdruck des Zertifikats:
  MD5:  30:93:DB:AD:5A:DB:76:00:49:EC:EA:0F:4B:9E:C3:3C
  SHA1: AD:21:D5:1B:83:BB:DF:A7:61:BA:BD:E0:F9:7A:13:8B:F9:EF:8A:CC
  Unterschrift-Algorithmusname: SHA1withRSA
  Version: 3
...
***
***