PKCS#12 trust store without private key


Oleg Yegorov

Sep 19, 2016, 12:31:50 PM
to Search Guard
I'm using SearchGuard 2.4.0.16 with ES 2.4.0.0.
I get the following exception when I try to use a trust store that contains a self-signed certificate that doesn't have a private key:
Exception in thread "main" ElasticsearchSecurityException[Error while initializing HTTP SSL layer: java.security.KeyStoreException: no certificate chain or certificate with alias: null]; nested: KeyStoreException[no certificate chain or certificate with alias: null];
Likely root cause: java.security.KeyStoreException: no certificate chain or certificate with alias: null


This is an extract from my config file.
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.keystore_type: PKCS12
searchguard.ssl.transport.keystore_filepath: client.p12
searchguard.ssl.transport.keystore_password: 1
searchguard.ssl.transport.truststore_type: PKCS12
searchguard.ssl.transport.truststore_filepath: root.p12
searchguard.ssl.transport.truststore_password: 1

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_type: PKCS12
searchguard.ssl.http.keystore_filepath: client.p12
searchguard.ssl.http.keystore_password: 1
searchguard.ssl.http.truststore_type: PKCS12
searchguard.ssl.http.truststore_filepath: root.p12
searchguard.ssl.http.truststore_password: 1


Everything is fine when root.p12 has the private key.
Why is it required to have private keys in the trust store?

Thanks in advance!
Oleg

SG

Sep 19, 2016, 3:33:25 PM
to search...@googlegroups.com
Can you provide logs on debug level?

You should see log statements like:

Alias xxx: is a certificate entry?true/is a key entry?false

Oleg Yegorov

Sep 20, 2016, 10:10:39 AM
to Search Guard
This is what I see in the logs:
[2016-09-20 17:06:10,843][DEBUG][com.floragunn.searchguard.ssl.util.SSLCertificateHelper] Alias iis express development certificate container: is a certificate entry?false/is a key entry?true

I attached the full log, as well as the PKCS#12 files I'm using.
Basically, in this simple setup I'm trying to use the same certificate for the trust store (no private key) and key store (with private key).

Thanks.
Oleg
output.txt
elasticsearch.log
client.p12
root.p12
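
The two checks in the debug line above (certificate entry / key entry) can be run directly against a .p12 file with the JDK's KeyStore API, along with a check of which certificates JSSE would accept as trust anchors from it. This is an added example, not Search Guard's code and not part of the original thread; the class name StoreEntries is made up, and the file path and password are passed as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name). Usage: java StoreEntries <file.p12> <password>
public class StoreEntries {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java StoreEntries <file.p12> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Per alias: the same two questions the debug log line answers.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null for certificate entries
            System.out.printf("Alias %s: certificate entry=%b, key entry=%b, chain length=%d%n",
                    alias, ks.isCertificateEntry(alias), ks.isKeyEntry(alias),
                    chain == null ? 0 : chain.length);
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                System.out.println("  subject: " + ((X509Certificate) cert).getSubjectX500Principal());
            }
        }
        // Ask JSSE how many certificates it would accept as trust anchors from this store.
        try {
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    System.out.println("Accepted issuers: "
                            + ((X509TrustManager) tm).getAcceptedIssuers().length);
                }
            }
        } catch (Exception e) {
            System.out.println("TrustManagerFactory could not use this store: " + e);
        }
    }
}
```

Running it against both client.p12 and root.p12 shows whether the JDK sees any entry at all in the store that was exported without a private key.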

Oleg Yegorov

Sep 23, 2016, 9:37:09 AM
to Search Guard
Any ideas about the possible cause? Thanks in advance.